Such an approach has a number of benefits. First, it lets organizations tailor their security solution to their unique needs, without spending more than they have to. Most vendors offer a one-size-fits-all package (or tiered packages, with more features available the more you’re willing to spend) that provides equal protection across your entire network. But by conducting a risk assessment, an organization can understand both where they might be vulnerable and what information is most valuable, allowing them to choose the security solution that best suits their needs.
This leads into my second point: a risk assessment is the best means of protecting your critical business information. Without knowing which information is valuable and which is not, IT admins have to defend the entire network equally, all the time, a very tall task indeed. By identifying the value of information, organizations can shift resources to the defense of the more important data, so that even if they do become the victim of a data breach, their critical information remains safe.
Finally, this approach is significantly more holistic in scope than a security assessment. This is critical for an enterprise-level organization, which can be made up of tens or even hundreds of thousands of people, each of them territorial and concerned primarily with the work that they do, rather than the functioning of the overall business.
Because of this, I recommend to organizations that they bring in an outside partner to conduct the risk assessment, rather than doing it themselves. Individual departments generally don’t have the infrastructure capable of quantifying risk, and organizational efforts can often get bogged down in internal politics. An objective, outside view is necessary to understand the big picture, and how best to protect your organization from external threats through a data-driven security strategy.