
Posted on Feb 15, 2018

Limitations of the Point-in-Time IT Security Risk Assessment

In 2016, there were more than 1,000 data breaches in the United States alone and more than 36 million records exposed, according to Statista. Given the prevalence of high-profile breaches in 2017, last year was not any better.

As organizations build and strive to improve their cybersecurity postures in 2018, the statistics alone should be enough to drive new risk assessment strategies, but that is often not the case. Many companies, organizations, and government agencies continue to rely on point-in-time risk assessments and point-in-time penetration tests, leaving them unprepared to combat the continuous threat of a cyberattack.

The Inherent Pitfalls of Short-Term IT Security Risk Assessment:

Point-in-time IT security risk assessments can find vulnerabilities at a single moment, but they fail to monitor activity between assessments. Their findings quickly go out of date and, depending on the form the assessment takes, can be highly subjective.

It’s not unusual for organizations to have a mad scramble in preparation for a point-in-time risk assessment, hardening systems and reviewing existing documentation to meet specific compliance or audit requirements. This means the picture painted by such an assessment reflects more stringent security behavior than is the norm at the organization. Once the compliance requirements are met, it’s often back to business as usual, and business as usual can yield risks that were never accounted for.

Organizations looking to make real improvements in cybersecurity must gain operational command of their own security posture and the security posture of their third parties through continuous, non-intrusive monitoring. Assessing vulnerabilities at a single point in time is not enough.

Moving Toward a More Comprehensive Approach to IT Security Risk Assessment:

To combat hackers, organizations must think as hackers do and continuously monitor a broad range of risk categories such as application security, malware, patching cadence, network security, hacker chatter, social engineering, and leaked information. In doing so, organizations gain a real-time assessment that lets them make better decisions to mitigate security risks. Gone are the days when organizations could focus only on attacks behind the perimeter; now they need advanced analytics to get a complete picture and respond accordingly.
