The Cyber C-Suite: Why Cyber Risk Assessments Should Be the Cornerstone of Your Security Strategy

By Tawnya Lancaster, Senior Director, Product Marketing

Here’s an uncomfortable truth: too few mid-market companies are doing regular cyber risk assessments, and some aren’t doing them at all. According to CompTIA’s “State of Cybersecurity 2025” report, fewer than 6 in 10 organizations use a formal risk management framework, and roughly a third are only assessing risks informally, if at all. Meanwhile, nearly 68% of mid-market executives fully expect someone to try to breach their systems this year (2025 RSM US Middle Market Business Index Cybersecurity Special Report).

That gap, between the threat executives anticipate and the rigor they are actually applying to identify and mitigate risk, is exactly where breaches happen. Closing this gap starts with one non-negotiable discipline: the cyber risk assessment.

I sat down with Marty Menard, former CIO for Pacific Coast Companies (PCCI). I asked him to help me dig into the specifics of why regular assessments are essential to maturing a cyber program. Today, Marty serves as Advisory Board Member for PCCI and for Wellesley Information Services and he has 35+ years in technology leadership with global companies like Intel, HP, and Rabobank. He is deeply experienced, direct, and refreshingly candid. 

How Often Should You Be Assessing?

The short answer: at least once a year. No exceptions. Marty’s organization has been running cyber risk assessments every year since 2018, alternating between a full enterprise review and a deep dive into their manufacturing groups. This cadence allows the team to focus on both IT and OT within the factory networks, where risks are related to regulatory exposure and operational continuity.

“The cadence has worked well for us,” Marty says. “The outcomes and recommendations are what drive process improvements going forward. We focus our priorities, in part, based on gaps or weaknesses the assessment identified.”

That said, doing annual assessments is the floor, not the ceiling. Certain events could force an unscheduled assessment, such as a major technology rollout, a merger or acquisition, an incident, or any material change to the environment. However, security leaders need to be pragmatic about “more-is-better” thinking. More frequent assessments may sound ideal in theory, but the reality is that an assessment is only as valuable as an organization’s capacity to act on it. This is because the cycle of absorbing results, building a plan, securing resources, and executing typically takes at least 12 months, sometimes more. “Flooding that cycle with additional assessments before the prior roadmap is executed can create distraction and noise,” explains Marty. 

The use of AI could shorten this cycle in the future; however, it’s too early to tell, as most organizations are just getting started with AI adoption in their cyber programs. How AI will be used as part of the assessment process, or to create more efficiency in executing on post-assessment priorities, is still to be determined.

Between formal assessments, organizations may also consider complementary or proactive exposure management practices like periodic pen testing, red teaming, table-top exercises, and cyber range exercises, particularly if the threat landscape is escalating or a new risk area has been identified. These are not substitutes for assessments, but they can improve situational awareness between cycles and augment assessment findings.

Preparing for an Assessment: Who Needs to Be at the Table

“When it comes to cyber risk assessments, many organizations underestimate who should be in the room,” says Marty. An assessment is not purely a technical exercise for the IT and security teams. It’s key to ensuring business leaders understand organizational risks, so they can make informed decisions about risk tolerance and ensure operational continuity. As such, it requires leadership conversations as well as broad collaboration. 

Internal teams. Yes, IT and security are the operational core. But conversations should extend to business unit leadership, legal, compliance, enterprise risk, and the executive team. Assessment results should be reviewed with the board, the advisory committee, and subsidiaries to ensure everyone is aware of what is being worked on and why. This cross-functional visibility is critical to building the organizational accountability that turns a report into an actual roadmap.

Third-party assessors. Don’t dismiss the value of bringing in an external party to conduct assessments. Internal teams are often too close to the work and won’t catch everything. A third-party assessor is paid to tell you what they objectively see, not what you’d prefer to hear. Marty’s advice for vetting is don’t shop on price alone, “It’s the old adage, if you focus purely on cost, you’ll get what you pay for.” His team worked with three providers over nine years before landing on a trusted long-term partner. Find the right fit and stay for a while. Consistency in methodology and relationship compounds over time.

On objectivity. There’s a real debate about whether an organization’s existing MSSP can conduct a truly unbiased assessment of services they also deliver. Marty’s take is pragmatic: it comes down to whether you’ve built a genuine trusted advisor relationship. “We knew when we found a great partner, based on how we approached the key strategies from our assessment,” he says. Organizations that want cleaner separation can engage an independent assessor and lean on the MSSP for execution and remediation. Either approach works—as long as you’re making the choice deliberately.

Equally important: internal teams must approach the assessment with full transparency. In some cases, team members may be tempted to shape or soften findings. That behavior undermines the entire purpose. “All feedback is a gift,” Marty says. “Take the gift and figure out what to do with it.”

Supply chain partners. Don’t ignore third-party vendor risk. According to Verizon’s 2025 Data Breach Investigations Report, “third-party involvement in breaches has doubled, now accounting for 30% of incidents.” If contractors are operating inside your environment—especially in manufacturing, financial services, healthcare, and other critical areas—they belong in your assessment scope, even if only at the edges.

