Why a risk assessment should be in your future

By Charles Cooper

Companies that put cyber risk assessments on the back burner will quickly find themselves enmeshed in controversy if their controls are found to be inadequate or fail to satisfy regulatory requirements.

Recent legislation, such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley, not only contains guidance on how organizations should protect different kinds of data but also requires regular security assessments. What’s more, organizations involved in mergers or acquisitions have extra incentive to stay on top of this. A recent New York Stock Exchange survey of its members found that the overwhelming majority of respondents agreed that the disclosure of a high-profile data breach would have “serious implications” for a pending transaction.

Regular cyber risk assessments are a critical part of an effective cyberdefense, if for no other reason than that the results provide clear answers about the risks associated with using particular information systems or types of data.

At the same time, it’s unrealistic to include everything in a risk assessment. Indeed, the US Commerce Department’s National Institute of Standards and Technology (NIST) acknowledges that there are no specific requirements and no single right way to conduct risk assessments.

So, what’s the right approach? There is no single answer, since it will vary based on the company and its unique position in the market. Rather, the overarching goal should be to create a framework that covers the areas that process, store and transmit its most important information.

Managing the Process

Years ago, this task might have been farmed out to the IT department. But as threat levels rise, the danger of brand and reputational damage from a data breach has elevated responsibility for cyber risk assessment up the organizational chart. The C-suite, including the board of directors, is now as responsible for managing this process as it is for the constellation of considerations affecting other areas.

The exercise should spotlight the various categories of risk that an organization faces. At the same time, it should inform the leadership about the actual location of the company’s assets and whether there is appropriate security in place to protect its most valuable information.

Once complete, the drill should help management prioritize so it is no longer throwing money wildly at the problem. Instead, managers can adopt more prudent, cost-effective spending and invest in defending the most important, higher-payoff items.

Organizations should also use the process as an opportunity to vet the security of their third-party business partners. In a networked world, a partner company’s security vulnerabilities also become yours. As a precaution, it’s prudent to adopt strict role-based access so that third parties can reach only the specific applications they need.

At the end of the day, this is about adding to an organization’s muscle memory. Companies that fail to conduct thorough security reviews can never know for sure which data is most likely to be in the crosshairs. But making cyber risk assessments part of their regular routine will allow organizations to understand what they face and better navigate a threat landscape that grows more dangerous all the time.

Just as important, it will give them a running start when trouble finally knocks on the door.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.