Cyber Resiliency is the ability to anticipate, protect against, withstand, and recover from adverse conditions, stresses, attacks, and compromises of cyber-enabled business.

If one of your 2023 security goals is to become more cyber resilient, it’s time to consider a cybersecurity assessment if you’re not already conducting one. Regardless of your goals or priorities, regular cybersecurity assessments should be on every organization’s radar because of the value they provide to security teams.

Cybersecurity Assessment

We spoke with Eric Rochette, Senior VP of GoSecure's Global Services, who has helped hundreds of organizations better understand their security risk and maturity through assessments, and asked him to share his insights and experiences in a Q&A session.


Q: When is the right time for a cybersecurity assessment?

Determining the right time for an assessment is dependent on the abilities of the security team to know and understand their security posture.

When working with IT security teams, we can always expect there to be multiple projects running. The questions we ask include “Why are you investing in that project?” and “Do you know how it will improve your security posture?” If a client has a good understanding of their posture, they will know why that project is a priority and its intended impact.

When a client does not have good visibility into their environment, then they will not know how an initiative is going to impact their security posture. This is when an assessment is most important.

Q: According to IDC, cybersecurity and recovery investments provide the greatest strategic advantage. How do assessments play a part in cyber resilience?

Assessments are a great starting point for organizations looking to be more cyber-resilient because they help in the following ways:

  • Identifying critical systems
  • Understanding how they are protected
  • Understanding the risks these systems are exposed to
  • Ensuring there is adequate visibility
  • Understanding the importance of critical systems in daily operations
  • Determining if a clear plan exists to recover critical systems in the case of an incident

Q: Is it realistic for organizations with limited cybersecurity resources to aspire to cyber resilience? What recommendations would you offer to organizations with limited resources?

Cyber resilience involves cybersecurity resources, but it is an organizational concept, meaning it should involve more than the cybersecurity team. Much like business continuity and risk management, business operations are at stake, so it must involve business stakeholders as well.

That said, like most business initiatives, it is important to understand risks and budgets as well as to prioritize elements of cyber resiliency accordingly.

Q: What role do assessments have in building out a security roadmap?

Assessments allow an organization to understand their current cyber security posture, exposing risks and gaps in relation to industry best practices. With the visibility provided by assessments, organizational stakeholders can make informed decisions on risks and maximize their investments by prioritizing the right projects in their security roadmap.

Q: What questions should organizations be asking of themselves to determine if an assessment is needed?

It’s important for security teams to be as transparent as possible with themselves when it comes to assessing their security posture. The consequences of not being honest can lead to the one thing you want to avoid – a security incident or breach.

Here are some questions that come to mind:

  • Do we know what our current security posture is? Do we have a broad view?
  • Have we recently deployed a new system, technology or program?
  • How confident are we that our security investments are configured properly and therefore protecting us effectively?
  • How confident are we with our remote access strategy?
  • How confident are we with our backup security and strategy (for example, if hit with ransomware, are we sure we have a good backup strategy?).
  • How capable or confident are we in handling an incident when it occurs?
  • How confident are we that our firewall(s) are configured properly?
  • When is the last time we tested our firewall configurations? (Here is where security team personnel changes can be a problem. When a person leaves an organization, they take internal knowledge with them. Even if procedures are well documented, things get dropped or miscommunicated so someone new coming in doesn’t know all the configuration details or nuances.)
  • Are there any potential M&A activities? Or third-party partners who need to be validated/secured?

If you are unable to answer these questions or are not confident in your current security posture, an assessment will be of value.
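Two of the questions above concern whether the firewall rule base is actually configured the way the team believes it is. The script below is an added example, not code from the original post or from GoSecure: it lints a small, constructed (hypothetical) rule base for the findings an assessor typically looks for, namely allow rules open to any source on administrative or database ports, unrestricted outbound rules, allow rules with no documented justification, and rules that are shadowed by an earlier, broader rule and therefore never evaluated under first-match processing. The rule fields, the RISKY_PORTS set and the sample rules are all assumptions for the example.

```python
"""Lint a firewall rule base for the kinds of findings an assessment looks for.

Rules are evaluated first-match, top to bottom, like most firewalls.
The rule list below is constructed for this example; it is not taken
from any real device.
"""
from ipaddress import ip_network

ANY = "0.0.0.0/0"

# Constructed sample rule base (hypothetical). Rule 3 is the classic
# "temporary" rule that was never removed.
RULES = [
    {"id": 1, "action": "allow", "src": "10.0.0.0/8",  "dst": "10.20.0.10/32", "proto": "tcp", "port": 443,   "comment": "intranet to app"},
    {"id": 2, "action": "allow", "src": ANY,           "dst": "10.20.0.20/32", "proto": "tcp", "port": 3389,  "comment": ""},
    {"id": 3, "action": "allow", "src": "10.0.0.0/8",  "dst": ANY,             "proto": "any", "port": "any", "comment": "temporary - remove"},
    {"id": 4, "action": "allow", "src": "10.1.0.0/16", "dst": "10.20.0.30/32", "proto": "tcp", "port": 22,    "comment": "jump host"},
    {"id": 5, "action": "deny",  "src": ANY,           "dst": ANY,             "proto": "any", "port": "any", "comment": "default deny"},
]

# Ports that should never be reachable from an unrestricted source (assumed list)
RISKY_PORTS = {22, 23, 3389, 445, 1433, 3306, 5900}


def _covers(broad, narrow):
    """True when `broad` matches every packet that `narrow` matches."""
    if not ip_network(narrow["src"]).subnet_of(ip_network(broad["src"])):
        return False
    if not ip_network(narrow["dst"]).subnet_of(ip_network(broad["dst"])):
        return False
    if broad["proto"] not in ("any", narrow["proto"]):
        return False
    if broad["port"] not in ("any", narrow["port"]):
        return False
    return True


def lint_rules(rules):
    """Return a list of (rule_id, finding) tuples for the given rule base."""
    findings = []
    for i, rule in enumerate(rules):
        rid = rule["id"]
        if rule["action"] == "allow":
            if rule["src"] == ANY and rule["dst"] == ANY:
                findings.append((rid, "allow any->any"))
            if rule["src"] == ANY and rule["port"] in RISKY_PORTS:
                findings.append((rid, f"admin/db port {rule['port']} open to any source"))
            if rule["dst"] == ANY and rule["port"] == "any":
                findings.append((rid, "unrestricted outbound (any protocol/port)"))
            if not rule["comment"].strip():
                findings.append((rid, "allow rule has no justification comment"))
        # Shadowing: an earlier rule already matches everything this rule matches,
        # so under first-match this rule is dead. Action is irrelevant: a shadowed
        # deny is just as much a problem as a shadowed allow.
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rid, f"shadowed by rule {earlier['id']} (never evaluated)"))
                break
    return findings


if __name__ == "__main__":
    for rule_id, finding in lint_rules(RULES):
        print(f"rule {rule_id}: {finding}")
```

On the sample rule base the linter reports that rule 2 exposes RDP to any source and carries no justification, that rule 3 is an unrestricted outbound allow, and that the tightly scoped jump-host rule 4 is shadowed by rule 3, so the intended restriction never takes effect. That last case is exactly the "documented intent versus actual behaviour" gap an assessment is meant to surface; the rule is present and looks correct in isolation, but the device never reaches it.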

Q: What is the difference between an audit and an assessment?

These terms are sometimes used interchangeably, but in reality – they do not mean the same thing.

An audit implies a more exhaustive validation, sampling from controls, compliance with different standards (e.g., GDPR, HIPAA, ISO27001, NIST, etc.). Ultimately, it's a more extensive project requiring significant internal involvement by the client organization.

An assessment implies a non-exhaustive validation of controls. The depth and duration of the assessment depends on the methodology followed by the service provider and how they interpret standards. When you want to comply with a standard, typically there is a gap between how that standard reads and how it actually translates into real security. Interpreting standards is critical as standards are rarely explicit or prescriptive on the 'how' in terms of implementation or configuration.

Here is a list of questions to consider when evaluating a service for the review of your cybersecurity posture:

  1. Do you want an audit or an assessment?
  2. Are you comfortable with the level of depth and accuracy of the audit or assessment?
  3. Are you confident in your service provider’s ability to interpret the standards?
  4. How much time do you need to invest internally?
  5. Do you want a report on your apparent posture or the actual situation?

Q: What are some common triggers that could prompt the need for a cybersecurity assessment?

We’ve seen many instances where a new CISO or someone accountable to security comes in and wants to better understand their posture. A cybersecurity assessment will not only help them identify security gaps or potential deficiencies but will also help in prioritizing their security roadmap.

Other triggers could be significant staffing changes, potential M&A activity, a request from the company’s board of directors or a new third-party partnership where an assessment is required.

Q: What is required of the client for a GoSecure cybersecurity assessment (CSA)? Is there a perception that it is burdensome for clients to conduct an assessment?

We recognize clients are overloaded, so at GoSecure, we try to minimize the client’s time, and our methodology is built to support this approach.

Typically, we come in and ask questions that take only a few hours and that is about the extent of the client’s time. If there are one-off questions, we can engage via email if necessary.

Other assessment methodologies get bogged down with the heavy involvement required of clients. Because we have a deep understanding of security environments and the impacts of threats and vulnerabilities, we can minimize client involvement and can get the project moving quickly. Clients are exposed to risk all the time so getting actionable results and findings fast is important to us.

Q: What does your team see most often when conducting an assessment? Are there common gaps?

We have found that an organization’s formal vision rarely matches up with reality. What an organization intends to do in terms of security, what’s documented versus what is actually in place is often very different.

In Phase 1 of our cybersecurity assessment, we look at governance and security management – how organizations formalize their approach toward Information Security. Basically, how they document how they do security.

In Phase 2, we look at Infrastructure security – how security technologies are implemented and configured in the environment. This is where we validate security controls and often identify security gaps where technological controls do not match organizational strategy. In other words, security solutions which are not providing the expected protections or value. Additionally, subsequent pen testing phases may be part of the assessment to further validate the extent of controls in the environment.

A great example of common gaps involves vulnerability management. Most organizations will document and say they patch everything in their environment every 30 days. When we ask what tools they are using, oftentimes the response is a tool that patches Microsoft operating systems but nothing else, leaving an important gap in regard to other operating systems and third-party applications. In the infrastructure assessment, we find these gaps quite often.

Organizations can have bulletproof policies and procedures but if the operations team is not implementing these rules and policies, it does no good. We see a lot of this with purchased security technologies, especially firewalls where they are not properly configured so their value is diminished.

All our findings and security gaps are documented in the third phase of the assessment where we compile an extensive report with actionable data and a roadmap to help the security team prioritize their initiatives.
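The vulnerability management gap described above (a documented 30-day patch cadence, but tooling that only manages Microsoft operating systems) is straightforward to measure once you put the policy, the tool's scope and the software inventory side by side. The script below is an added example and is not GoSecure's assessment methodology or code: it takes a constructed (hypothetical) inventory of installed products with the date each was last patched, the set of products the patch tool is actually configured to manage, and the documented SLA, and classifies every entry as unmanaged, in breach of the SLA, or within it. The product names, dates and the TOOL_SCOPE set are assumptions made up for the example; in practice they would be exported from the CMDB and the patch tool.

```python
"""Check a documented patch SLA against what the patch tooling actually covers.

Inventory and tool scope below are constructed for this example (hypothetical);
in practice you would export them from the CMDB and the patch management tool.
"""
from datetime import date

DOCUMENTED_SLA_DAYS = 30            # what the policy document says
ASSESSMENT_DATE = date(2023, 3, 1)  # constructed reference date for the check

# Products the patching tool is actually configured to manage (constructed).
# This is the common case from the text: Microsoft only, nothing else.
TOOL_SCOPE = {"Microsoft Windows", "Microsoft Office"}

# Constructed software inventory: (host, product, date last patch was applied)
INVENTORY = [
    ("ws-01",   "Microsoft Windows",     date(2023, 2, 20)),
    ("ws-01",   "Microsoft Office",      date(2023, 2, 20)),
    ("ws-01",   "Adobe Acrobat Reader",  date(2022, 9, 5)),
    ("ws-01",   "Google Chrome",         date(2023, 1, 12)),
    ("srv-db",  "Ubuntu Linux",          date(2022, 11, 30)),
    ("srv-db",  "PostgreSQL",            date(2022, 11, 30)),
    ("srv-app", "Microsoft Windows",     date(2023, 1, 10)),
    ("srv-app", "Java Runtime",          date(2022, 6, 1)),
]


def classify(entry, scope=TOOL_SCOPE, today=ASSESSMENT_DATE, sla_days=DOCUMENTED_SLA_DAYS):
    """Classify one inventory entry against the tool's scope and the SLA."""
    host, product, last_patch = entry
    age = (today - last_patch).days
    if product not in scope:
        status = "unmanaged"   # nothing patches this, whatever the policy says
    elif age > sla_days:
        status = "sla_breach"  # managed, but the tool is not keeping up
    else:
        status = "ok"
    return {"host": host, "product": product, "age_days": age, "status": status}


def coverage_report(inventory=INVENTORY, **kw):
    """Summarise how much of the inventory the documented SLA actually applies to."""
    rows = [classify(e, **kw) for e in inventory]
    total = len(rows)
    managed = sum(r["status"] != "unmanaged" for r in rows)
    within = sum(r["status"] == "ok" for r in rows)
    return {
        "rows": rows,
        "managed_pct": round(100 * managed / total, 1),
        "within_sla_pct": round(100 * within / total, 1),
        "unmanaged_products": sorted({r["product"] for r in rows if r["status"] == "unmanaged"}),
    }


if __name__ == "__main__":
    report = coverage_report()
    print(f"managed by tooling: {report['managed_pct']}% of inventory")
    print(f"within documented {DOCUMENTED_SLA_DAYS}-day SLA: {report['within_sla_pct']}%")
    print("unmanaged products:", ", ".join(report["unmanaged_products"]))
    for r in report["rows"]:
        if r["status"] != "ok":
            print(f"  {r['host']:8} {r['product']:22} {r['age_days']:4}d  {r['status']}")
```

On the constructed data the organization can truthfully say its tool patches Windows within 30 days on most hosts, yet only 37.5% of the inventory is managed at all and only 25% is within the documented SLA; the Linux server, the database and every third-party desktop application fall outside the tool's scope, and one managed Windows host is itself 50 days out. Running this kind of check against the real inventory is how the "we patch everything every 30 days" statement gets tested rather than accepted.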

Q: How has the pandemic impacted the security posture of organizations? Have you seen more gaps, vulnerabilities, etc.?

Early on in the pandemic, it was brutal. Clients were scrambling to get everyone working remotely. Strategic projects were de-prioritized or put on hold. Everything was about enabling remote access.

In general, patch management infrastructure is built around users being within the corporate network but the expansion of the remote workforce changed things up. Security teams realized their existing patch management infrastructure wouldn’t work as before.

In addition to that issue, many organizations quickly installed new employee collaboration tools without thorough security due diligence. Employees working from home also tend to open potential security issues, so overall I would say the pandemic definitely impacted the security posture of most companies as it expanded the overall attack surface.

Over time, many organizations have shifted to a more decentralized model whereby a significant number of their workforce operate remotely from the main offices. As an organization’s cyber landscape changes, and as the global threat landscape changes in turn, it is important that the organization re-evaluate their posture.

Q: Is there a best practice around the cadence of assessments – how often should a cybersecurity assessment be conducted?

It is good practice to perform an assessment at least every 2-3 years to ensure proper policies and procedures are in place. Some companies may do more to meet an internal or compliance requirement or to validate they've achieved the expected outcomes associated with implementations from previous assessments.

Q: What is the value of doing a GoSecure CSA Essentials versus a full CSA?

The value of a GoSecure CSA Essentials assessment is that it is a more streamlined and budget-friendly assessment tailored specifically to an industry. The overall scope and time frame are limited compared to a full assessment.

Our CSA Essentials is aligned with the annual Verizon Data Breach Investigations Report, which breaks down different industries and lists the areas of specific risk for each. Statistically, these areas should be the most secure and that is what we focus on in the Essentials assessment. It's a quicker analysis that helps you compare yourself to peers in the industry and answer "where am I, and am I covering the areas of greatest risk?".

Q: What should prospective clients be looking for in an assessment provider?

A third-party assessor should be well-versed and experienced in translating cybersecurity best practices into real-life security. For example, it’s easy to say you have or you need a Firewall, a SIEM, or DLP solution – but it’s much harder to determine whether that solution is actually contributing to your organizational cybersecurity. Is it configured properly and with the required processes to support it? This knowledge comes from years of experience and hard-earned expertise, so you will want to really vet that out with any assessment provider.

For additional information on GoSecure cybersecurity assessments (CSA), view our recent CSA workshop conducted by Eric, where he discusses the value of assessments and our assessment methodology in detail.

Interested in speaking with a cybersecurity assessment subject matter expert? Contact us to learn more.

About Eric Rochette

Mr. Rochette brings over 15 years of experience in information security and currently serves as Senior Vice President of Global Services for the company. Over the last few years he has led the company’s professional services, which includes offerings in advisory, pentesting and operational services. With a background in information security risk assessments, cybersecurity assessment and security architecture, his strong experience in service delivery has allowed him to help structure, organize and improve the organization’s offerings and ensure the delivery of high-value services. In addition, he has served as a security advisor to numerous boards in need of strategic guidance in cybersecurity.

Prior to leading professional services at GoSecure, Mr. Rochette built and led the company’s Advisory team where he managed the delivery of a variety of assessments, audits and security architecture design projects. He started his career as a security analyst having performed a multitude of security solution implementations for private and public sector organizations.

Mr. Rochette holds a degree in Computer Engineering from Montreal’s Polytechnique University.
