Cyber Risk Assessments: The Executive’s Foundation for Resilient Security


Key Takeaways

  • Regular cyber risk assessments (at least annually) are essential for identifying gaps and driving measurable security improvements.
  • Assessments must involve a cross‑functional group—IT, security, business unit leaders, legal, compliance, executive leadership, and the board—to ensure organizational accountability.
  • Engaging an independent third‑party assessor brings objectivity; consistency in methodology and relationship yields deeper insight over time.
  • The real value lies in turning assessment findings into a prioritized roadmap, executing it with discipline, and measuring ROI through risk‑reduction metrics rather than mere vulnerability counts.
  • Complementary practices such as penetration testing, red‑team exercises, and advisory committees enhance situational awareness between formal assessments.

The Gap Between Threat Expectation and Assessment Practice
Despite nearly 68 % of mid‑market executives anticipating a breach attempt in 2025, fewer than six in ten organizations employ a formal risk‑management framework, and roughly a third only assess risks informally, if at all. This disparity between anticipated threats and actual rigor creates the conditions where breaches occur. Closing the gap begins with instituting a disciplined, repeatable cyber risk assessment process.

How Often Cyber Risk Assessments Should Be Conducted
Marty Menard advises that assessments should happen at a minimum once per year, with no exceptions. At his former organization, PCCI, assessments have run annually since 2018, alternating between a full enterprise review and a deep dive into manufacturing‑group networks. This cadence balances attention to IT and OT environments while feeding continuous process improvement.

Triggering Events for Unscheduled Assessments
While annual assessments set the floor, certain events warrant an unscheduled review: major technology rollouts, mergers or acquisitions, security incidents, or any material change to the IT/OT environment. However, leaders must avoid “more‑is‑better” thinking; the cycle of absorbing results, building a plan, securing resources, and executing typically spans 12 months or more. Flooding that cycle with additional assessments before the prior roadmap is executed can create distraction and noise.

Leveraging AI and Complementary Exposure Management Practices
Artificial intelligence may eventually shorten the assessment‑to‑action cycle, but most organizations are still in early AI adoption phases, so its impact remains uncertain. Between formal assessments, organizations can adopt proactive exposure‑management tactics—periodic penetration testing, red‑team exercises, table‑top simulations, and cyber‑range drills—to maintain situational awareness and augment assessment findings without replacing the core assessment process.

Preparing for an Assessment: Who Needs to Be at the Table
An effective assessment is not a purely technical exercise for IT and security teams. It requires leadership dialogue and broad collaboration so that business leaders understand organizational risks, can set risk tolerance, and ensure operational continuity. Involving the right participants transforms a report into an actionable roadmap.

Internal Stakeholder Involvement and Cross‑Functional Collaboration
Core IT and security staff provide the operational foundation, but conversations must extend to business unit leaders, legal, compliance, enterprise‑risk officers, and the executive team. Assessment results should be reviewed with the board, advisory committees, and subsidiaries to guarantee visibility across the organization. This cross‑functional exposure builds the accountability needed to turn findings into concrete improvements.

The Value of Third‑Party Assessors and Objectivity Considerations
External assessors bring an unbiased perspective that internal teams, often too close to the work, may miss. Marty’s counsel is clear: do not select a provider based solely on price; “if you focus purely on cost, you’ll get what you pay for.” After vetting several vendors over nine years, PCCI settled on a trusted long‑term partner, benefiting from consistent methodology and a deepening relationship. While an MSSP can conduct an assessment if a genuine trusted‑advisor relationship exists, organizations seeking cleaner separation may engage an independent assessor and rely on the MSSP for remediation execution.

Engaging Supply‑Chain Partners and Analyst Advisory Support
Third‑party vendor risk is increasingly critical; Verizon’s 2025 DBIR shows third‑party involvement in breaches has doubled to 30 % of incidents. Contractors operating inside the environment—especially in manufacturing, finance, health care, or other critical sectors—must be scoped into the assessment, even at the periphery. Additionally, analyst advisory firms (Gartner, IDC, Omdia, Forrester, boutique groups like Richmond Advisory) can help evaluate findings, vet service providers, and conduct contract reviews that often save enough to offset subscription costs. AI‑powered research tools accelerate comparative analysis, but human‑driven analyst engagement still supplies relationship‑building trust that automation cannot replicate.

