Why Settle for an Un-actionable Cybersecurity Report?
Here’s the scenario….your organization’s leaders read or hear about recent cybersecurity breach in the news. Sometimes, the breach involves a competitor or a similar business line, where the result was a damaged brand, possible fines, or even lawsuits.
Many leaders fear that they could be the next victims of cybertheft and want to know if their business or organization is safe. Typically, after a rigorous proposal and bid process, they’ll engage a third party to perform an independent assessment of the organization’s cybersecurity posture. The consultant conducts interviews and meetings, collects info, runs scans, and issues a report.
The Fallacies of Typical Cybersecurity Risk Assessments
A typical report includes a discussion about the background, organization’s use of technology, and the amazing assessment process they used to detect the organization’s vulnerabilities.
And typically, the report will identify an abundance of vulnerabilities presented vis a listing of an enormous glut of data organized by server or IP address. Sometimes the list is prioritized by a risk rating; other times the list is prioritized by IP addresses.
After the organization’s leaders sift through the background, risk assessment procedures and 50 plus pages of findings, they’ll meet with their IT department for the “real explanation”. At this point, IT presents their defense for why a server has so many vulnerabilities, or to confirm the expert’s risk assessment.
Most importantly, the organization’s leaders ask for an explanation of what the data in the report really means.
Read our post from our team: Cybersecurity Risk Assessment is More Than Just a Scan
What Results Leaders Want from a Cybersecurity Assessment
It is our belief that organizational leaders want to know five things:
- “What do we do well?”
- “What needs to be fixed?
- “How do we measure up?”
- “What are the recommendations to fix this?”
- “How do we plan this year for fixing this?”
This must be conveyed to three separate audiences – executives, managers, IT staff - who will be looking for insights relevant to their responsibilities within the organization. Consequently, an Assessment Report should contain three sections:
- An Executive Summary, which is a “30 second elevator talk” explaining why the organization needs to dedicate resources to cybersecurity. The best summaries communicate this information on one “bulleted” page.
- Management Findings, that summarize detailed findings so management can create and execute an action plan, make changes and improvements, and drive results. A significant portion of the report will be dedicated to this objective.
- Detailed Findings, containing supporting information and documentation captured during the assessment that will be used by IT team members to address specific findings.
The report should include clear, understandable descriptions of the challenges and opportunities for improvements requiring attention. Each recommended improvement should be weighted and prioritized so the organization can set a path for their teams to begin work. Recommendations in the report should right sized for the organization and its capabilities.
A strategic roadmap should be included in the Assessment Report that helps the organization prioritize work over time.
Connect with Freed Maxick’s Cybersecurity Risk Assessment Experts
Ultimately, leaders want and deserve a clear and actionable Cybersecurity Assessment Report from the consultant they hire. The Cybersecurity Team at Freed Maxick will constructively listen to your wants, needs and concerns. We’ll bring our years of experience to understanding your capabilities, and provide clear guidance and a strategic plan to prioritize and address areas of opportunity.
Our assessments are presented in the right language, using graphical representation, color and an amount of detail relevant for each type of stakeholder. We believe that this is a best practice for preparing an actionable report and plan, especially for executives.
For more information about our cybersecurity assessments and other related programs and services, please connect with us here or call us at 716.847.2651.
More Insights and Guidance on Cybersecurity Issues - Click here.View full article
How to approach your company’s cybersecurity posture more holistically
The topic of cybersecurity will be top of mind for many executives in 2019 as they will have a keen interest in understanding their organization’s cybersecurity posture. One of the first steps for securing this understanding should involve engaging in a conversation with an outside vendor who will offer an engagement to measure the organization with the intention of identifying and preventing any outside (or inside) influences from launching an attack.
Usually, this conversation involves a discussion around the fantastic tools and team the third party has on hand, complemented by a “show and tell” presentation of scanning tools, reporting processes and deliverables, dire threats faced by the company, and for good measure, an update on “must know” buzz words that are necessary for making a sound purchase decision. Often, the reputation, name, or relationship with the third-party weighs in as well.
If all this cybersecurity exploitation makes you confused and numb, then we suggest stepping back and approaching your organization’s cybersecurity posture more holistically.
A Cybersecurity Risk Assessment is More Than Scanning and Making Fixes
Cybersecurity involves much more than conducting scans and fixing some configurations on a network and servers. It is the intersection of People, Processes and Technology that enables an organization to design, deploy, monitor and maintain a sound cybersecurity program.
We believe that the interaction between People, Processes and Technology within your company’s IT environment is key to the development and overall success of a mature cybersecurity program.
