One of the things we hear from many business owners and even some IT folks is, “I don’t know where our cybersecurity stands. Are we good? Bad? Do we have holes? How do we know where to start?” A cybersecurity assessment is an easy way to begin to answer all these questions and more–some you probably didn’t even know you had.

Who is a cybersecurity assessment for?

A cybersecurity assessment is for any company, small business or large, looking to understand where their cybersecurity stands and where they need to make improvements. For example, organizations with compliance needs such as Healthcare, Finance, and Department of Defense (DOD) manufacturers perform regular cybersecurity assessments to meet requirements or to prepare for an audit—something that can come down from regulatory bodies and/or companies they do business with who are doing their own third-party vendor risk assessments.

Typically, a cybersecurity risk assessment is performed by an internal IT leader or the company’s MSP (managed service provider) on behalf of the company. In both instances the results of the assessment are provided to the business leaders to show them where improvements can be made in their cybersecurity posture.

What is a cybersecurity assessment?

A cybersecurity assessment is a survey/questionnaire that reviews your company’s cybersecurity posture in several ways. It covers topics such as:

• policies
• plans
• procedures
• technology
• testing
• training

Imagine it like a checklist that, when completed, shows you where your company is doing well and where it needs to improve.

If an organization has compliance needs, they might use the assessment to see how they stand against a specific cybersecurity framework or frameworks such as NIST 800-171 or NIST-CSF NIST 800-51, for example. These frameworks and recent laws set the standards and guidelines as to what should be in place for an organization to help protect against and respond to a cyber incident.

When does a cybersecurity assessment matter?

Just like your health, cybersecurity improvement is an ongoing process. It’s a posture, not a project. Once you complete an assessment, you can then begin to strengthen any areas of weakness that were surfaced. Once significant improvements have been made, complete another assessment. This is important because threats change, companies change (new location, employees, technology), and requirements for companies change. You should continue to complete the full assessment at a frequency designed for your company. For many companies that is at least semi-annually or annually.

If your company suffers a cybersecurity breach or incident it will be important to conduct an assessment soon after the incident to understand where the weaknesses are and then work to strengthen them.

Where does a cybersecurity assessment happen?

Cybersecurity assessments come in many different forms and can be completed both digitally and in-person (i.e. good old pen and paper!). Spreadsheets and questionnaires are fairly common, but online platforms and tools are fast becoming the norm, often streamlining the process and enabling collaboration. For example, with Defendify’s Cybersecurity Health Checkup tool you can complete a cybersecurity assessment using a simple web-based tool that guides you through intuitive questions and generates actionable recommendations using plain English (i.e. straight talk, not tech talk). It even maps against popular cybersecurity frameworks and, once completed, your given a simple letter grade and can access prior results all through a single pane of glass.

Why is a cybersecurity assessment important? There are a lot of good reasons why performing a Cybersecurity Assessment is important for your business, here are a few of the most common:

1. Answer the question of “Where do I stand?”
2. Identify and prioritize areas for improvement.
3. Prepare for compliance needs and third-party requirements.

Be proactive and regular with your cybersecurity assessments

Completing a cybersecurity assessment is something just about every business will go through at some point. While it could be for a bank, an audit, compliance, insurance, or to win—or not lose—a key customer contract, it’s also the first step and foundation to cybersecurity self-improvement. Don’t wait, get your cybersecurity assessment into gear and take your business and cybersecurity from reactive to proactive.