
How Long Does a Cybersecurity Assessment Take: 3 Scenarios For Better Understanding

For various reasons, it is impossible to give a one-size-fits-all answer to how long a cybersecurity assessment takes. Several factors unique to each business or organization affect turnaround times.

So, to help you better understand how long it might take for your organization, we’ll discuss some of the factors that go into planning and then see how these look when applied to three different scenarios.

Understanding How Long a Cybersecurity Assessment Takes

Before we delve into the specific examples, let’s first look at a few factors that can impact the turnaround time on a cyber risk assessment.

It’s important to note that most of these factors are within the organization’s control. Delays will typically occur because needed documents or information are not promptly provided.

Understanding this can help inform the preparation process better and eliminate potential delays in the cybersecurity risk assessment.

4 Factors Influencing Cybersecurity Assessment Turnaround Time

While several factors can affect the turnaround time of a cyber risk assessment, the four listed below have the most significant impact.

Organization size and complexity

An enterprise-level organization with many different locations and vast networks, users, and machines will take longer than a small business.

In addition, organizations in complex industries, such as financial institutions or healthcare organizations, often require more work, which can increase the timeline for the assessment delivery.

Previous cybersecurity assessments

If this is your organization’s first cybersecurity assessment, it will likely come as no surprise that it can increase the turnaround time.

Conversely, if your organization has completed one or more previous assessments, establishing a baseline and having the documentation in place can shorten the process. This holds even more so if the same stakeholders are the go-to during the following assessment, as this means everyone will know what to expect.

Scope of the assessment

A complete cybersecurity assessment will take longer than one-off activities such as penetration testing. If this is your organization’s first time conducting a cyber risk assessment, a full and thorough evaluation is recommended.

Regulatory compliance requirements

As noted previously, finance, education, or healthcare organizations are typically required to conduct cyber assessments as part of regulatory requirements.

This also means these organizations may need more, or more extensive, assessments than a single-location small business, since their environments are more complex and the stakes are higher if something is overlooked.

3 Cybersecurity Risk Assessment Scenarios To Better Understand Turnaround Times

Since each business is different, it is impossible to give a definitive answer to how long a cybersecurity assessment takes under every set of circumstances.

With that said, below are three examples based on real organizations that Mandry Technology has previously worked with.

Using these three scenarios, you can likely get an idea of real-life factors that will affect the turnaround time and examples of how long each step in the process can take.

Cyber Risk Assessment Scenario 1: Pinecrest Community College

Scenario one involves a mid-sized college in a smaller urban area of the United States. To make this more real, we’ll call this Pinecrest Community College.

Unique Challenges

Diverse user base – one of the primary challenges for Pinecrest, as for other colleges and universities, is its varied user base, which includes students, administrators, professors, contractors, and visitors. User numbers also surge regularly during sporting events, conferences, graduations, and similar gatherings.

Research data protection – along with student data, Pinecrest must protect its professors' research. The school is heavily invested in medical research, making it a more attractive target for threat actors looking to steal intellectual property and research data.

Compliance with FERPA and other regulations – as a recipient of federal funding, Pinecrest must comply with the Family Educational Rights and Privacy Act, which means proactively securing student information and keeping it confidential.

Breakdown of a College or University Cybersecurity Assessment Timeline

1. The Center for Internet Security Control Questions (CIS Controls) are sent to the IT team and administrators for review. They must be completed and returned to Mandry Technology within one week.

2. The Mandry Technology SECURE team, university IT, and administrators will hold a call the following week to finalize the response to the CIS control questions. The call will typically last two hours.

3. The following week, the Mandry Technology SECURE team will compile all data into a printable format with charts and a breakdown of information. This process typically takes about two hours for a small to mid-sized college, assuming all information has been provided in the needed format.

4. That same week or the next, the Mandry Technology SECURE team will create a gap analysis and remediation plan and compile everything into a presentation geared toward all stakeholders. This process takes about two hours for a small to mid-sized college.

5. A final presentation is scheduled to present all findings to relevant stakeholders at the college. This presentation is delivered online or in person, depending on location and driving/flight times. 

Estimated College or University Cybersecurity Assessment Turnaround Time

3 – 4 weeks

Cyber Risk Assessment Scenario 2: West Lake Credit Union

The second scenario is a fictional multi-location credit union called West Lake Credit Union. There are five locations: three in their home city, including the headquarters, and two other locations in smaller regional towns.

Unique Challenges

Regulatory compliance – credit unions and banks are subject to various regulations that require them to conduct regular cybersecurity risk assessments. The Gramm-Leach-Bliley Act (GLBA) is of primary importance: it governs how financial services providers disclose their customer data practices and requires them to safeguard sensitive financial data.