Building Internal Champions and Advisory Committees
Marty highlights the effectiveness of a dedicated technology and cybersecurity advisory committee that reports to executive leadership and the board. His committee includes business management, the CFO, a board member, and independent advisors. This body reviews programs before they reach executive leadership, providing accountability and “air cover” for the CIO or CISO—a model worth emulating for organizations seeking structured oversight.

Turning Assessment Results Into a Prioritized Roadmap
The assessment itself is only the beginning; the real work—and value—lies in translating findings into a prioritized roadmap. After receiving the report, organizations should run it through multiple discussions with management, leadership, IT/security teams, and the board. Those conversations shape a roadmap that becomes the playbook for upcoming initiatives, ensuring that efforts are aligned with identified gaps.

Setting Priorities, Avoiding Analysis Paralysis, and Executing Plans
Prioritization must reflect the organization’s unique risk profile, resources, and capacity. High‑risk gaps that could cause operational shutdown or regulatory penalties rise to the top; lower‑risk items are documented, deferred, and assigned clear accountability or accepted risk. Marty warns against analysis paralysis: “There are no bad decisions… the only bad ones are the decisions that aren’t made.” Once priorities are set, disciplined execution and leadership accountability are required to move forward.

Measuring and Communicating ROI of Cyber Risk Assessments
Cyber ROI is measurable, though not always obvious. Tracking year‑over‑year scores against a chosen framework directly shows program improvement. Supplementary metrics include reductions in mean time to detect and respond, declines in successful phishing simulations, fewer critical exposures, and on‑time completion of roadmap initiatives. When communicating upward, shift focus from “number of patched vulnerabilities” to “mitigated exposures and reduced risk.” Boards need to understand potential business impact, cost, and what is being done to lower exposure—framing issues in business risk, operational continuity, and regulatory consequence earns sustained investment.

A Real‑World Example: PCCI’s Budget Growth and Execution Cycles
At PCCI, Marty’s team tracked cyber spending as a percentage of the total IT budget, growing it from 3 % in his first year to 8 % and beyond as the program matured. This provided a financial benchmark and a clear narrative about investment direction. Budgets typically rise after an assessment when new tools and services are purchased, then dip during execution years once those acquisitions are in place—illustrating the cyclical nature of assessment‑driven investment.

Why Assessments Are the Starting Point, Not the Destination
The RSM report noted that nearly one in five mid‑market organizations suffered a data breach in the past year, yet 97 % of executives felt confident in their security measures. This over‑confidence versus actual posture underscores why regular assessments are indispensable. Marty’s decade‑long effort at PCCI transformed a program where “few people understood cyber” into one that consistently executes initiatives, reduces exposure, and is measured against a stable framework with regular board reviews. Discipline, honest reporting, collaborative prioritization, and the will to execute are the hallmarks of a mature cyber program—and they begin with the risk assessment.

Five Practical Tips for Successful Cyber Risk Assessment Programs

  1. Conduct risk assessments annually, at minimum, and maintain consistency.
  2. Hire an independent third party to perform the assessment for objectivity.
  3. Involve the entire business—beyond IT and security—to ensure broad ownership.
  4. Use the assessment to build a comprehensive roadmap that outlines annual and multi‑year priorities.
  5. Establish an advisory committee for strategy review, plan evaluation, and to provide air cover with the board and executives.

About Marty Menard
Marty Menard served as Chief Information Officer for Pacific Coast Companies and now sits on the Advisory Board for Wellesley Information Services. With more than 35 years of technology leadership—including executive roles at Intel, HP, and Rabobank—he has guided enterprise‑scale IT and security programs through multiple waves of transformation. Marty advocates that strong discipline, clear priorities, and decisive execution are the foundations of any effective cyber program.
