Risk assessments are among the most outsourced projects in the information security portfolio. At the same time, the majority of third-party risk assessments end up collecting dust in thick binders, to be used exclusively for passing audits. This presentation will outline how any organization can perform its own risk assessment, without the ambiguity and complexity that often keeps managers from undertaking these projects. In fact, the DIY approach will ensure the risk assessment is not only a way to satisfy audit requirements, but can also be used to answer one of the most difficult questions in the industry: “How much security do you really need?”
Attendees will receive practical and actionable advice that can be put into practice immediately, with tools that range from open source software to moderately priced assessment automation suites. The presentation will focus on breaking down the risk assessment to its essentials, with specific guidance for completing each phase of the process. Risk assessments don’t have to be ambiguous, and can be something that helps companies make decisions that result in better security and resilience to a security incident.
- Third-party risk assessments rarely work
- Risk assessments are more effective when done in-house
- Many free or inexpensive tools will help facilitate the process
About Yan Kravchenko

Yan Kravchenko is passionate about finding ways for organizations to balance their business objectives with the ever-growing cybersecurity and regulatory challenges. Today, Kravchenko is focused on one of the latest frontiers in the field of security: application security. In this role, he is creating innovative tools and services for complex enterprises to understand their application security risks and optimize their security investments. In dealing with the ever-changing cybersecurity threat landscape, he brings the ability to interpret and apply technical, legal and business information to enable his clients to make informed decisions.
Over the past 20+ years, Kravchenko has worked through many IT and security evolutionary trends, learning different ways to evaluate, understand and remediate cybersecurity risks.