Risk Assessment 101

Shannon DeLange Conversation starter Idea generator

Performing a Risk Assessment

What is a risk assessment?
  • A security risk assessment identifies, assesses, and implements essential security controls in your company’s applications, systems, and procedures. It aims to find areas within your organization that need more security.
Why should I perform a risk assessment?
  • Most cyber-attacks are aimed at small businesses, but only a few are prepared to defend themselves. Breaches can cost a company millions of dollars. An effective risk assessment strategy can improve your security posture and protect your company’s most valuable data and information.
When should I perform a risk assessment? 
  • Once a year, or before a company merger, before a company acquisition, or after deploying new technology.
Where should I start?
  • Identify asset inventory and the value of each asset
  • Identify vulnerabilities and threats.
  • Threat Probability & Impact: How likely is this threat to occur, and how much damage will it cause?
  • For a more comprehensive understanding of Vulnerability Scoring, take a look at the National Vulnerability Database
  • Threat Impact and Cost of Protecting your Assets

Establishing Risk Assessment Framework

  • Is there any specific compliance the organization is trying to achieve? ie, SOC2, HIPPA, GDPR
  • Each compliance has a framework of policies that must be monitored and assessed. 
  • What can be done to create a risk assessment framework structured around compliance? 
    • Perform company-wide security training
    • Employees receive targeted training relevant to their role
    • Managers meet with direct reports weekly to review their work
    • Managers are responsible for mentoring and providing guidance to increase staff awareness of security policies 
    • Leverage tools that detect and alert asset misconfigurations and vulnerabilities 
    • For a comprehensive guideline of policies, check out this list of helpful security policies
Continuous Risk Assessment
  • Risk assessment & vulnerability management is a continuous cycle!
  1. Discover: What assets are available? 
  2. Assess: How Valuable are these assets to our company, and what vulnerabilities have we found in them?
  3. Report: What have we found, who should be involved, and what is our plan moving forward?
  4. Remediate: Take action and fix the issues
  5. Verify: Confirm vulnerabilities have been patched and compliances are met 
  6. Repeat the cycle!



  • Comment author
    Taylor Buckler Conversation starter Great answers

    Pro tip! In Vanta, we'll already provide you with examples. :)

  • Comment author
    Michael Argast Conversation starter Idea generator

    I love the fact that this is central to Vanta. A couple of thoughts I'd love to share as someone who has done a bunch of this analysis for clients:

    1. Assets need to include data.

    2. Risk impacts need to be relative, not absolute. The impact of a $1M loss on a 10 person startup can be existential, on a 1000-person tech firm it is painful but completely manageable in most cases.

    3. I tend to focus on risks that are "bad things that can happen" rather than vulnerabilities (I call these contributing factors). So, a successful Ransomware attack is a Risk with a probability and impact, but the vulnerability or phishing attack or malware that led to it is a "contributing factor". This gives you a more manageable list of risks to work with and allows you to have an executive conversation about risk that is more comprehensive than "We haven't updated Struts on our Apache Server".

    I'm not sure there's a ton of value in leveraging CVSS scoring - yes, it's a nice metric but doesn't really give you system or threat centric risk in a useful way. IMHO. ;-)

  • Comment author
    Lucien Pinto Conversation starter Idea generator

    The risk scenarios examples provided are really helpful, thanks :) !

  • Comment author
    Shannon DeLange Conversation starter Idea generator

    Thanks, Lucien! Welcome to the Community - we are so excited to have you here! And CONGRATULATIONS on being our first founding member! We'll be in touch soon with more details, your badge, and Vanta Swag! 

  • Comment author
    Alex McMillan Great answers

    I kid, I kid!

    Welcome and congrats Lucien, and all. Very cool to see a Vanta community!

  • Comment author
    Lucien Pinto Conversation starter Idea generator

    Wow, it's such an honor, Shannon :) ! 

    I've been passionate about Vanta since the first days so I'm more than honored to be the..... first founding member :) !

    Thanks again for it and the upcoming gear :) !



  • Comment author
    Lucien Pinto Conversation starter Idea generator

    Thanks Alex McMillan :) ! Your picture is adequate :) !


Please sign in to leave a comment.