Eric has been with GoSecure for over 15 years and has helped build the Advisory Services team in addition to creating its cybersecurity assessment methodology. In this blog, we asked Eric several questions to help provide more insights around cybersecurity assessments and when organizations should seriously consider performing one. As you will see, Eric is very passionate about the value assessments offer organizations in improving their security risk and maturity.

Eric Rochette

Q: When is the right time for a cybersecurity assessment?

Knowing when the right time for an assessment is depends on the security team's ability to know its own security posture.

When working with IT security teams, we can always expect there are multiple projects running. The questions we ask include “Why are you investing in that project?” and “Do you know how it will improve your security posture?” If a client has a good understanding of their posture, they will know why that project is important and its impact.

When a client does not have good visibility into their environment, then they will not know how an initiative is going to impact their security posture. This is when an assessment may be important.

Q: What questions should organizations be asking of themselves to determine if an assessment is needed?

It’s important for security teams to be as transparent as possible with themselves when it comes to assessing their security posture. The consequences of not being honest can lead to the one thing you want to avoid – a security incident or breach.

Here are some questions that come to mind:

  • Do we know what our current security posture is? Do we have a broad view?
  • Have we recently deployed a new system, technology or program?
  • How confident are we that our security investments are configured properly and therefore protecting us effectively?
  • How confident are we with our remote access strategy?
  • How confident are we with our backup security and strategy? (For example, if hit with ransomware, are we sure we have a good backup strategy?)
  • How capable or confident are we in handling an incident when it occurs?
  • How confident are we that our firewall(s) are configured properly?
  • When is the last time we tested our firewall configurations? (Here is where security team personnel changes can be a problem. When a person leaves an organization, they take internal knowledge with them. Even if procedures are well documented, things get dropped or miscommunicated so someone new coming in doesn’t know all the configuration details or nuances.)
  • Are there any potential M&A activities? Or third-party partners who need to be validated/secured?

If you are unable to answer these questions or are not confident in your current security posture, an assessment will be of value.

Q: What is the difference between an audit and an assessment?

These terms are sometimes used interchangeably, but in reality – they do not mean the same thing.

An audit implies a more exhaustive validation, sampling from controls, compliance with different standards (i.e., GDPR, HIPAA, ISO27001, NIST, etc.). Ultimately, it’s a more extensive project requiring significant internal involvement by the client organization.

An assessment implies a non-exhaustive validation of controls. The depth and duration of the assessment depend on the methodology followed by the service provider and how they interpret standards. When you want to comply with a standard, typically there is a gap between how that standard reads and how it actually translates into real security. Interpreting standards is critical, as standards are rarely explicit or prescriptive on the ‘how’ in terms of implementation or configuration.

Here is a list of questions to consider when evaluating a service for the review of your cybersecurity posture:

  1. Do you want an audit or an assessment?
  2. Are you comfortable with the level of depth and accuracy of the audit or assessment?
  3. Are you confident in your service provider’s ability to interpret the standards?
  4. How much time do you need to invest internally?
  5. Do you want a report on your apparent posture or the actual situation?

Q: Are there common triggers that could prompt the need for a cybersecurity assessment?

We’ve seen many instances where a new CISO or someone accountable to security comes in and wants to better understand their posture. A cybersecurity assessment will not only help them identify security gaps but will also help in prioritizing their security roadmap.

Other triggers could be significant staffing changes, potential M&A activity, a request from the company’s board of directors or a new third-party partnership where an assessment is required.

Q: What is required of the client for a GoSecure CSA? Is there a perception that it is burdensome for clients to conduct an assessment?

We recognize clients are already overloaded so at GoSecure, we really try to minimize the time required of the client and our methodology is built to support this.

Typically, we come in and ask questions that take only a few hours and that is about the extent of the client’s time. If there are one-off questions, we can do this via email if needed.

Other assessment methodologies get bogged down with heavy involvement required of clients. Because we have a deep understanding of security environments and the impacts of threats and vulnerabilities, we are able to minimize client involvement and can get the project moving quickly. Clients are exposed to risk all the time so getting actionable results and findings fast is important to us.

Q: What does your team see most often when conducting an assessment? Are there common gaps?

We have found that an organization’s formal vision rarely matches up with reality. What an organization intends to do in terms of security and what’s documented is different from what is actually in place.

