Chapter 4: How to do a risk assessment

As an MSP looking to offer vCISO services, one of the most critical tasks you’ll perform is a risk assessment. This process helps identify, evaluate, and prioritize the risks that could impact your client’s business. A well-executed risk assessment not only strengthens your client’s security posture but also demonstrates the value you bring as a vCISO.

Step 1: Understand the business

Before you dive into the technical aspects, it’s essential to understand your client’s business. This includes:

• Identifying key assets: What are the critical data, systems, and processes that keep the business running? These might include customer databases, financial records, or proprietary software. You can use this inventory mapping template.
• Understanding business goals: What are the short-term and long-term objectives of the business? For example, the business may be planning to expand, enter new markets or adopt new technologies.
• Recognizing regulatory requirements: Are there specific regulations the business must comply with, such as HIPAA for healthcare or PCI-DSS for payment card processing?

Step 2: Identify potential threats and vulnerabilities

Once you understand the business, the next step is to identify potential threats and vulnerabilities that could impact the client’s key assets.

• Threats: These are external and internal factors that could harm the business. Common examples include cyberattacks (like phishing or ransomware), natural disasters (like floods or fires), and human errors (like accidental data deletion).
• Vulnerabilities: These are external and internal weaknesses that could be exploited by threats. Examples include outdated software, weak passwords, or lack of employee cybersecurity training.

How to do it:

• Conduct interviews
• Review existing documentation
• Use tools

Talk to key stakeholders, including IT staff, managers, and even frontline employees. Ask about their concerns, past incidents, and known vulnerabilities.

Examine any current security policies, past audit reports, and system configurations. This will give you insights into potential weaknesses.

Employ automated tools to scan the network for vulnerabilities, such as unpatched software or misconfigured systems.

Step 3: Assess the impact and likelihood of risks

Now that you’ve identified the threats and vulnerabilities, the next step is to assess the potential impact and likelihood of each risk.

• Impact: Consider how much damage a risk could cause if it were to materialize. For example, a data breach could result in financial losses, legal penalties, and damage to the company’s reputation.
• Likelihood: Estimate how likely it is that each risk will occur. Some risks, like phishing attacks, are more common, while others, like natural disasters, may be rare but still possible.

How to do it:

• Rate each risk: Assign a rating (e.g., low, medium, high, critical) for both the impact and likelihood of each identified risk.
• Prioritize risks: Focus on risks that have a high impact and high likelihood first, as these are the most urgent to address.

Step 4: Assess the client’s business goals and risk appetite

The choice of a framework should also align with your client’s business objectives and their willingness to accept risk. Some frameworks are more rigorous and comprehensive, while others are designed to be more flexible.

How to do it:

• Discuss business goals: Understand your client’s short, medium and long-term business goals. For instance, are they planning to expand into new markets, adopt new technologies, or go public? These goals will influence the level of security and compliance needed.
• Evaluate risk appetite: Determine how much risk your client is willing to accept. For example, a highly regulated industry with low tolerance for risk must comply with specific mandatory frameworks such as HIPAA for healthcare. Additionally, leveraging frameworks like NIST can complement these regulations by enhancing overall cybersecurity practices. In contrast, a startup with fewer regulatory pressures might opt for a more flexible framework like CIS Controls. This assessment should also consider their current insurance policies. 

Step 5: Develop a risk mitigation plan

With a clear understanding of the most pressing risks, the next step is to develop a plan to mitigate them. Mitigation strategies typically fall into four categories:

How to do it:

• Create action items: For each prioritized risk, define specific actions that need to be taken, who will be responsible, and the timeline for completion.
• Assign resources: Determine the budget, tools, and personnel needed to implement each mitigation strategy.
• Communicate the plan: Share the mitigation plan with key stakeholders to ensure everyone understands the risks and the actions being taken to address them.

Step 6: Monitor and review

Risk management is an ongoing process. After implementing your risk mitigation plan, you need to continuously monitor and review the risks to ensure the effectiveness of your strategies.

How to do it:

• Set up regular reviews: Schedule regular meetings (e.g., quarterly) to review the status of identified risks, the effectiveness of mitigation strategies, and any new risks that may have emerged.
• Update the risk assessment: As the business environment, technology, and regulations change, update your risk assessment to reflect new threats, vulnerabilities, and priorities.
• Report to management: Provide regular updates to the client’s management team, highlighting key findings, progress, and any areas that require further attention.