{"id":235574,"date":"2026-06-23T02:21:00","date_gmt":"2026-06-23T06:21:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/23\/the-cyber-c-suite-why-cyber-risk-assessments-should-be-the-cornerstone-of-your-security-strategy\/"},"modified":"2026-06-23T04:40:12","modified_gmt":"2026-06-23T08:40:12","slug":"the-cyber-c-suite-why-cyber-risk-assessments-should-be-the-cornerstone-of-your-security-strategy","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/23\/the-cyber-c-suite-why-cyber-risk-assessments-should-be-the-cornerstone-of-your-security-strategy\/","title":{"rendered":"The Cyber C-Suite: Why Cyber Risk Assessments Should Be the Cornerstone of Your Security Strategy"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/the-cyber-c-suite-why-cyber-risk-assessments-should-be-the-cornerstone-of-your-security-strategy\/\">The Cyber C-Suite: Why Cyber Risk Assessments Should Be the Cornerstone of Your Security Strategy<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/the-cyber-c-suite-why-cyber-risk-assessments-should-be-the-cornerstone-of-your-security-strategy\/\">https:\/\/www.cybersecurity-insiders.com\/the-cyber-c-suite-why-cyber-risk-assessments-should-be-the-cornerstone-of-your-security-strategy\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-23 02:21:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecurity-insiders.com\">www.cybersecurity-insiders.com<\/a><\/p>\n<p>Here\u2019s an uncomfortable truth: too few mid-market companies are doing regular cyber risk assessments, and some aren\u2019t doing them at all. 
According to CompTIA\u2019s \u201cState of Cybersecurity 2025\u201d report, \u201cfewer than 6 in 10 organizations use a formal risk management framework, and roughly a third are only assessing risks informally, if at all.\u201d Meanwhile, nearly 68% of mid-market executives fully expect someone to try to breach their systems this year (2025 RSM US Middle Market Business Index Cybersecurity Special Report).<br \/>\nThat gap, between the threat executives anticipate and the rigor they are actually applying to identify and mitigate risk, is exactly where breaches happen. Closing this gap starts with one non-negotiable discipline: the cyber risk assessment.<br \/>\nI sat down with Marty Menard, former CIO for Pacific Coast Companies (PCCI). I asked him to help me dig into the specifics of why regular assessments are essential to maturing a cyber program. Today, Marty serves as Advisory Board Member for PCCI and for Wellesley Information Services, and he has 35+ years in technology leadership with global companies like Intel, HP, and Rabobank. He is deeply experienced, direct, and refreshingly candid.<br \/>\nHow Often Should You Be Assessing?<br \/>\nThe short answer: at least once a year. No exceptions. Marty\u2019s organization has been running cyber risk assessments every year since 2018, alternating between a full enterprise review and a deep dive into their manufacturing groups. This cadence allows the team to focus on both IT and OT within the factory networks, where risks are related to regulatory exposure and operational continuity.<br \/>\n\u201cThe cadence has worked well for us,\u201d Marty says. \u201cThe outcomes and recommendations are what drive process improvements going forward. We focus our priorities, in part, based on gaps or weaknesses the assessment identified.\u201d<br \/>\nThat said, doing annual assessments is the floor, not the ceiling. 
Certain events could force an unscheduled assessment, such as a major technology rollout, a merger or acquisition, an incident, or any material change to the environment. However, security leaders need to be pragmatic about \u201cmore-is-better\u201d thinking. More frequent assessments may sound ideal in theory, but the reality is that an assessment is only as valuable as an organization\u2019s capacity to act on it. This is because the cycle of absorbing results, building a plan, securing resources, and executing typically takes at least 12 months, sometimes more. \u201cFlooding that cycle with additional assessments before the prior roadmap is executed can create distraction and noise,\u201d explains Marty.<br \/>\nThe use of AI could shorten this cycle in the future; however, it\u2019s too early to tell, as most organizations are just getting started with AI adoption in their cyber program. How AI will be used as part of the assessment process, or for creating more efficiency in executing on post-assessment priorities, is still to be determined.<br \/>\nBetween formal assessments, organizations may also consider complementary or proactive exposure management practices like periodic pen testing, red teaming, table-top exercises, and cyber range exercises, particularly if the threat landscape is escalating or a new risk area has been identified. These are not substitutes for assessments, but they can improve situational awareness between cycles and augment assessment findings.<br \/>\nPreparing for an Assessment: Who Needs to Be at the Table<br \/>\n\u201cWhen it comes to cyber risk assessments, many organizations underestimate who should be in the room,\u201d says Marty. An assessment is not purely a technical exercise for the IT and security teams. It\u2019s key to ensuring business leaders understand organizational risks, so they can make informed decisions about risk tolerance and ensure operational continuity. 
