CISOs need to measure themselves to further develop their programs. Assessments help to make the case for the success of an existing program, while supplying the data necessary to get executive support for its improvement.
Regardless of what size shop you are, I think it is essential to do both internal and external assessments.
Internal assessments are important because they help to gauge the relative risk across the entire organization. Things like business email compromise, or account hijacking or impersonation all start with a cyber genesis. So it’s the security department’s purview to look at the various business units’ processes to figure out whether any of them are unnecessarily risky or can be improved.
Once you’ve done the internal work and assessed your risk, then you mitigate it.
The internal assessment is something the security department should formulate, onboarding the different departments inside the organization and publishing the results to the board of directors. Sharing that information helps to level-set everyone on the preparedness and awareness of departments in the organization around their security risks. This is critical to driving a security-centric culture.
The more mature organizations do internal assessments and benchmarking annually to see whether things backslid or improved.
The internal assessment is also important because external assessors don’t know how your company operates. The external assessor’s value is in taking a look at how well your mitigations worked.
I advise companies to change their assessor every couple of years – and to use different vendors for different types of assessments. While that might seem more expensive, it actually isn’t, and you end up with better results by leveraging different partners.
Those different vendors would cover:
* Cybersecurity assessment: External cybersecurity assessment should look at your company’s ability to handle external cybersecurity attacks. This would be more comprehensive than a pen test, expanding beyond attack surfaces to checking wi-fi, socials and people to get a 50,000-foot view of your company’s ability to manage and mitigate cyber threats.
* Network security assessment: The network security assessment is there to evaluate how much damage could be done if someone got in, and what mitigations and controls you put in place to limit damage.
Network security assessments tend to look deeper at internal things you might not think about, like printers and copiers that can add vulnerabilities onto your network. They also tend to look at IoT devices and other internal controls that would not be examined in a cybersecurity assessment. You can have great external controls and a great cybersecurity posture, but a user can inadvertently allow something into your network.
* Cybersecurity risk assessment: This is going to validate the internal assessments you did earlier. A third party will measure you against your own findings and the things you’ve mitigated. How well did you actually improve your posture based on the things you found during the internal assessment? How much further can you go?
* Data management assessment: This is crucial for any company that handles consumer data in any way, shape or form. More and more states are starting to adopt privacy legislation. But before these rules and regulations were put in place, companies amassed tons of data that have never been assessed. So take time to work with a third party to assess your data structures, storage mechanisms, and processes related to access and authentication. Look at the technologies that interact with data and at your communication protocols. Can you stop a flood of information from being able to leave, and detect malicious or unusual activity? These assessments can be expensive, but it’s money you need to spend.
Timetables for doing the various assessments can vary from organization to organization. But I would say the overall cybersecurity assessment is something you should do toward the end of the year because that provides all of the data for your end-of-year reporting to the board.
Business changes around us on a routine basis, making annual assessments a critical benchmark for ensuring we’re protected. And more important than just being protected is the need to articulate just how well we’re protected. It’s critical to take this data and use it for value creation and articulation.
Probably the easiest line to justify in your budget is a line for assessment services. No executive doubts the value of pen testing anymore. The same should hold for assessments if you make your case properly. I think it’s an easy value statement to be able to make.