Analyst advisory support. When it comes to evaluating findings or vetting service provider and technology options, consider bringing in outside analyst advisory resources. Firms like Gartner stand on a reputation for research access, but they also do contract reviews, which can often save enough on vendor negotiations to more than cover the cost of the subscription. Other firms, such as IDC, Omdia, or Forrester, as well as boutique groups like Richmond Advisory Group, can also help with contract reviews and advisory on roadmap recommendations. AI-powered research tools are increasingly capable of delivering comparative vendor analysis in a fraction of the time; however, analysts’ focus on primary research and one-on-one human engagement builds relationship and trust, both of which remain uniquely human.

Internal Champions. One practice Marty flags as particularly effective: a dedicated technology and cybersecurity advisory committee that reports to executive leadership and the board. His committee includes business management, the CFO, a board member, and independent advisors. This body reviews programs before they go to executive leadership, providing both accountability and organizational “air cover” for the CIO or CISO. It’s a model worth considering.

From Results to Roadmap: Priorities, Execution, and ROI

Getting the assessment done is only the beginning. The real work—and the real value—is in what you do with the results. With the report and readout in hand, run it through multiple internal discussions with management, leadership, the IT and security team, and the board, and then use it and those discussions to build a prioritized roadmap. That roadmap becomes the playbook for what your team works toward.

Setting priorities. You cannot do everything, and you shouldn’t try. In 2025, Marty’s team was running approximately 30 active network, server, device and cyber initiatives in parallel—all derived from the assessment roadmap. That many initiatives could be overwhelming for smaller organizations. Priorities should be unique to the organization and its resources, and effective prioritization weighs severity of risk, operational impact, regulatory obligation, as well as your team’s actual capacity to execute. High-risk gaps that could lead to operational shutdown or regulatory penalty go to the top. Lower-risk items get documented, deferred, and assigned clear accountability for when they’ll be addressed—or business leaders accept the risk.

Execution. Analysis paralysis is one of the most common failure points when it comes to acting on assessments. “There are no bad decisions,” Marty suggests. “The only bad ones are the decisions that aren’t made.” Once the priorities are set, the organization needs the discipline to move and the leadership accountability to hold people to commitments. Debate the recommendations all you want—but then decide and go.

Measuring ROI. Cyber ROI isn’t always obvious, but it’s measurable. Tracking year-over-year scores against your framework is the most direct measure of program improvement. Beyond that, metrics could include reduction in things like mean time to detect and respond, decline in successful phishing simulations, reduction in critical exposures, and progress on completing roadmap initiatives on schedule. 

When it comes to communicating ROI upward, stop talking about the number of patched vulnerabilities and start talking about mitigated exposures and reduced risk. Boards and executive teams don’t need a technical inventory, they need to understand what could go wrong, what it would cost, and what’s being done to reduce the exposure. Frame issues in business risk, operational continuity, and regulatory consequence. That’s the language that earns sustained investment.

As an example of how assessments can positively impact budgets, consider PCCI’s approach. Marty’s team has tracked cyber spending as a percentage of total IT budget over time, growing that budget from 3% in the first year he came onboard to 8% and beyond as the program matured. This gave leadership both a financial benchmark and a clear narrative about the direction of investment. Keep in mind that although total spending increased over time, year-to-year budgets can fluctuate. For example, after an assessment, Marty’s budget generally went up, as the business purchased new security tools (hardware and software) and services. However, during years of execution (once those purchases were made), the spending decreased.

A Risk Assessment Is Not the Destination—It’s the Starting Point

The numbers tell a story worth paying attention to. The RSM report mentioned earlier showed that nearly one in five mid-market organizations experienced a data breach in the past year, yet 97% of mid-market executives say they feel confident in their security measures. The potential for overconfidence—how secure executives feel versus the actual strength of their security posture—is precisely what regular assessments are built to address.

What Marty’s CIO experience demonstrates is that mature cyber programs aren’t built on technology alone. They are built on discipline—consistent assessments, honest reporting, collaborative prioritization, and the organizational will to execute. At PCCI, he spent the better part of a decade turning a program where “few people understood cyber” into one that consistently executes on initiatives to reduce exposure and risk, measured against a consistent framework, and reviewed regularly with the board.

Do you have good discipline? Do you have strong processes? Do you know what your priorities are? Are your people executing to those? These are measures of an effective program—and the risk assessment is where that discipline begins.

If your organization hasn’t done a formal cyber risk assessment in the last 12 months—or ever—that’s your starting point. Advocate for the importance of assessments within your organization and gain the support of key executives. Consultants, MSSPs, or other trusted advisors can help with this. Be transparent with the results. Establish a consensus on priorities. Build a roadmap. Work it. Measure results and adjust. Then do it again next year.

5 Tips for Success

  • Do risk assessments annually, at minimum, and be consistent.
  • Hire an independent third-party to perform the assessment.
  • Involve the entire business beyond the core IT and security teams.
  • Use the assessment to build a comprehensive roadmap strategy for annual and multi-year priorities.
  • Create an advisory board for strategy review and plan evaluation, and to reduce risk and provide air cover with the board and executives.

___________

About Marty Menard

Marty Menard is the former Chief Information Officer of Pacific Coast Companies and an Advisory Board Member for Wellesley Information Services. With more than 35 years in technology leadership—including executive roles at Intel, HP, and Rabobank—Marty has led enterprise-scale IT and security programs through multiple generations of technology transformation. He is a practitioner, a mentor, and a believer that strong discipline, clear priorities, and decisive execution are the foundations of any effective cyber program.