In Phase 1 of our cybersecurity assessment, we look at governance and security management – how organizations formalize their approach towards Information Security. Basically, how they document how they do security.

In Phase 2, we look at Infrastructure security – how security technologies are implemented and configured in the environment. This is where we validate security controls and often identify security gaps where technological controls do not match organizational strategy. In other words, security solutions which are not providing the expected protections or value. Additionally, subsequent pentesting phases may be part of the assessment to further validate the extent of controls in the environment.

A great example of common gaps is around vulnerability management. Most organizations will document and say they patch everything in their environment every 30 days. When we ask what tools they are using, oftentimes the response is a tool that patches Microsoft operating systems but nothing else, leaving an important gap in regards to other operating systems and third-party applications. In the infrastructure assessment, we find these gaps quite often.

Organizations can have bulletproof policies and procedures, but if the operations team is not implementing these rules and policies, it does no good. We see a lot of this with purchased security technologies, especially firewalls that are not properly configured, so their value is diminished.

All of our findings and security gaps are documented in the third phase of the assessment where we compile an extensive report with actionable data and a roadmap to help the security team prioritize their initiatives.

Q: How has the pandemic impacted the security posture of organizations? Have you seen more gaps, vulnerabilities, etc.?

Early on in the pandemic it was brutal. Clients were scrambling to get everyone working remotely. Strategic projects were de-prioritized or put on hold. Everything was about enabling remote access.

In general, patch management infrastructure is built around users being within the corporate network but with the expansion of the remote workforce, it changed things up. Security teams realized their existing patch management infrastructure wouldn’t work as before.

In addition to that issue, many organizations quickly installed new employee collaboration tools without thorough security due diligence. Employees working from home also open up potential security issues so overall I would say the pandemic definitely impacted the security posture of most companies as it expanded the overall attack surface.

Q: Is there a best practice around the cadence of assessments – how often should a cybersecurity assessment be conducted?

It is a good best practice to perform an assessment at least every 2-3 years to ensure proper policies and procedures are in place. Some companies may do more as an internal checkbox or to validate their implementation of findings from a previous assessment.

Q: What is the value of doing a GoSecure CSA Essential versus a full CSA?

The value of a GoSecure CSA Essential assessment is a more streamlined and budget-friendly assessment tailored specifically to an industry. The overall scope and time frame are limited compared to a full assessment.

Our CSA Essential is aligned with the annual Verizon Data Breach Investigations Report, which breaks down different industries and lists the areas of specific risk for each. Statistically, these areas should be the most secure, and that is what we focus on in the Essential assessment. It’s a quicker analysis that helps you compare yourself to peers in the industry and answer “where am I, and am I covering the biggest risk areas?”

Q: What should prospective clients be looking for in an assessment provider?

A third-party assessor should be well versed and experienced in translating cybersecurity best practices into real life security. For example, it’s easy to say you have or you need a Firewall, a SIEM, or DLP solution – but how is that particular solution actually contributing to your organizational cybersecurity? Is it configured properly and with processes around it? This knowledge comes from years of vast experience so you will want to really vet that out with any assessment provider.

For additional information on GoSecure cybersecurity assessments (CSA), view our recent CSA workshop conducted by Eric where he discusses the value of assessments and our assessment methodology in detail.

Interested in speaking with a cybersecurity assessment subject matter expert? Contact us to learn more.

About Eric Rochette

Mr. Rochette brings over 15 years of experience in information security and currently serves as Senior Vice President of Global Services for the company. Over the last few years he has led the company’s professional services, which includes offerings in advisory, pentesting and operational services. With a background in information security risk assessments, cybersecurity assessment and security architecture, his strong experience in service delivery has allowed him to help structure, organize and improve the organization’s offerings and ensure the delivery of high-value services. In addition, he has served as a security advisor to numerous boards in need of strategic guidance in cybersecurity.

Prior to leading professional services at GoSecure, Mr. Rochette built and led the company’s Advisory team where he managed the delivery of a variety of assessments, audits and security architecture design projects. He started his career as a security analyst having performed a multitude of security solution implementations for private and public sector organizations.

Mr. Rochette holds a degree in Computer Engineering from Montreal’s Polytechnique University.
