Senior Manager | Risk Advisory Services
How to approach your company’s cybersecurity posture more holistically
The topic of cybersecurity will be top of mind for many executives in 2019 as they will have a keen interest in understanding their organization’s cybersecurity posture. One of the first steps for securing this understanding should involve engaging in a conversation with an outside vendor who will offer an engagement to measure the organization with the intention of identifying and preventing any outside (or inside) influences from launching an attack.
Usually, this conversation involves a discussion around the fantastic tools and team the third party has on hand, complemented by a “show and tell” presentation of scanning tools, reporting processes and deliverables, dire threats faced by the company, and for good measure, an update on “must know” buzz words that are necessary for making a sound purchase decision. Often, the reputation, name, or relationship with the third-party weighs in as well.
If all this cybersecurity sales talk leaves you confused and numb, then we suggest stepping back and approaching your organization’s cybersecurity posture more holistically.
A Cybersecurity Risk Assessment is More Than Scanning and Making Fixes
Cybersecurity involves much more than conducting scans and fixing some configurations on a network and servers. It is the intersection of People, Processes and Technology that enables an organization to design, deploy, monitor and maintain a sound cybersecurity program.
We believe that the interaction between People, Processes and Technology within your company’s IT environment is key to the development and overall success of a mature cybersecurity program.
Cybersecurity Assessment: People
People represent one of the most vulnerable areas of your cybersecurity program, so any complete Cybersecurity Assessment should include an assessment of the organization’s people and culture. A well-balanced assessment should examine areas such as organizational structure, policy, procedures, security training and awareness, communication, tone at the top and culture.
Cybersecurity Assessment: Process
The processes your organization implements to operate daily should include basic security measures and practices such as: asset management, access management, third-party IT management, patching and system maintenance, backup and restore processes, physical protection of infrastructure, “acceptable use” practices, incident response, and business continuity and disaster recovery plans. All of these play significant roles in a strong cybersecurity program. During the cybersecurity assessment, specific measurements should be obtained regarding the maturity of your processes, including any recommendations for process improvement.
Cybersecurity Assessment: Technology
For most cybersecurity practitioners, technology generates the most excitement. It’s what most third-party firms will offer as the mainstay of their Cybersecurity Assessment, and it usually involves only a vulnerability assessment scan with a report listing findings. To a seasoned cybersecurity team, this is only one small, necessary area of an overall assessment; a comprehensive analysis should also include access and network controls, wireless network controls, endpoint management, penetration testing, web application assessments and other technical areas.
Connect with Cybersecurity Risk Assessment Experts
Too often, organizations seek out third parties to assess cybersecurity and receive a scan and a report that showcases the vendor’s lack of understanding of the organization and its business. Most approaches don’t include information gathering, interviews, analysis, or specific, prioritized recommendations that are actionable given your organization’s resources.
Be wary of cybersecurity firms that lack the ability to assess your complete cybersecurity posture.
At Freed Maxick, our cybersecurity team works closely with your team to learn what you do and how you do it, so that we understand the entire picture, not just one area. This is the experience that comes with 60 years of working with organizations.
For more information about our cybersecurity assessments and other related programs and services, please contact Sam DeLucia at 585.360.1405.