
    Getting Started with Cyber Risk Assessments: Lessons from the Front Lines 

    Introduction: 


    Risk assessments can seem overwhelming—especially when time, budget, and organizational support are limited. But during NYSERNet’s Fireside Chat "Risk Assessment: Cutting Through the Noise," panelists from NYSERNet, Tempus Network, Beckage Firm, and St. Bonaventure University offered candid, real-world perspectives that demystify the process. Whether you’re preparing for your first assessment or looking to refine your approach, their insights provide a practical roadmap for taking meaningful action. 

    Why Risk Assessments Matter More Than Ever

    • Risk isn’t a fixed point in time. Technology evolves. Threats adapt. Regulations shift. As Scott Morris shared, organizations that stay stagnant quickly fall behind. A risk assessment helps you understand your current security posture, uncover control gaps, and prioritize what matters most. Without that insight, you’re flying blind.

    “Cyber risk is a wheel in motion,” said Paul Robinson. “Your strategy should constantly evolve. It’s not a one-and-done exercise.” 

    Start Small: You Don’t Need to Boil the Ocean

    • You don’t have to launch a full NIST SP 800-171 audit to gain value from an assessment. In fact, a few structured conversations can begin to identify risk areas and guide strategy.

    "Start small and work up,” Scott advised. “Even a brief, targeted engagement can give you clarity and direction without draining resources.” 

    Mike Hoffman from St. Bonaventure emphasized the importance of timing: "We waited until we felt ready—not perfect—and that made a big difference in how the assessment was received internally."

    Challenge Your Assumptions

    • Going into a risk assessment with assumptions is natural, but don’t let them limit your perspective. Mike expected to shift focus from technical controls to processes, only to find unexpected tech gaps still needed attention.

    "It wasn’t completely different than what I thought, but it wasn’t exactly what I expected either…and that’s a good thing," he said. Having a third-party perspective helped uncover blind spots his internal team had grown used to overlooking.

    Getting Organizational Buy-In

    • Transparency and collaboration are essential for success. Mike shared how he got buy-in across campus by clearly communicating the purpose of the assessment: "We were transparent: here's what we're doing, here's why, and we expect to find things."

    Scott recommended including skeptics: “Bring in the detractors. You need their perspective, too.” 

    Paul highlighted the cultural impact: "Education through participation grows a stronger security culture. When people see their role in governance, they begin to own it."

    Choosing the Right Partner

    • Don’t let a vendor drive the conversation. Do your homework and come prepared. As Paul put it, “Know what you want so you’re not sold something you don’t need.”

    Mike shared that trust and expertise were key in selecting Beckage Firm: "I saw Scott and Jennifer present, and it was clear they knew their stuff and understood our space. That personal connection made the decision easy." 

    🔗 Download the guide: [Top Questions to Ask When Choosing a Cyber Risk Assessor]

    Managing the Results

    • Once the results are in, the work continues. Mike’s team reviewed their draft report collaboratively and started mapping it to action steps. Not everything will be fixed immediately—and that’s okay.

    Paul reminded the audience of a key concept: risk acceptance. 

    "Knowing the risk and choosing to accept it is valid. 'I didn’t know' won’t fly with insurance or auditors. Document what you know and what you’re choosing to address." 

    Final Takeaway: Just Get Started 

    If there’s one theme echoed by all the panelists, it’s this: you don’t need a perfect plan to begin. Start where you are. Grow from there. Even an internal self-assessment is a valuable first step. 

    "Crawl, walk, run," Emilyann Fogarty encouraged. *"Every step forward is a win." 

     

    Watch the Full Session 
    🎥 Risk Assessment: Cutting Through the Noise – Watch Now 

    Register for the Next Fireside Chat 
    🗓️ April 29, 2025 – Unpacking the Unexpected: Incident Response Tabletop Secrets 
    🔗 Register Here 