As such, it requires leadership conversations as well as broad collaboration.<br \/>\nInternal teams. Yes, IT and security are the operational core. But conversations should extend to business unit leadership, legal, compliance, enterprise risk, and the executive team. Assessment results should be reviewed with the board, the advisory committee, and subsidiaries to ensure everyone is aware of what is being worked on and why. This cross-functional visibility is critical to building the organizational accountability that turns a report into an actual roadmap.<br \/>\nThird-party assessors. Don\u2019t dismiss the value of bringing in an external party to conduct assessments. Internal teams are often too close to the work and won\u2019t catch everything. A third-party assessor is paid to tell you what they objectively see, not what you\u2019d prefer to hear. Marty\u2019s advice for vetting is not to shop on price alone: \u201cIt\u2019s the old adage, if you focus purely on cost, you\u2019ll get what you pay for.\u201d His team worked with three providers over nine years before landing on a trusted long-term partner. Find the right fit and stay for a while. Consistency in methodology and relationship compounds over time.<br \/>\nOn objectivity. There\u2019s a real debate about whether an organization\u2019s existing MSSP can conduct a truly unbiased assessment of services they also deliver. Marty\u2019s take is pragmatic: it comes down to whether you\u2019ve built a genuine trusted advisor relationship. \u201cWe knew when we found a great partner, based on how we approached the key strategies from our assessment,\u201d he says. Organizations that want cleaner separation can engage an independent assessor and lean on the MSSP for execution and remediation. Either approach works\u2014as long as you\u2019re making the choice deliberately.<br \/>\nEqually important: internal teams must approach the assessment with full transparency. 
In some cases, team members may be tempted to shape or soften findings. That behavior undermines the entire purpose. \u201cAll feedback is a gift,\u201d Marty says. \u201cTake the gift and figure out what to do with it.\u201d<br \/>\nSupply chain partners. Don\u2019t ignore third-party vendor risk. According to Verizon\u2019s 2025 Data Breach Investigations Report, \u201cthird-party involvement in breaches has doubled, now accounting for 30% of incidents.\u201d If contractors are operating inside your environment\u2014especially in manufacturing, financial services, healthcare, and other critical areas\u2014they belong in your assessment scope, even if only at the edges.<br \/>\nAnalyst advisory support. When it comes to evaluating findings or vetting service provider and technology options, consider bringing in outside analyst advisory resources. Firms like Gartner stand on a reputation for research access, but they also do contract reviews, which can often save enough on vendor negotiations to more than cover the cost of the subscription. Other firms, such as IDC, Omdia, or Forrester, as well as boutique groups like Richmond Advisory Group, can also help with contract reviews and advisory on roadmap recommendations. AI-powered research tools are increasingly capable of delivering comparative vendor analysis in a fraction of the time; however, analysts\u2019 focus on primary research and one-on-one human engagement builds relationship and trust, both of which remain uniquely human.<br \/>\nInternal champions. One practice Marty flags as particularly effective: a dedicated technology and cybersecurity advisory committee that reports to executive leadership and the board. His committee includes business management, the CFO, a board member, and independent advisors. This body reviews programs before they go to executive leadership, providing both accountability and organizational \u201cair cover\u201d for the CIO or CISO. 
It\u2019s a model worth considering.<br \/>\nFrom Results to Roadmap: Priorities, Execution, and ROI<br \/>\nGetting the assessment done is only the beginning. The real work\u2014and the real value\u2014is in what you do with the results. With the report and readout in hand, run it through multiple internal discussions with management, leadership, the IT and security team, and the board, and then use it and those discussions to build a prioritized roadmap. That roadmap becomes the playbook for what your team works toward.<br \/>\nSetting priorities. You cannot do everything, and you shouldn\u2019t try. In 2025, Marty\u2019s team was running approximately 30 active network, server, device, and cyber initiatives in parallel\u2014all derived from the assessment roadmap. That many initiatives could be overwhelming for smaller organizations. Priorities should be unique to the organization and its resources, and effective prioritization weighs severity of risk, operational impact, and regulatory obligation, as well as your team\u2019s actual capacity to execute. High-risk gaps that could lead to operational shutdown or regulatory penalty go to the top. Lower-risk items get documented, deferred, and assigned clear accountability for when they\u2019ll be addressed\u2014or business leaders accept the risk.<br \/>\nExecution. Analysis paralysis is one of the most common failure points when it comes to acting on assessments. \u201cThere are no bad decisions,\u201d Marty suggests. \u201cThe only bad ones are the decisions that aren\u2019t made.\u201d Once the priorities are set, the organization needs the discipline to move and the leadership accountability to hold people to commitments. Debate the recommendations all you want\u2014but then decide and go.<br \/>\nMeasuring ROI. Cyber ROI isn\u2019t always obvious, but it\u2019s measurable. Tracking year-over-year scores against your framework is the most direct measure of program improvement. 
