Expert Opinions: Frequency of Reviewing Your Cyber Risk

Nick Gonzalez
September 17, 2020 | 4 min read | Security Posture

Recently, IDG TECHTalk hosted a Twitter chat on “Risk Management in the Enterprise” and asked experts to chime in on several questions. One question in particular drew many responses: “How often should businesses review their cybersecurity risk, and should it be done more frequently, less frequently, or at the same cadence as other risks like regulatory changes, natural disasters, or economic risk?”

The consensus was clear: nearly every expert agreed that if you are not reviewing your cyber risk as a continuous activity, you are leaving your organization open to breaches.

Here are a few answers from folks who joined the chat:

From Mike D. Kail (@mdkail)


“Managing and mitigating #cybersecurity risks should be a continuous process, not a periodic ‘tick the box’ activity.” #Compliance = #Security

From Ben Rothke (@benrothke)


“Big mistake regarding annual reviews, if methods are the same used 10 years ago, you need a major update.”

From Arsalan Khan (@ArsalanAKhan)


“All the time, and be paranoid about it. If you are paranoid about #cybersecurity, then you will be greatly appreciated by your customers eventually.”

While the answers varied in detail, most participants agreed that businesses should review their cyber risk continuously. The Center for Internet Security (CIS) Controls, a prioritized set of actions for cyber defense, count maintaining an inventory of your assets and continuously managing their vulnerabilities among the basic controls that every organization must have in place.

However, 64% of organizations lack confidence in their security posture, citing inadequate visibility. Part of the reason is that 60% of organizations are aware of less than 75% of the assets on their networks. As experts in the discussion put it: “If you don’t know what you’re protecting, how can you know whether or not you’re secure? For your cybersecurity team to be successful, you need visibility into your entire attack surface: all assets and all attack vectors.”

Like the participants in the chat, we agree. Assessing cybersecurity risk should be a comprehensive, continuous effort. By gaining up-to-date insights into every asset on your network, and their susceptibility to the hundreds of attack vectors, you can improve your organization’s security posture and mitigate risk.
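To make the asset-visibility point concrete, here is an added example (written for this page; it is not code from the article, the chat participants, or any vendor tool) that reconciles a maintained asset inventory against what a network scan actually observed. The inventory and the nmap grepable (-oG) output are constructed samples, and the `parse_grepable` and `reconcile` functions are hypothetical helpers: they flag hosts that are live but owned by nobody, inventory entries that no longer respond, and known hosts exposing services nobody approved, and they report what fraction of observed hosts the inventory actually covers.

```python
import re

# Constructed sample data (hypothetical; not from the article or any real network).
# What the asset inventory / CMDB claims exists, with the ports approved for exposure.
INVENTORY = {
    "10.0.0.10": {"owner": "web-team", "approved_ports": {22, 443}},
    "10.0.0.11": {"owner": "db-team", "approved_ports": {22, 5432}},
    "10.0.0.12": {"owner": "it-ops", "approved_ports": {22}},
    "10.0.0.13": {"owner": "it-ops", "approved_ports": {3389}},  # decommissioned, never removed
}

# Constructed nmap grepable (-oG) output for the same subnet; 10.0.0.50 is not in the inventory.
SCAN_OUTPUT = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.11 ()\tStatus: Up
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.12 ()\tStatus: Up
Host: 10.0.0.12 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/filtered/tcp//http///\tIgnored State: closed (997)
Host: 10.0.0.50 ()\tStatus: Up
Host: 10.0.0.50 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# A "Ports:" line in -oG output: Host: <addr> (<hostname>)<TAB>Ports: <list>[<TAB>Ignored State: ...]
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")
# Each entry is port/state/proto/owner/service/rpc/version/; only ports nmap reports as open count.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Return {address: set(open ports)} from nmap -oG output, skipping Status-only lines."""
    observed = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        addr, _hostname, ports_field = m.groups()
        ports = {int(port) for port, _proto, _svc in PORT_RE.findall(ports_field)}
        observed.setdefault(addr, set()).update(ports)
    return observed


def reconcile(inventory, observed):
    """Compare inventory against observation; each finding is something a once-a-year review misses."""
    inv, obs = set(inventory), set(observed)
    known = inv & obs
    unapproved = {}
    for addr in sorted(known):
        extra = observed[addr] - inventory[addr]["approved_ports"]
        if extra:
            unapproved[addr] = sorted(extra)
    return {
        "unknown_assets": sorted(obs - inv),    # live on the network, nobody owns them
        "not_seen": sorted(inv - obs),          # inventory entries that no longer respond
        "unapproved_exposure": unapproved,      # known hosts exposing services nobody approved
        "inventory_coverage": round(len(known) / len(obs), 3) if obs else 1.0,
    }


def format_report(findings):
    """Human-readable summary, one finding per line, for a ticket or a dashboard."""
    lines = [f"inventory covers {findings['inventory_coverage']:.0%} of observed hosts"]
    for addr in findings["unknown_assets"]:
        lines.append(f"UNKNOWN  {addr}: on the network but not in inventory")
    for addr in findings["not_seen"]:
        lines.append(f"STALE    {addr}: in inventory but not observed")
    for addr, ports in findings["unapproved_exposure"].items():
        lines.append(f"EXPOSURE {addr}: unapproved open ports {ports}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(reconcile(INVENTORY, parse_grepable(SCAN_OUTPUT)))))
```

Run once, this is a snapshot; scheduled after every scan and diffed against the previous run, it becomes the continuous review the chat participants recommend. The coverage figure is the measurable form of "knowing what you are protecting": on the constructed data it comes out at 75%, with one unowned host, one stale inventory entry, and two hosts exposing services that were never approved.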

Get this done and your key stakeholders, including the CEO and board members, will sleep better at night, knowing that the business is taking a proactive approach to its security posture and overall cyber resilience.

Sound interesting? Take a more in-depth look into risk-based vulnerability management in this white paper.
