A Cybersecurity Risk Assessment is a strategic tool that aligns a company's security priorities and budgets with the organization's high-level threat landscape. It is often confused with other tools such as cybersecurity audits, vulnerability assessments, and penetration tests. Each tool is important, but they are not interchangeable.

Strategic vs. Tactical Application

One major axis on which these tools differ is strategic vs. tactical application:

Strategic applications are the boardroom-level decisions made by business owners and executives who do not necessarily understand the details of cybersecurity. While laymen in the technical sense, they are anything but laymen in the business sense, and they are the ultimate authority on prioritization, acceptable risk exposure, and budgets.

Tactical applications refer to the implementation of cybersecurity. The tactical team is expected to have a deep technical understanding of one or more aspects of cybersecurity. The more specialized the talent within the tactical team, the greater the risk that its technical language will not translate easily into the strategic, executive language. With these concepts in mind, let's look at each tool in turn.

3 Types of Cybersecurity Assessments

  • Cybersecurity audits evaluate and demonstrate compliance with a narrow, specific set of regulatory or contractual requirements.
    • PCI DSS and HIPAA are common examples of standards against which a cybersecurity audit is performed.
    • Audits are tactical in the sense that they offer very specific guidelines for implementing controls that meet compliance goals.
    • Audits are strategic in the sense that compliance status is a succinct way for executives to monitor internal security efforts. Note that an audit only measures what its standard asks about, so being compliant is not the same as being secure.
  • Vulnerability assessments evaluate an organization's hardware, software, and procedures against lists of publicly known vulnerabilities and against the configuration best practices published by the vendor or manufacturer.
  • Penetration testing is a special kind of vulnerability assessment: rather than passively inventorying weaknesses, the tester actively attempts to exploit them to show what an attacker could actually achieve.

Both vulnerability assessments and penetration tests culminate in a long list of technical weaknesses to be addressed. These lists offer tactical guidance, but because they are expressed in terms of systems rather than business impact, they are not suitable for strategic planning on their own.

Risk Assessment is a central puzzle piece

Audits, vulnerability assessments, and penetration tests are all designed to evaluate the strength or weakness of the software, hardware, processes, and channels over which valuable company information flows. Each server and network a company uses has a cost, but that is the cost of the vessel, or container, not the value of the information the vessel contains. The value of the information itself is the value of the client records, or the value of the trade secret, that it holds. Because these three tools measure the container rather than its contents, they cannot by themselves say how much a given weakness is worth to the business. This is where audits, vulnerability assessments, and penetration tests fall short.

Benefits of a Cybersecurity Risk Assessment

The Cybersecurity Risk Assessment focuses on the value of information and the costs incurred if that information is destroyed, stolen, or otherwise damaged. The value of information or a trade secret is established at a strategic level. Likewise, costs are typically defined in strategic terms such as lost revenue, the public relations effort needed to restore brand image, and the expense of defending against lawsuits. Once the potential losses for the various types of attack are known, they can be managed like any other business decision about risk. In practice, this becomes a two-way conversation between the tactical specialists and the executive strategists, who make decisions together using the risk assessment as a common point of reference.

The table below shows where each tool fits into the larger picture of cybersecurity risk management. A risk assessment is the only tool that is fully suited to strategic discussion and decision making. Aligning tactical activities such as vulnerability assessments and penetration tests with the high-level areas of risk identified by a risk assessment is a simple, effective way to ensure the right amount of money and effort is being spent on the right areas.

Cyber Security Tool       Business Level   Expertise             Monitoring   Evaluates
Risk Assessment           Strategic        Business              Strategic    Information value & cost
Vulnerability Assessment  Tactical         Technical             Tactical     Container
Audit                     Tactical         Business / Technical  Strategic    Container
Penetration Test          Tactical         Technical             Tactical     Container

About the Author: Rob Arnold, founder and CEO of Threat Sketch, has worked in internet security for over 20 years, including launching his own consulting firm to provide executive IT and security consulting to small, medium and Fortune 100 companies.