The Ultimate List of Risk Assessment Questions

The Fastest Way To Close MSP (and Other Security Related Business) Is To Lead With An Assessment…

However, In Order to Have a Great Assessment, You’ll Need a List of Great Assessment Questions…

Note: Before you can start asking great assessment questions you need to know what your deliverable is going to look like…Download our free Risk Assessment Template Here

Okay, got it?…Let’s get to the questions…


Go Right For The Important Stuff…

Most assessments start with scans…bad idea.

Instead, go right for the gold. Start talking “Assets” (data) with the Asset Owners…I like to start with a three question framework…

  1. What are you trying to protect?
  2. What are your relevant threats?
  3. How comfortable are you with your ability to detect and respond?

These three questions may sound too simple. What they really do is quantify the buyer’s perception of risk. In my book, The House & The Cloud (chapter 13), I explain risk by modeling it on a graph I call The Impact/Likelihood Graph.


(Download the Template Before Going On…)

The X-Axis measures IMPACT…and question #1 gives us the data we need to plot the X-axis…

The Y-Axis measures likelihood as a percentage. Think of the Y-Axis as the odds your prospect will encounter disaster (such as data theft or downtime). Question #2 gives you the issues your client perceives as threats, pushing the likelihood up the vertical axis…#3 tells you if your prospect thinks he’ll know before it’s too late.
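As an added example (not code from the post or the book), here is one way to record each asset owner’s three answers and place them on the Impact/Likelihood graph; the 1-5 impact scale, the quadrant cut-offs and the impact × likelihood ordering are assumptions for illustration, and the sample answers are constructed:

```python
# Added example: placing answers to the three framework questions on the
# Impact/Likelihood graph. Scales, cut-offs and ordering are assumptions.
from dataclasses import dataclass


@dataclass
class AssetAnswers:
    asset: str            # Q1: what are you trying to protect?
    impact: int           # X-axis: assumed scale 1 (nuisance) .. 5 (business-ending)
    likelihood_pct: int   # Y-axis: owner's perceived odds of disaster, 0..100
    threats: list[str]    # Q2: the threats the owner named
    can_detect: bool      # Q3: believes they'd know before it's too late


def plot_point(a: AssetAnswers) -> tuple[int, int]:
    """Coordinates on the graph: (impact, likelihood %)."""
    if not 1 <= a.impact <= 5 or not 0 <= a.likelihood_pct <= 100:
        raise ValueError(f"out-of-range answers for {a.asset}")
    return (a.impact, a.likelihood_pct)


def quadrant(a: AssetAnswers, impact_cut: int = 3, likelihood_cut: int = 50) -> str:
    """Name the quadrant the point falls in (cut-offs are assumptions)."""
    hi_impact = a.impact >= impact_cut
    hi_likely = a.likelihood_pct >= likelihood_cut
    return {
        (True, True): "high impact / high likelihood",
        (True, False): "high impact / low likelihood",
        (False, True): "low impact / high likelihood",
        (False, False): "low impact / low likelihood",
    }[(hi_impact, hi_likely)]


def talking_points(answers: list[AssetAnswers]) -> list[str]:
    """Order assets for the conversation by impact x likelihood (an assumed rule,
    upper-right quadrant comes out first) and flag those where the owner doubts
    their ability to detect and respond (Q3)."""
    ranked = sorted(answers, key=lambda a: a.impact * a.likelihood_pct, reverse=True)
    out = []
    for a in ranked:
        note = "" if a.can_detect else " [owner doubts detection/response]"
        out.append(f"{a.asset}: {quadrant(a)}{note}")
    return out


# Constructed sample interview answers (not real client data)
SAMPLE = [
    AssetAnswers("customer PII database", 5, 60, ["ransomware", "insider"], False),
    AssetAnswers("marketing website", 2, 70, ["defacement"], True),
    AssetAnswers("payroll system", 4, 20, ["credential theft"], True),
]
```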

Three simple questions take you right to the core issues – you now know how the potential buyer views their data, their threats, and their security controls!  Given these vital inputs, it’s now much easier to proceed with the sales process.

If they believe they’re secure, you know you have some hurdles to clear. You can’t move forward until they see it. If your potential buyer sees trouble ahead, all you have to do is reinforce these truths and build trust.

Given our three part framework, it’s time to dive into some more tactical questions.

Your goal is to keep the interviews interactive, while collecting the data you need to build a case for greater security.

Since there are different functional roles in the organization, and a variety of disciplines, technical savvy, and liability, I’ll approach this list of questions by title and function within the business.

For smaller companies, simply scale down the number of people and eliminate those roles that don’t exist. The process works for both big and small firms.

Three Essential Groups You’ll Meet With If You Want To Close Follow-on Business…and One More Needed To Gather Information

  1. Executive level asset owners.
  2. Power users (and line of business asset owners).
  3. Your internal security subject matter experts.
  4. IT Personnel

Some definitions will be important before launching into questions…

Asset Owner: Asset owners are the people who are liable (or at least believe they are liable) for the security of the company’s data.

NOTE: IT personnel are not liable.

The way to know who the asset owners are is to ask the question, “If a lawsuit is filed as a result of a breach, who will be on the hook?” It won’t be IT unless they’ve violated some law…

Executives: Here we are referring to stakeholders such as small business owners/partners, C-Suite, and VP level (officers of the company).

Power Users: Users who create and use data to run the business are often called “end-users” or “knowledge-workers”. Power users are end-users or knowledge-workers who create and use data every day. If systems are down, slow, or compromised, this group will be extremely upset. (Don’t shut down their network, but if you did, who would start screaming and throwing things?)

Internal Subject Matter Experts: Internal refers to those who work for your company as a subject matter expert – frequently consultants, systems engineers, or systems analysts.  In most cases this group will be experts in data security.

IT Personnel: If the company you’re calling on has internal IT staff, you’ll want their input and cooperation; however, interaction with IT will be the last thing you do before delivering your findings.

The Ultimate List of Questions To Guide You Through Your Next Security Assessment


EXECUTIVES (Asset owners)

  • What are you trying to protect? (Find out what applications and data are essential to this business.)
  • How long can you afford to be down (per application)?
  • How much data can you afford to lose (per application)?
  • Have you suffered either in the recent past?
  • For each application – what’s more important: data privacy/confidentiality, integrity, or availability?
  • Who can’t see this data / why?
  • What is your cost of downtime/ data loss?
  • What is your exposure or liability for any sort of data breach/disaster?
  • What compliance regulations are you dealing with – are you compliant as far as you know?
  • Do you have a disaster recovery plan? Has it ever been tested? Do you believe you would be able to meet your stated requirements for recovery?

POWER USERS (Some will be asset owners)

Use the above questions first. Then, discover their work process/data flow…

  • How is data created (Per application)?
  • Let’s walk through the lifecycle: Creation, transmission (where does it go and how?), applications (how is it used and who accesses it from where?), where and when is it at rest (Stored)? When is it archived (and for how long)?, When and how is it deleted (Is there policy/process to govern data destruction)?
  • Who would want this data (but shouldn’t have access to it)? Why?

TECHNICAL TEAM (INTERNAL TEAM – SME/Subject matter experts)

In this third step you’ll need your findings from the first two sets of meetings. Given you know what your prospect’s company does, how data is used and what’s important, and how they work, it’s time to find out what would need to be true to keep this company’s gold safe…

  • What would need to be in place (security controls) in order for this data to be safe?  Review each part of the data lifecycle.

The output of this meeting should be a punch list. You want a list of controls, processes, policies, etc. that would need to be properly implemented to keep the data safe.


With your punch-list in hand, you release your technical subject matter experts to scout out the prospect’s digital world. Each control/process/policy should be checked, either by inspection, demonstration, or verified with any internal technical resources. (Never take “We think so” as the gospel. Verify everything.)

In addition, you’ll want to collect data and examine it for symptoms of malware and data misuse or policy violations.  We recommend at least a week’s worth of data. If you can get 2 or 3, more is better.


  • What is urgent? (Urgent means there’s a high likelihood of downtime, data loss, misuse, etc. )
  • Why is it urgent? (In this question you need the business impact, not the technical deep dive.)
  • Prioritize these issues for the report.
  • What would this company need to do now vs. next month or over the next 6 months to fix these issues? What must be done right now?

© 2017, David Stelzl

PS. Did You Get My Free Template? (Download it here and start justifying sales with Risk)