Member data protection – credit unions are a desirable target for threat actors looking to steal private financial data. This holds doubly true for smaller credit unions, which may be seen as easier targets than larger banks with more robust safeguards in place, though this is not always the case.

Keeping member data safe can be an uphill battle, requiring multiple layers of protection from both the credit union and its members.

Distributed IT infrastructure – in the case of West Lake Credit Union, having multiple locations that all need to communicate with each other adds complexity compared to a single location.

This added complexity is reflected in the turnaround times for the cyber risk assessment, as each location requires an evaluation, multiplying the completion time.

Breakdown of a Credit Union or Bank Cybersecurity Assessment Timeline

1. The Center for Internet Security Control Questions (CIS Controls) are sent to the IT team and credit union management for review. They must be completed and returned to Mandry Technology within one week. Each location will require a document unless otherwise requested.

2. The Mandry Technology SECURE team, credit union IT team, and management will hold a call the following week to finalize the response to the CIS control questions. The call will typically last two hours. 

Each location will require a two-hour call, so in the case of West Lake Credit Union, there will be five two-hour calls. Depending on the scheduling, this specific scenario will likely take two weeks to complete all calls. 

3. The following week, the Mandry Technology SECURE team will compile all data into a printable format with charts and a breakdown of information. This process typically takes about two hours, assuming all information has been provided in the format needed. Each location will require a document, which means a total of ten hours.

4. That following week, the Mandry Technology SECURE team will create a gap analysis and remediation plan and compile everything into a presentation geared toward all stakeholders. This process takes about two to three hours but can take longer due to the added locations.

5. A final presentation is scheduled to present all findings to relevant stakeholders at the credit union. This presentation is delivered online or in person, depending on location and driving/flight times.

Estimated Credit Union or Bank Cybersecurity Assessment Turnaround Time

5 – 7 weeks

Cyber Risk Assessment Scenario 3: Bridgeport Memorial Hospital

The fictional Bridgeport Memorial Hospital is the final scenario we’ll look at in answering how long a cybersecurity assessment takes.

For this example, the hospital is a mid-sized rural hospital with thirty beds serving multiple counties. It has an in-house IT team, but like many rural hospitals, it experiences turnover.

Unique Challenges

Health Insurance Portability and Accountability Act compliance – like most other healthcare organizations, Bridgeport Memorial Hospital is a covered entity and must comply with HIPAA regulations.

Under HIPAA, the hospital must conduct regular assessments to verify that protected health information (PHI) is stored properly and to identify vulnerabilities.

Protection of sensitive patient data – because of the nature of the information they store, hospitals are an attractive target for threat actors looking to steal patient data. This higher exposure calls for greater sensitivity and security during the cyber risk assessment.

Critical infrastructure dependencies – hospitals are highly dynamic environments providing critical services that cannot be put on hold. For this reason, some assessment activities may be delayed depending on what is happening at the hospital.

Breakdown of a Hospital Cybersecurity Assessment Timeline

1. The Center for Internet Security Control Questions (CIS Controls) are sent to the IT team and administrators for review. They must be completed and returned to Mandry Technology within one week.

2. The Mandry Technology SECURE team, hospital IT, and administrators will hold a call the following week to finalize the response to the CIS control questions. The call will typically last two hours.

3. The following week, the Mandry Technology SECURE team will compile all data into a printable format with charts and a breakdown of information. This process typically takes about two hours for a small to mid-sized hospital, assuming all information has been provided in the needed format.

4. That same week or the next, the Mandry Technology SECURE team will create a gap analysis and remediation plan and compile everything into a presentation geared toward all stakeholders. This process takes about two hours for a small to mid-sized hospital.

5. A final presentation is scheduled to present all findings to relevant stakeholders at the hospital. This presentation is delivered online or in person, depending on location and driving/flight times. 

Estimated Hospital Cybersecurity Assessment Turnaround Time

3 – 6 weeks

Final Thoughts on How Long a Cybersecurity Assessment Takes

Even though the process is similar from one organization to the next, turnaround times on cybersecurity assessments can vary. Everything from multiple locations to delays when delivering questionnaires can impact the total turnaround time.

That said, the above examples represent organizations with above-average complexity due to regulatory requirements and environmental challenges. For smaller, single-location businesses, a cyber risk assessment is generally more straightforward to complete.

If your organization needs a cybersecurity risk assessment for regulatory compliance or peace of mind, contact Mandry Technology today. While we work with businesses of all sizes, the Mandry SECURE team specializes in working with organizations in critical industries and multi-location businesses with more complex needs.