Cyber Resiliency is the ability to anticipate, protect against, withstand, and recover from adverse conditions, stresses, attacks, and compromises of cyber-enabled business.
If one of your 2023 security goals is to become more cyber resilient, it’s time to consider a cybersecurity assessment if you’re not already conducting one. Regardless of your goals or priorities, regular cybersecurity assessments should be on every organization’s radar because of the value they provide to security teams.
We spoke with Eric Rochette, Senior VP of GoSecure’s Global Services, who has helped hundreds of organizations better understand their security risk and maturity through assessments, and asked him to share his insights and experiences in a Q&A session.
Q: When is the right time for a cybersecurity assessment?
When working with IT security teams, we can always expect there to be multiple projects running. The questions we ask include “Why are you investing in that project?” and “Do you know how it will improve your security posture?” If a client has a good understanding of their posture, they will know why that project is a priority and its intended impact.
When a client does not have good visibility into their environment, then they will not know how an initiative is going to impact their security posture. This is when an assessment is most important.
Q: According to IDC, cybersecurity and recovery investments provide the greatest strategic advantage. How do assessments play a part in cyber resilience?
Assessments are a great starting point for organizations looking to be more cyber resilient because they help in the following ways:
- Identifying critical systems
- Understanding how they are protected
- Understanding the risks these systems are exposed to
- Ensuring there is adequate visibility
- Understanding the importance of critical systems in daily operations
- Determining if a clear plan exists to recover critical systems in the case of an incident
Q: Is it realistic for organizations with limited cybersecurity resources to aspire to cyber resilience? What recommendations would you offer to organizations with limited resources?
That said, like most business initiatives, it is important to understand risks and budgets as well as to prioritize elements of cyber resiliency accordingly.
Q: What role do assessments have in building out a security roadmap?
Q: What questions should organizations be asking of themselves to determine if an assessment is needed?
It’s important for security teams to be as transparent as possible with themselves when it comes to assessing their security posture. The consequences of not being honest can lead to the one thing you want to avoid – a security incident or breach.
Here are some questions that come to mind:
- Do we know what our current security posture is? Do we have a broad view?
- Have we recently deployed a new system, technology or program?
- How confident are we that our security investments are configured properly and therefore protecting us effectively?
- How confident are we with our remote access strategy?
- How confident are we with our backup security and strategy? (For example, if hit with ransomware, are we sure we have a good backup strategy?)
- How capable or confident are we in handling an incident when it occurs?
- How confident are we that our firewall(s) are configured properly?
- When is the last time we tested our firewall configurations? (Here is where security team personnel changes can be a problem. When a person leaves an organization, they take internal knowledge with them. Even if procedures are well documented, things get dropped or miscommunicated so someone new coming in doesn’t know all the configuration details or nuances.)
- Are there any potential M&A activities? Or third-party partners who need to be validated/secured?
Q: What is the difference between an audit and an assessment?
These terms are sometimes used interchangeably, but in reality – they do not mean the same thing.
An audit implies a more exhaustive validation, sampling from controls, compliance with different standards (e.g., GDPR, HIPAA, ISO 27001, NIST, etc.). Ultimately, it’s a more extensive project requiring significant internal involvement by the client organization.
An assessment implies a non-exhaustive validation of controls. The depth and duration of the assessment depend on the methodology followed by the service provider and how they interpret standards. When you want to comply with a standard, typically there is a gap between how that standard reads and how it actually translates into real security. Interpreting standards is critical, as standards are rarely explicit or prescriptive on the ‘how’ in terms of implementation or configuration.
Here is a list of questions to consider when evaluating a service for the review of your cybersecurity posture:
- Do you want an audit or an assessment?
- Are you comfortable with the level of depth and accuracy of the audit or assessment?
- Are you confident in your service provider’s ability to interpret the standards?
- How much time do you need to invest internally?
- Do you want a report on your apparent posture or the actual situation?
Q: What are some common triggers that could prompt the need for a cybersecurity assessment?
Other triggers could be significant staffing changes, potential M&A activity, a request from the company’s board of directors or a new third-party partnership where an assessment is required.
Q: What is required of the client for a GoSecure cybersecurity assessment (CSA)? Is there a perception that it is burdensome for clients to conduct an assessment?
Typically, we come in and ask questions that take only a few hours and that is about the extent of the client’s time. If there are one-off questions, we can engage via email if necessary.
Other assessment methodologies get bogged down with the heavy involvement required of clients. Because we have a deep understanding of security environments and the impacts of threats and vulnerabilities, we can minimize client involvement and can get the project moving quickly. Clients are exposed to risk all the time so getting actionable results and findings fast is important to us.
Q: What does your team see most often when conducting an assessment? Are there common gaps?
In Phase 1 of our cybersecurity assessment, we look at governance and security management – how organizations formalize their approach toward Information Security. Basically, how they document how they do security.
In Phase 2, we look at Infrastructure security – how security technologies are implemented and configured in the environment. This is where we validate security controls and often identify security gaps where technological controls do not match organizational strategy. In other words, security solutions which are not providing the expected protections or value. Additionally, subsequent pen testing phases may be part of the assessment to further validate the extent of controls in the environment.
A great example of common gaps involves vulnerability management. Most organizations will document and say they patch everything in their environment every 30 days. When we ask what tools they are using, oftentimes the response is a tool that patches Microsoft operating systems but nothing else, leaving an important gap in regard to other operating systems and third-party applications. In the infrastructure assessment, we find these gaps quite often.
Organizations can have bulletproof policies and procedures but if the operations team is not implementing these rules and policies, it does no good. We see a lot of this with purchased security technologies, especially firewalls where they are not properly configured so their value is diminished.
All our findings and security gaps are documented in the third phase of the assessment where we compile an extensive report with actionable data and a roadmap to help the security team prioritize their initiatives.
Q: How has the pandemic impacted the security posture of organizations? Have you seen more gaps, vulnerabilities, etc.?
In general, patch management infrastructure is built around users being within the corporate network but the expansion of the remote workforce changed things up. Security teams realized their existing patch management infrastructure wouldn’t work as before.
In addition to that issue, many organizations quickly installed new employee collaboration tools without thorough security due diligence. Employees working from home also tend to open potential security issues, so overall I would say the pandemic definitely impacted the security posture of most companies, as it expanded the overall attack surface.
Over time, many organizations have shifted to a more decentralized model whereby a significant number of their workforce operate remotely from the main offices. As an organization’s cyber landscape changes, and as the global threat landscape changes in turn, it is important that the organization re-evaluate their posture.
Q: Is there a best practice around the cadence of assessments – how often should a cybersecurity assessment be conducted?
Q: What is the value of doing a GoSecure CSA Essentials versus a full CSA?
Our CSA Essentials is aligned with the annual Verizon Data Breach Investigations Report, which breaks down different industries and lists the areas of specific risk for each. Statistically, these areas should be the most secure, and that is what we focus on in the Essentials assessment. It’s a quicker analysis that helps you compare yourself to peers in the industry and answer “where am I, and am I covering the areas of greatest risk?”.
Q: What should prospective clients be looking for in an assessment provider?
Interested in speaking with a cybersecurity assessment subject matter expert? Contact us to learn more.
About Eric Rochette
Prior to leading professional services at GoSecure, Mr. Rochette built and led the company’s Advisory team where he managed the delivery of a variety of assessments, audits and security architecture design projects. He started his career as a security analyst having performed a multitude of security solution implementations for private and public sector organizations.
Mr. Rochette holds a degree in Computer Engineering from Montreal’s Polytechnique University.