Beyond that, metrics could include reductions in mean time to detect and respond, a decline in successful phishing simulations, a reduction in critical exposures, and progress on completing roadmap initiatives on schedule.<br \/>\nWhen it comes to communicating ROI upward, stop talking about the number of patched vulnerabilities and start talking about mitigated exposures and reduced risk. Boards and executive teams don\u2019t need a technical inventory; they need to understand what could go wrong, what it would cost, and what\u2019s being done to reduce the exposure. Frame issues in business risk, operational continuity, and regulatory consequence. That\u2019s the language that earns sustained investment.<br \/>\nAs an example of how assessments can positively impact budgets, consider PCCI\u2019s approach. Marty\u2019s team has tracked cyber spending as a percentage of total IT budget over time, growing that budget from 3% in the first year he came onboard to 8% and beyond as the program matured. This gave leadership both a financial benchmark and a clear narrative about the direction of investment. Keep in mind that although total spending increased over time, year-to-year budgets can fluctuate. For example, after an assessment, Marty\u2019s budget generally went up, as the business purchased new security tools (hardware and software) and services. However, during years of execution (once those purchases were made) the spending decreased.<br \/>\nA Risk Assessment Is Not the Destination\u2014It\u2019s the Starting Point<br \/>\nThe numbers tell a story worth paying attention to. The RSM report mentioned earlier showed that nearly one in five mid-market organizations experienced a data breach in the past year, yet 97% of mid-market executives say they feel confident in their security measures. 
The potential for overconfidence\u2014how secure executives feel versus the actual strength of their security posture\u2014is precisely what regular assessments are built to address.<br \/>\nWhat Marty\u2019s CIO experience demonstrates is that mature cyber programs aren\u2019t built on technology alone. They are built on discipline\u2014consistent assessments, honest reporting, collaborative prioritization, and the organizational will to execute. At PCCI, he spent the better part of a decade turning a program where \u201cfew people understood cyber\u201d into one that consistently executes on initiatives to reduce exposure and risk, measured against a consistent framework, and reviewed regularly with the board.<br \/>\nDo you have good discipline? Do you have strong processes? Do you know what your priorities are? Are your people executing to those? These are measures of an effective program\u2014and the risk assessment is where that discipline begins.<br \/>\nIf your organization hasn\u2019t done a formal cyber risk assessment in the last 12 months\u2014or ever\u2014that\u2019s your starting point. Advocate for the importance of assessments within your organization and gain the support of key executives. Consultants, MSSPs, or other trusted advisors can help with this. Be transparent with the results. Establish a consensus on priorities. Build a roadmap. Work it. Measure results and adjust. 
Then do it again next year.<br \/>\n5 Tips for Success<\/p>\n<p>Do risk assessments annually, at minimum, and be consistent.<br \/>\nHire an independent third party to perform the assessment.<br \/>\nInvolve the entire business beyond the core IT and security teams.<br \/>\nUse the assessment to build a comprehensive roadmap strategy for annual and multi-year priorities.<br \/>\nCreate an advisory board for strategy review and plan evaluation, and to reduce risk and provide air cover with the board and executives.<\/p>\n<p>___________<br \/>\nAbout Marty Menard<br \/>\nMarty Menard is the former Chief Information Officer of Pacific Coast Companies and an Advisory Board Member for Wellesley Information Services. With more than 35 years in technology leadership\u2014including executive roles at Intel, HP, and Rabobank\u2014Marty has led enterprise-scale IT and security programs through multiple generations of technology transformation. He is a practitioner, a mentor, and a believer that strong discipline, clear priorities, and decisive execution are the foundations of any effective cyber program.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Cyber C-Suite: Why Cyber Risk Assessments Should Be the Cornerstone of Your Security 
Strategy&#8230;<\/p>\n","protected":false},"author":1,"featured_media":235575,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cybersecurity-insiders.com\/wp-content\/uploads\/Cybersecurity-strategy-session.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,25],"class_list":["post-235574","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235574"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=235574"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235574\/revisions"}],"predecessor-version":[{"id":235576,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235574\/revisions\/235576"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/235575"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=235574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=235574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=235574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}