Too often organizations spend their security budget in ways that don’t necessarily make the most sense for them. Whether this be purchasing unnecessary appliances or securing an overly broad area, wasting valuable and often scarce security dollars isn’t good for anyone, except perhaps those providing the unnecessary services.
A risk assessment, as the name suggests, assesses risk first and foremost. However, when done properly, a risk assessment also does a lot more.
A risk assessment must look not only at external and internal risks but also at the assets and their value. Finding out which assets are most important to the business is a vital element of a risk assessment. Without understanding what needs to be protected, it is impossible to suggest and implement appropriate protections.
Another critical element of a well-performed risk assessment is thoroughly understanding the business’s key processes. This is an area where TrustedSec provides a great deal of expertise. All of our consultants who perform risk assessments have been in responsible positions within organizations and understand how businesses work. TrustedSec creates reports in a way that considers the business and its real-world situation and constraints.
Although it may sound cliché, TrustedSec truly considers our clients to be partners. We work closely with our risk assessment clients to craft reports that apply to the business, not just random information security best practices. We make sure that our recommendations also make sense from a budgetary and strategic standpoint. We provide short-term and long-term suggestions, as well as identify tactical and strategic recommendations.
Understanding the business and providing real-world, applicable recommendations is what differentiates TrustedSec risk assessments from those offered by others.
This article was written by Alex Hamerstone (@infosecdoc) – Practice Lead of TrustedSec’s GRC team.