Eric has been with GoSecure for over 15 years and has helped build the Advisory Services team in addition to creating its cybersecurity assessment methodology. In this blog, we asked Eric several questions to help provide more insights around cybersecurity assessments and when organizations should seriously consider performing one. As you will see, Eric is very passionate about the value assessments offer organizations in improving their security risk and maturity.
Q: When is the right time for a cybersecurity assessment?
When working with IT security teams, we can always expect there are multiple projects running. The questions we ask include “Why are you investing in that project?” and “Do you know how it will improve your security posture?” If a client has a good understanding of their posture, they will know why that project is important and its impact.
When a client does not have good visibility into their environment, then they will not know how an initiative is going to impact their security posture. This is when an assessment may be important.
Q: What questions should organizations be asking of themselves to determine if an assessment is needed?
It’s important for security teams to be as transparent as possible with themselves when it comes to assessing their security posture. The consequences of not being honest can lead to the one thing you want to avoid – a security incident or breach.
Here are some questions that come to mind:
- Do we know what our current security posture is? Do we have a broad view?
- Have we recently deployed a new system, technology or program?
- How confident are we that our security investments are configured properly and therefore protecting us effectively?
- How confident are we with our remote access strategy?
- How confident are we with our backup security and strategy (for example, if hit with ransomware – are we sure we have a good back up strategy?).
- How capable or confident are we in handling an incident when it occurs?
- How confident are we that our firewall(s) are configured properly?
- When is the last time we tested our firewall configurations? (Here is where security team personnel changes can be a problem. When a person leaves an organization, they take internal knowledge with them. Even if procedures are well documented, things get dropped or miscommunicated so someone new coming in doesn’t know all the configuration details or nuances.)
- Are there any potential M&A activities? Or third-party partners who need to be validated/secured?
Q: What is the difference between an audit and an assessment?
These terms are sometimes used interchangeably, but in reality – they do not mean the same thing.
An audit implies a more exhaustive validation, sampling from controls, compliance with different standards (i.e., GDPR, HIPAA, ISO27001, NIST, etc.). Ultimately, it’s a more extensive project requiring significant internal involvement by the client organization.
An assessment implies a non-exhaustive validation of controls. The depth and duration of the assessment depends on the methodology followed by the service provider and how they interpret standards. When you want to comply to a standard – typically there is a gap in how that standard reads and how it actually translates into real security. Interpreting standards is critical as standards are rarely explicit or prescriptive on the ‘how’ in terms of implementation or configuration.
Here is a list of questions to consider when evaluating a service for the review of your cybersecurity posture:
- Do you want an audit or an assessment?
- Are you comfortable with the level of depth and accuracy of the audit or assessment?
- Are you confident in your service provider’s ability to interpret the standards?
- How much time do you need to invest internally?
- Do you want a report on your apparent posture or the actual situation?
Q: Are there common triggers that could prompt the need for a cybersecurity assessment?
Other triggers could be significant staffing changes, potential M&A activity, a request from the company’s board of directors or a new third-party partnership where an assessment is required.
Q: What is required of the client for a GoSecure CSA? Is there a perception that it is burdensome for clients to conduct an assessment?
Typically, we come in and ask questions that take only a few hours and that is about the extent of the client’s time. If there are one-off questions, we can do this via email if needed.
Other assessment methodologies get bogged down with heavy involvement required of clients. Because we have a deep understanding of security environments and the impacts of threats and vulnerabilities, we are able to minimize client involvement and can get the project moving quickly. Clients are exposed to risk all the time so getting actionable results and findings fast is important to us.
Q: What does your team see most often when conducting an assessment? Are there common gaps?
In Phase 1 of our cybersecurity assessment, we look at governance and security management – how organizations formalize their approach towards Information Security. Basically, how they document how they do security.
In Phase 2, we look at Infrastructure security – how security technologies are implemented and configured in the environment. This is where we validate security controls and often identify security gaps where technological controls do not match organizational strategy. In other words, security solutions which are not providing the expected protections or value. Additionally, subsequent pentesting phases may be part of the assessment to further validate the extent of controls in the environment.
A great example of common gaps is around vulnerability management. Most organizations will document and say they patch everything in their environment every 30 days. When we ask what tools they are using, oftentimes the response is a tool that patches Microsoft operating systems but nothing else, leaving an important gap in regards to other operating systems and third-party applications. In the infrastructure assessment, we find these gaps quite often.
Organizations can have bullet proof policies and procedures but if the operations team is not implementing these rules and policies, it does no good. We see a lot of this with purchased security technologies, especially firewalls where they are not properly configured so their value is diminished.
All of our findings and security gaps are documented in the third phase of the assessment where we compile an extensive report with actionable data and a roadmap to help the security team prioritize their initiatives.
Q: How has the pandemic impacted the security posture of organizations? Have you seen more gaps, vulnerabilities, etc.?
In general, patch management infrastructure is built around users being within the corporate network but with the expansion of the remote workforce, it changed things up. Security teams realized their existing patch management infrastructure wouldn’t work as before.
In addition to that issue, many organizations quickly installed new employee collaboration tools without thorough security due diligence. Employees working from home also open up potential security issues so overall I would say the pandemic definitely impacted the security posture of most companies as it expanded the overall attack surface.
Q: Is there a best practice around the cadence of assessments – how often should a cybersecurity assessment be conducted?
Q: What is the value of doing a GoSecure CSA Essential versus a full CSA?
Our CSA Essential is aligned with the annual Verizon Data Breach Investigations Report that breaks down different industries and lists the areas of specific risk for each. Statistically, these areas should be the most secure and that is what we focus on in the Essential assessment. It’s a quicker analysis that helps compare yourself to peers in the industry and answer “where am I and am I covering the biggest risk areas”.
Q: What should prospective clients be looking for in an assessment provider?
For additional information on GoSecure cybersecurity assessments (CSA), view our recent CSA workshop conducted by Eric where he discusses the value of assessments and our assessment methodology in detail.
Interested in speaking with us with a cybersecurity assessment subject matter expert? Contact us to learn more.
About Eric Rochette
Prior to leading professional services at GoSecure, Mr. Rochette built and led the company’s Advisory team where he managed the delivery of a variety of assessments, audits and security architecture design projects. He started his career as a security analyst having performed a multitude of security solution implementations for private and public sector organizations.
Mr. Rochette holds a degree in Computer Engineering from Montreal’s Polytechnique University.