Improving the outcomes of your security assessments

Regular assessments are a key method to gauge improvement and compliance

By Paul Grapendaal, Head of Managed Security Services at Nclose

Recently, the inspector general for NASA found that resource constraints and a lack of awareness had resulted in the continued ineffectiveness of the agency's information security programme. Common controls were deficient, its plan of action and milestones had gaps, and not all system security plans had been updated. The review found numerous shortfalls in the agency's risk assessment plans, leaving it exposed to a wide range of risks. The agency is not alone: organisations around the world are failing to address common vulnerabilities. Few local organisations have the resources NASA does to mitigate risk and secure systems, which makes it all the more important for them to work continuously to address risk and assure compliance.

A key part of the overall security and risk management programme is regular security assessments. These assessments, whether penetration testing, vulnerability assessments or broader risk assessments, are often seen as an onerous additional workload and – if they are not approached correctly – they may not adequately reduce risk exposure.

But security assessments deliver real value when the assessments are used to inform fundamental improvements and where there is buy-in to the process from the top down.

It is not enough to gather information on a variety of systems and processes and produce a regular report. Organisations then need to categorise and prioritise what they find, deciding for each finding whether to mitigate, remediate or accept the risk. They need to consider whether certain policies should be amended, strive to understand the root causes of problems, and develop a programme that identifies low-hanging fruit that can be resolved quickly.

Organisations need to make the results of assessments visible and, ideally, define metrics that let them track and celebrate improvements. Often, an improvement will not be reflected in the next assessment weeks or months later: organisations may need to review 6- to 12-month trends to determine whether risk is being successfully mitigated. Ideally, when the assessments are contextualised over a year or longer, the organisation will see continuous improvement.
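The triage and trend-tracking steps described in the two paragraphs above, as an added example that is not code from the article or from Nclose. The findings, the severity weights and the quarterly snapshot dates are all constructed assumptions for illustration; the point it demonstrates is that a comparison of two consecutive assessments can show risk going up while the longer trend is improving.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample findings (hypothetical, not real assessment output).
# Each finding records when it was first reported, when it was closed
# (None while still open) and the disposition decided at triage:
# remediate, mitigate or accept.
FINDINGS = [
    {"id": "F-001", "severity": "critical", "opened": date(2023, 1, 10), "closed": date(2023, 2, 9), "disposition": "remediate"},
    {"id": "F-002", "severity": "high", "opened": date(2023, 1, 10), "closed": date(2023, 4, 20), "disposition": "remediate"},
    {"id": "F-003", "severity": "medium", "opened": date(2023, 1, 10), "closed": None, "disposition": "accept"},
    {"id": "F-004", "severity": "critical", "opened": date(2023, 4, 5), "closed": date(2023, 4, 25), "disposition": "remediate"},
    {"id": "F-005", "severity": "high", "opened": date(2023, 4, 5), "closed": date(2023, 7, 14), "disposition": "mitigate"},
    {"id": "F-006", "severity": "low", "opened": date(2023, 4, 5), "closed": None, "disposition": "remediate"},
    {"id": "F-007", "severity": "high", "opened": date(2023, 7, 3), "closed": date(2023, 8, 2), "disposition": "remediate"},
    {"id": "F-008", "severity": "medium", "opened": date(2023, 10, 2), "closed": None, "disposition": "remediate"},
]

# Assumed weighting: a simple severity-to-points scheme for the risk score.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Assumed quarterly assessment snapshot dates (one year of history).
SNAPSHOTS = [date(2023, 3, 31), date(2023, 6, 30), date(2023, 9, 30), date(2023, 12, 31)]


def is_open_at(finding, as_of):
    """True if the finding was reported on or before as_of and not yet closed then."""
    closed = finding["closed"]
    return finding["opened"] <= as_of and (closed is None or closed > as_of)


def triage(findings):
    """Open backlog ordered for action: highest severity first, oldest first within
    a severity. Accepted risks are tracked elsewhere and excluded from the backlog."""
    backlog = [f for f in findings if f["closed"] is None and f["disposition"] != "accept"]
    return sorted(backlog, key=lambda f: (-SEVERITY_WEIGHT[f["severity"]], f["opened"]))


def disposition_summary(findings):
    """How many findings were assigned each disposition at triage."""
    return Counter(f["disposition"] for f in findings)


def open_risk_score(findings, as_of):
    """Severity-weighted count of findings still open (and not accepted) at a date."""
    return sum(SEVERITY_WEIGHT[f["severity"]]
               for f in findings
               if f["disposition"] != "accept" and is_open_at(f, as_of))


def median_days_to_close(findings, severity):
    """Median days from report to closure for closed findings of one severity."""
    days = [(f["closed"] - f["opened"]).days
            for f in findings if f["severity"] == severity and f["closed"] is not None]
    return median(days) if days else None


def risk_trend(findings, snapshots):
    """Compare the mean score of the earlier half of the snapshots with the later
    half, so a single noisy assessment does not decide the verdict."""
    scores = [open_risk_score(findings, d) for d in snapshots]
    half = len(scores) // 2
    early = sum(scores[:half]) / half
    late = sum(scores[half:]) / (len(scores) - half)
    if late < early:
        return scores, "improving"
    if late > early:
        return scores, "worsening"
    return scores, "flat"


def next_assessment_only(findings, snapshots):
    """The naive view: compare only the two most recent consecutive snapshots
    at the start of the period."""
    first, second = (open_risk_score(findings, d) for d in snapshots[:2])
    return "worsening" if second > first else "improving" if second < first else "flat"


if __name__ == "__main__":
    print("Backlog:", [f["id"] for f in triage(FINDINGS)])
    print("Dispositions:", dict(disposition_summary(FINDINGS)))
    for sev in ("critical", "high"):
        print(f"Median days to close ({sev}):", median_days_to_close(FINDINGS, sev))
    print("Q1 vs Q2 only:", next_assessment_only(FINDINGS, SNAPSHOTS))
    print("Year trend:", risk_trend(FINDINGS, SNAPSHOTS))
```

With this data the quarter-to-quarter comparison (score 3 then 4) reports the programme as worsening, while the four-quarter view (3, 4, 1, 3) reports it as improving; accepted risks are kept out of the score so that a conscious acceptance decision is not counted as an unaddressed finding.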

As risk factors evolve, the organisation's portfolio of risk assessments should be updated and adjusted. Assessments conducted or supported by an independent third party help by giving the organisation fresh perspectives and benchmarks against which to assess the environment.

Organisational culture is also important in addressing risk: where the culture of the business is not to apportion blame but rather to effect real change and improvement, security assessments are seen less as an additional workload and more as an important way to monitor and measure improvement.

Ideally, the organisation should strive for a culture in which people are encouraged to flag risks internally, instead of waiting for an assessment to identify them. In such an environment, teams collaborate to highlight and address risks, and buy in to the assessment process. Once the internal teams have been given room and encouragement to raise visibility of known issues and shortfalls, external assessments can help validate these. An external partner, like Nclose, provides independent validation and also brings experience across multiple industries and businesses, which it is able to share with new and existing clients. Leveraging that experience further assists clients in identifying risks they are not directly aware of and helps them understand the true risk of any specific item.
