We are on day two of an intense business planning session in Kentucky – one key topic that always comes up is, “How do we create business, and do the assessments we’re currently using work for this sort of thing?”
There are three common assessments I see out there:
1. The vulnerability assessment is most common – a technical paper that identifies as many holes in the security architecture as possible. The resulting report is generally very technical in nature, product focused (meaning: network, application, etc.) and appeals to the IT department. Certainly there is a place for this.
2. The pen test – penetration test, that is. A test to see if the assessment team can break in. This is fun, expensive and obvious…at least to the team. They can always get in if they’re good.
3. The risk assessment – this should measure the impact of a loss, but equally, the likelihood of such an issue.
The third one is always most effective in building new business.