Security Assessments: Goals and Outcomes
Security assessments are an essential tool in answering these three important questions:
- Are we secure?
- Where do we go from here?
- Which security investments will provide the most benefit to the organization?
Given the importance of a strong security posture, we see growing dissatisfaction with the methods frequently used to assess the state of information security within an organization. Security assessments help organizations understand individual aspects of their cybersecurity approach, but often fall short of answering the three primary questions above.
In this blog, I will unpack the three most common security assessments and areas where I find these methods are failing to make the grade.
- Best practices, aka “a giant checklist” (I also lump compliance audits into this category)
- Vulnerability/penetration testing
- Risk-based assessment
Best Practices (aka the Giant Checklist)
The best practices method for assessing security leaves me somewhat dissatisfied on all three questions:
Are we secure? Let’s assume you have a REALLY good list. Your checklist is so good that when all boxes are checked, it would take the combined forces of all the intelligence agencies in the world to breach your systems. You diligently run through the list and start checking off boxes. But when the company stakeholder wants to know how secure the business is, you cannot give them a good answer, except to say you’re “36% of checklist items away from being super-secure.”
Where do we go from here? A checklist may help you identify the cracks in your security posture, but it doesn’t give you answers for where to focus your efforts next. Without better insight, we tend to start with the easiest fixes first and work our way back. This is not the best approach when the unchecked items further down the list may be the ones with the potential to cause irreversible damage to the foundation of your business.
Which security investments will provide the most benefit to the organization? Using a long checklist to try to communicate the need for an increased (or maintained) security budget is not very effective – with the obvious exception of a compliance audit.
There is certainly a good business case for using the best practices checklist. It combines knowledge of many professionals, it can serve as a useful tool for systems implementation or design, and it is well-suited to address specific compliance requirements. But in the context of managing cybersecurity for the organization as a whole, you’ll need a better way to quantify these risks in order to plan for the future.
Vulnerability / Penetration Testing
Vulnerability or penetration testing assessments are fantastic. They do a great job of showing where your patching program can be improved and where you may have misconfigurations, and, within a limited scope, they demonstrate your organization’s susceptibility to a cyberattack.
To some degree they help answer the first question, “Are we secure?”, at least when there are obvious and easily exploitable gaps. Barring those, however, the same problems as the giant checklist remain. Additionally, per-system vulnerability assessments frequently miss the interconnectedness of systems and the relationships between them.
Risk-Based Assessment
Risk assessments (and here I am not talking about a “best practices” list masquerading as a risk assessment) are the holy grail of security assessments.
The objective of this kind of assessment is to mitigate cybersecurity risk, and in doing so to determine the current risk level as a literal estimate of how secure the business is. A true risk-based assessment gives practitioners the information they need to make statements like:
- We are 90% confident that our annual loss expectancy is $234,567
- There is a 5% chance that we will encounter a loss of over $7,000,000 next year
- If we implement this particular technology/process – we will drive those numbers down
If you’re looking for a deep-dive into this approach, I recommend Doug Hubbard’s book, How to Measure Anything in Cybersecurity Risk.
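The arithmetic behind statements like those, as an added example that is not from this post or from Hubbard's book: a Monte Carlo simulation over constructed loss scenarios, where each scenario's loss magnitude is encoded from an expert's 90% confidence interval as a lognormal distribution (the calibration approach Hubbard describes). The scenario names, annual probabilities, loss ranges and the modelled control are all assumptions.

```python
import math
import random
from statistics import mean

Z_90 = 1.645  # z-score bounding a two-sided 90% interval of a normal distribution

def lognormal_params(lower, upper):
    """Turn an expert's 90% CI for the loss from one event into lognormal mu/sigma."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z_90)
    return mu, sigma

# Constructed scenarios: (name, annual probability, 90% CI on loss if the event occurs).
SCENARIOS = [
    ("ransomware on file servers", 0.10, 50_000, 2_000_000),
    ("phishing leading to wire fraud", 0.25, 10_000, 300_000),
    ("breach of customer data via web app", 0.05, 200_000, 5_000_000),
]

def simulate(scenarios, trials=20_000, seed=1):
    """Return one simulated total loss for each of `trials` years."""
    rng, totals = random.Random(seed), []
    for _ in range(trials):
        year_loss = 0.0
        for _name, p, lo, hi in scenarios:
            mu, sigma = lognormal_params(lo, hi)
            # Drawn unconditionally so a re-run with a control and the same seed uses the same stream.
            occurs = rng.random() < p
            magnitude = rng.lognormvariate(mu, sigma)
            if occurs:
                year_loss += magnitude
        totals.append(year_loss)
    return totals

def summarize(totals, threshold):
    """Annual loss expectancy, P(loss > threshold) and a 90% interval on annual loss."""
    ordered, n = sorted(totals), len(totals)
    return {"ale": mean(totals),
            "p_exceed": sum(t > threshold for t in totals) / n,
            "ci90": (ordered[int(0.05 * n)], ordered[int(0.95 * n) - 1])}

def apply_control(scenarios, name, prob_reduction):
    """Model a control (e.g. MFA on email) that cuts one scenario's annual probability."""
    return [(n, p * (1 - prob_reduction) if n == name else p, lo, hi) for n, p, lo, hi in scenarios]

if __name__ == "__main__":
    base = summarize(simulate(SCENARIOS), threshold=1_000_000)
    after = summarize(simulate(apply_control(SCENARIOS, "phishing leading to wire fraud", 0.6)), 1_000_000)
    print(f"ALE ${base['ale']:,.0f}, P(loss > $1M) {base['p_exceed']:.1%}, 90% interval {base['ci90']}")
    print(f"With control: ALE ${after['ale']:,.0f}, P(loss > $1M) {after['p_exceed']:.1%}")
```

Re-running with a control applied under the same seed shows how far a given investment moves the annual loss expectancy and the tail probability, which is exactly the third kind of statement above.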
The only trouble I see with this approach is that its implementation can require a greater investment than most organizations I have worked with are willing to make.
There has to be a better way…
In my next blog, I’ll explain a solution to the challenges described above, and share our threat-based approach to protecting what matters. If you are interested in learning more about our approach to cybersecurity for midsize businesses, contact us to connect with our team.