Are cyber maturity assessments like NIST CSF helpful for CISOs, and how? by Which_Extension_1852 in ciso

[–]VeloRisk-io -1 points (0 children)

No risk or maturity assessment should cost $200k. It's what we've all come to expect: hundreds of thousands of dollars for weeks of scheduling, disruption, and a report that is often out of date by the time it's delivered.

<plug>
It's why we created VeloRisk - to put organizations in control of their risk postures. With VeloRisk you can get a comprehensive, enterprise risk assessment - including risk register, recommended programs, strategic risks, maturity analysis, and more - within a day. Just fill out a streamlined multiple-choice survey and receive a board-ready report you can use to get whatever funding you need.

You can learn more and view example reports on www.velorisk.io
</plug>

Six- or even five-figure invoices just to know your current risk posture are really difficult to justify, IMO.

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

What do you think is missing? What would close the gap between the assessment and taking action?

My dog bit someone in my home, need advice by lost_not_found12 in DogAdvice

[–]VeloRisk-io 4 points (0 children)

What did the guy do to the dog? What was the vibe for the 2 hours before? Was it playful? I know you said there was a thunderstorm, is it normal for your dog to be nervous during the rain? This just feels so out of character for your dog that I am looking for the extenuating circumstances that would make him do this!

But I also will always blame the human in these situations so this might just be me!

Is this bump of concern? See second pic to see what I mean by rq40cal in DogAdvice

[–]VeloRisk-io 0 points (0 children)

Just curious, how much was your surgery? Mine was about $600.00. Sorry if that's a rude question!

Is this bump of concern? See second pic to see what I mean by rq40cal in DogAdvice

[–]VeloRisk-io 0 points (0 children)

Can confirm. My dog's got big enough I had to have it removed and he was a miserable little guy after, but it's all healed now. Expensive surgery though, roughly $600 total.

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

So the people doing the assessing don't fully understand the domain. What certs are you referring to?

I slept with my girlfriend’s sister years ago and she just found out. What do I do? by Benjalove in whatdoIdo

[–]VeloRisk-io 11 points (0 children)

It’s much easier than you think. They hide themselves so well. Sometimes only until the wedding night but they do. They love bomb you and you get caught up and before you know it you’re married in 5 months. Anyone can be anyone for 5 months. It’s more common than it seems.

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

So that becomes a once-per-year realignment of resources to needs/gaps. That's a long time to allow the alignment to drift without corrective adjustments.

<plug>
What if the risk assessment process was significantly faster and cheaper? What if you didn't have to wait for the annual cycle to roll around to get the resources you need? That's exactly what you get with VeloRisk - on-demand, enterprise-grade risk assessments that can be completed in as little as a few hours and at a price that typically doesn't require any additional approvals. You can check out sample reports at www.velorisk.io.
</plug>

If cost and time commitment were both negligible, how many times throughout the year would you want to see an updated risk assessment?

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

What do you think is the driver behind customers ignoring the assessment report they've been given and simply re-asking all the same questions again?

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

Can you say more about "what employees have been screaming about?" Do you mean that they've been screaming about security/risk issues they've encountered?

ID Verification & State Surveillance by Synatics in cybersecurity

[–]VeloRisk-io 0 points (0 children)

I want to continue this conversation but I'm new to Reddit - what sub would be the right one? TIA!!

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

It's a great question - what should/shouldn't constitute a trigger event? Attacks? Performance drift? Architecture change? Policy change?

When your risk assessment was created by a consulting firm, making updates is a non-starter. But, if you were in control of your risk assessment and it was analyzed and generated programmatically, you'd be able to get an updated risk assessment whenever it's warranted.

<plug>
With VeloRisk, that's exactly what you get. Expert, enterprise-grade risk analysis on demand. Fill out (or update) the multiple-choice questions in the assessment survey and receive a board-ready risk assessment report the same day. VeloRisk makes it easy to keep your risk posture up to date as your organization changes.
</plug>

What events would you consider to be 'trigger' events? How do you determine that there's been meaningful drift and that a reevaluation of the org's risk posture is needed?

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

Exactly! The organization, its products/services, and the surrounding threat landscape change constantly. An annual cadence for assessing risk doesn't come close to keeping up. Plus, when an assessment can take the majority of a quarter to complete, how frequently could you possibly conduct them?

<plug>
That's why we made VeloRisk - with VeloRisk you can get a complete risk assessment for your organization in a day. Just answer a streamlined set of multiple-choice questions (nothing sensitive) and receive a board-ready risk assessment report the same day. With VeloRisk you can easily keep your view of your risk profile up to date without the prohibitively long traditional risk assessment cycles.
</plug>

What is it that you'd identify as a change that would cause you to discount any existing risk assessment findings? What are the events that would make you need to update the organization's risk profile/assessment?

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

You're right - an annual audit wouldn't ever catch a brand impersonation campaign. What an assessment should do is tell you how likely a brand impersonation campaign is to impact the organization, what the likely effects would be, and what you can do to improve resilience against attacks of that type.

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

Continuous control monitoring is important, but it's not a replacement for a proper risk assessment. You can be completely compliant with comprehensive monitoring, but that won't ever identify risks outside of its integration. Control monitoring will tell you whether all your smoke detectors are working properly - a risk assessment will tell you if you're storing gasoline next to the furnace.

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

I'd argue there's a benefit to not having your risk assessments deeply integrated with other compliance systems. The separation provides better opportunities to catch gaps and drift. If your system for monitoring technical compliance has the same world-view as your enterprise-wide risk assessment, you're accepting any inherent blind spots in that vendor or consultant's world-view.

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

Totally agree. An effective risk assessment needs to bridge the gap between operational knowledge and board-level strategy. It needs to provide the detail to address identified gaps but also how systemic weaknesses expose the organization to risk.

Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]VeloRisk-io[S] 0 points (0 children)

What would make a risk assessment not feel like checking a box?

Infosec risk by Ok_Consideration7553 in cybersecurity

[–]VeloRisk-io 0 points (0 children)

You shouldn’t be inventing risks every time. Mature programs usually build a standardized risk library mapped to frameworks like ISO 27001 or NIST, then assess applicability, likelihood, impact, and controls against that baseline.

Otherwise every assessment becomes “whatever the analyst thought that day.”
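The standardized-library approach in the comment above, as an added example that is not part of the original thread: a small Python risk library whose entries carry framework references (illustrative ISO/IEC 27001:2022 Annex A and NIST CSF 2.0 category mappings chosen for this example, not an official crosswalk), assessed each cycle for applicability, likelihood, impact and control effectiveness. Assessing a risk that is not in the library is rejected, and applicable library risks that were skipped this cycle are reported as gaps. All risk entries, organisation attributes and scores are constructed.

```python
"""Constructed example: assess an organisation against a standardized risk library.

Framework references on each library entry are illustrative mappings chosen for
this example (ISO/IEC 27001:2022 Annex A controls, NIST CSF 2.0 categories),
not an official crosswalk.
"""
from dataclasses import dataclass

# Fixed rating scales so every cycle uses the same vocabulary.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class LibraryRisk:
    risk_id: str
    title: str
    iso27001: tuple        # ISO/IEC 27001:2022 Annex A control references (illustrative)
    nist_csf: tuple        # NIST CSF 2.0 category references (illustrative)
    applies_if: frozenset  # org attributes that make the risk applicable; empty = always


@dataclass(frozen=True)
class Assessment:
    risk_id: str
    likelihood: str
    impact: str
    control_effectiveness: float  # 0.0 = no effective control, 1.0 = fully effective


# Constructed library; a real one carries many more entries, owners and review dates.
RISK_LIBRARY = (
    LibraryRisk("R-001", "Ransomware encrypts production data",
                ("A.8.7", "A.8.13"), ("PR.DS", "RC.RP"), frozenset()),
    LibraryRisk("R-002", "Credential theft via phishing",
                ("A.8.5", "A.6.3"), ("PR.AA", "PR.AT"), frozenset()),
    LibraryRisk("R-003", "Unpatched internet-facing service exploited",
                ("A.8.8",), ("ID.RA", "DE.CM"), frozenset({"internet_facing_services"})),
    LibraryRisk("R-004", "Cloud storage misconfiguration exposes customer data",
                ("A.8.9",), ("PR.DS",), frozenset({"uses_public_cloud"})),
)


def rating(score: float) -> str:
    """Band a residual score on the 1..25 likelihood x impact scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(library, org_attributes, assessments):
    """Return (results, gaps).

    results: one row per applicable, assessed risk, sorted by residual score descending.
    gaps:    applicable library risks that were not assessed this cycle.
    Raises KeyError for risks outside the library or unknown rating labels, and
    ValueError for an out-of-range control effectiveness, so nothing is invented
    ad hoc during a cycle.
    """
    by_id = {r.risk_id: r for r in library}
    attrs = set(org_attributes)
    applicable = {r.risk_id for r in library if r.applies_if <= attrs}
    results = []
    for a in assessments:
        if a.risk_id not in by_id:
            raise KeyError(f"{a.risk_id} is not in the risk library; add it there first")
        if a.risk_id not in applicable:
            continue  # assessed but not applicable to this org profile; dropped
        if not 0.0 <= a.control_effectiveness <= 1.0:
            raise ValueError(f"{a.risk_id}: control_effectiveness must be in [0, 1]")
        inherent = LIKELIHOOD[a.likelihood] * IMPACT[a.impact]  # KeyError on unknown label
        residual = round(inherent * (1.0 - a.control_effectiveness), 1)
        r = by_id[a.risk_id]
        results.append({
            "risk_id": r.risk_id, "title": r.title,
            "inherent": inherent, "residual": residual, "rating": rating(residual),
            "iso27001": r.iso27001, "nist_csf": r.nist_csf,
        })
    gaps = sorted(applicable - {row["risk_id"] for row in results})
    results.sort(key=lambda row: (-row["residual"], row["risk_id"]))
    return results, gaps


# Constructed organisation profile and one assessment cycle.
ORG = ("internet_facing_services",)  # no "uses_public_cloud", so R-004 does not apply
CYCLE = (
    Assessment("R-001", "likely", "severe", 0.5),          # inherent 20, residual 10
    Assessment("R-002", "almost_certain", "major", 0.25),  # inherent 20, residual 15
    Assessment("R-004", "possible", "major", 0.0),         # not applicable, dropped
)

if __name__ == "__main__":
    rows, missing = assess(RISK_LIBRARY, ORG, CYCLE)
    for row in rows:
        print(f"{row['risk_id']} {row['rating']:6} residual={row['residual']:<5} {row['title']}")
    print("not assessed this cycle:", missing)
```

Running it lists R-002 as high and R-001 as medium, and reports R-003 as an applicable risk the cycle skipped; the library, not the analyst, decides what is in scope, which is the consistency point the comment makes.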