Cybersecurity Assessment: People
People represent one of the most vulnerable areas of your cybersecurity program. A well-balanced assessment should include examination of areas such as organizational structure, policy, procedures, security training and awareness, communication, tone at the top and culture. People represent one of the most vulnerable areas of your cybersecurity program, and any complete Cybersecurity Assessment should include assessing an organization’s people and culture.
Cybersecurity Assessment: Process
The processes your organization implements to operate daily should include basic security measures and practices such as: asset management, access management, third–party IT management, patching & system maintenance, backup & restore processes, disaster recovery, physical protection of infrastructure, “acceptable use” practices, incident response, business continuity and disaster recovery plans. All of these play significant roles in a strong cybersecurity program. During the cybersecurity assessment, specific measurements should be obtained regarding the maturity of your processes, including any recommendations for process improvement.
Cybersecurity Assessment: Technology
For most cybersecurity practitioners, technology generates the most excitement. It’s what most third party firms will offer as the mainstay of their Cybersecurity Assessment, and usually involves a only a vulnerability assessment scan with a report listing findings.. To a seasoned cybersecurity team, this is only one small necessary area of an overall assessment, as a comprehensive analysis should also include access and network controls, wireless network controls, endpoint management, penetration testing, and web application assessments and other technical areas.
Connect with Cybersecurity Risk Assessment Experts
Too often, organizations seek out third parties to assess cybersecurity and receive a scan and a report that showcases the vendor’s lack of understanding of the organization and its business. Most approaches don’t include information gathering, interviews, analysis, specific prioritized recommendations that are actionable for your organization’s resources.
Be wary of cybersecurity firms that lack the ability to assess your complete cybersecurity posture.
At Freed Maxick, our cybersecurity team works closely with your team to learn what you do, how you do it, understanding the entire picture, not just one area. This is the experience that comes with 60 years of working with organizations.
For more information about our cybersecurity assessments and other related programs and services, please contact Sam DeLucia at 585.360.1405.
More Insights and Guidance on Cybersecurity Issues - Click here.
Make sure you are using the right cybersecurity test for the right purpose.
Many companies (and sometimes their cybersecurity consultants) refer to a vulnerability assessment and a penetration test as the same thing, and while they both serve to protect a networked environment, they are not. Unfortunately, the interchangeable use of these two terms blurs the lines between these two very distinct activities and can result in missed opportunities to find, repair and defend an organization against cyberattacks.
A simple way to understand the differences is that a vulnerability scan, which can be automated, searches for network issues like missing patches and outdated protocols, certificates, and services. A penetration test is a proactive attempt to actively exploit a weakness once found.
Though both a vulnerability assessment and a penetration test are individually important elements of a well-rounded cybersecurity program, they are designed with different goals.
What is a Vulnerability Assessment?
A vulnerability assessment is a scan intentionally designed to identify configurations on your systems that could possibly be exploited by an attacker. A good vulnerability assessment scan will identify all system vulnerabilities, assign a level of risk or score to each and prescribe a fix.
Many companies look to third parties to perform this assessment, and their report of findings should provide a clear understanding of what vulnerabilities exist and what needs to be fixed first. This type of assessment needs to be executed regularly to maintain network security, with attention paid when network changes like new equipment installation occurs or when new network functionality or services are added.
What is a Penetration Test?
A penetration test is a fundamental part of most required cybersecurity regulatory or compliance program requirements, like PCI compliance.
A penetration test is more complex than a vulnerability assessment, with multiple steps involved. It’s designed to identify system or network vulnerabilities that can be exploited by a hacker; and attempts to exploit those vulnerabilities and illustrate the level of risk involved by simulating a hypothetical attacker’s attempts to gain unauthorized access to critical systems or networks.
Penetration testing is a form of “ethical testing” that gives qualified and trusted cybersecurity consultants a green light to break into their client’s computers or devices to test their network’s defenses. If successful, the client gets the opportunity to shore up their network’s defenses, and even an unsuccessful attempt at a break-in holds a positive outcome, as it is an indication – although not an absolute certainty – that the organization’s defenses are secure.
Freed Maxick Cybersecurity Services
Today, companies need both vulnerability assessments and penetration testing to protect their company’s assets (and reputation), their employees, and the data they hold about their clients. In either case, having the knowledge to decide which is truly needed for your organization now and in the future, and most importantly, which service you are receiving from a vendor, is vital information for you and your company.
We can help.
Freed Maxick’s dedicated team of cybersecurity risk experts performs vulnerability assessments, penetration tests and designs comprehensive cybersecurity risk management programs. We work closely with your team through each step in our proven process to reduce any concerns or impacts and provide our industry recognized consultation.