How long does it take to perform a typical security risk assessment?

Well, I suppose you, or perhaps someone you know, may have had this question come up during meetings or conversations with clients who are probably looking to “weigh” their cybersecurity investment or capability options.

Well, I’ve been asked this question (or different variants of the same question) a few times in the past few weeks. So, I thought I’d share my thoughts and views on the subject.

I think it’s fair to infer that the question assumes a breach is yet to take place, and that there is no live security breach at the time the question is raised. Of course, where that assumption is invalid, the subject would cease to be a risk and would instead be treated as an actual security incident/event, which requires a completely different set of activities including response, containment, and recovery.

So, back to the primary subject: I think a very simple, straight-to-the-point, and honest response is: “There’s no specific duration or time range that could objectively answer the question correctly; it all depends…”

It’s like asking the question: how long is a piece of string?

And come to think of it, could any effective security risk assessment be objectively described as “typical”?

A security risk never exists wholly in isolation. In other words, a security risk is associated with at least one vulnerability, which is associated with at least one threat, which is associated with at least one asset.

(Figure: the risk, threat, asset, and vulnerability relationship)

Several industry-acclaimed frameworks, guidelines, standards, and tools share this approach in identifying security risks, and subsequently assessing and managing such risks.
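To make the relationship above concrete, here is an added example (my own constructed code, not from this post or from any of the frameworks it alludes to) of a minimal risk register: a risk entry is only well-formed when it references at least one asset, one threat and one vulnerability, and entries are ranked with a simple likelihood-times-impact score. The 1-to-5 scales, the sample assets, threats and vulnerabilities, and the `mitigated` flag are all assumptions for illustration.

```python
"""Minimal risk-register model (constructed example).

Every Risk must reference at least one Asset, one Threat and one
Vulnerability; validate() reports which association is missing, and
prioritise() ranks the well-formed entries by likelihood x impact.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business impact if compromised, 1 (low) .. 5 (high); assumed scale


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale


@dataclass(frozen=True)
class Vulnerability:
    name: str
    mitigated: bool = False  # True once a control is in place (assumed attribute)


@dataclass
class Risk:
    name: str
    assets: list = field(default_factory=list)
    threats: list = field(default_factory=list)
    vulnerabilities: list = field(default_factory=list)


def validate(risk: Risk) -> list:
    """Return the names of the missing associations; empty means well-formed."""
    missing = []
    if not risk.assets:
        missing.append("asset")
    if not risk.threats:
        missing.append("threat")
    if not risk.vulnerabilities:
        missing.append("vulnerability")
    return missing


def score(risk: Risk) -> int:
    """Likelihood x impact using the most likely threat and most valuable asset.

    A risk whose linked vulnerabilities are all mitigated scores 0, because
    the threat no longer has a path to the asset.
    """
    gaps = validate(risk)
    if gaps:
        raise ValueError(f"{risk.name}: missing {', '.join(gaps)}")
    if all(v.mitigated for v in risk.vulnerabilities):
        return 0
    likelihood = max(t.likelihood for t in risk.threats)
    impact = max(a.value for a in risk.assets)
    return likelihood * impact


def prioritise(register: list) -> list:
    """Return (name, score) pairs for well-formed risks, highest score first."""
    ranked = [(r.name, score(r)) for r in register if not validate(r)]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample register (illustrative values only)
CUSTOMER_DB = Asset("customer database", value=5)
BUILD_SERVER = Asset("CI build server", value=3)
PHISHING = Threat("credential phishing", likelihood=4)
OPPORTUNISTIC_SCAN = Threat("opportunistic internet scanning", likelihood=5)
NO_MFA = Vulnerability("no MFA on admin accounts")
UNPATCHED_CI = Vulnerability("unpatched CI agent", mitigated=True)

SAMPLE_REGISTER = [
    Risk("admin account takeover", [CUSTOMER_DB], [PHISHING], [NO_MFA]),
    Risk("build server compromise", [BUILD_SERVER], [OPPORTUNISTIC_SCAN], [UNPATCHED_CI]),
    Risk("orphaned entry", [], [PHISHING], [NO_MFA]),  # no asset: must be flagged
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        gaps = validate(entry)
        print(f"{entry.name}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
    print(prioritise(SAMPLE_REGISTER))
```

The point of the `validate` step is the one the post makes: an entry with a threat and a vulnerability but no asset is not yet a risk anyone can assess or time-box, so it is excluded from ranking until the association is filled in.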

Yes, how long it takes to conduct an effective security risk assessment depends on lots of factors; and until several of these factors are fleshed out, any response provided could simply be total rubbish. I mean that seriously.

Risk assessment, risk management, and indeed the corresponding control management are very contextual, and can be influenced by several disparate factors, including:

  1. Security competency of your organisation
  2. An up-to-date risk register and pre-breach playbook (i.e. the risk assessment process)
  3. Relevant Knowledge, Skills, & Abilities (KSA) within your organisation
  4. An effective risk management framework or set of guidelines implemented in your organisation
  5. Incident response effectiveness, including effective BC/DR plans

In conclusion, I must stress that it mustn’t take longer to perform a security assessment than it would take to secure the asset at risk, nor should it take longer than is required to achieve the relevant underlying business objectives.

Yes, I just thought I’d put that out there too; hopefully, that addresses any related thoughts.