This blog walks cybersecurity professionals through the logical steps to create a practical and actionable cybersecurity strategy.
It’s impossible to figure out how to get to where you’re going without knowing where you’re starting from. You must have a crystal-clear understanding of your organization’s current cybersecurity capabilities; what you have and what you do not. Addressing the identified gaps in your capabilities – within the context of your organization’s priorities and objectives – is a fundamental goal of the cybersecurity strategy.
Every organization should regularly conduct a cybersecurity capability assessment to establish where it currently stands and identify any gaps that need to be addressed. The assessment should be comprehensive in nature and encompass not only the technical, but operational and tactical capabilities as well.
Side Note
While having a Configuration Management Database (CMDB) deployed for asset management is a notable attainment, what’s more important is what you are doing with it. Is it working within the context of a formally established Asset Management Program with Key Performance Indicators (KPIs)? Are there policies directing registration of assets? If so, what assets are registered? Hardware? Virtual? Software? Data? Is the CMDB integrated with the Change Management and Incident Management Systems respectively? Is there operational guidance in place for its ongoing use and management? The list goes on.
The cybersecurity capability assessment can be lengthy and involved, but its critical importance can’t be understated. Knowing where to focus your attention in maturing the organization’s information security function will be a major factor in whether you succeed or fail in making that function better.
When considering a cybersecurity assessment, here are some things to think about.
Fitting Within a Framework
While it isn’t strictly necessary to conduct a cybersecurity assessment in alignment with any existing cybersecurity framework (e.g., NIST CSF, COBIT or ISO 27001), structuring it within the context of a known framework makes the methodology and results easier to communicate and be understood by others in the field or familiar with cybersecurity. Also, the gaps and associated recommendations are framed within this structure, making the resulting remediations easier to assign and plan.
Most times, the information security function will have already settled on a particular cybersecurity framework as a frame of reference. If that’s the case, stick with it for the assessment. If the organization has not yet adopted a specific cybersecurity framework, choose the one which best fits with the organization’s operational model.
Side Note
Within the U.S. and Canada, most organizations in the public and private sectors adhere to the NIST Cybersecurity Framework. The COBIT and ISO 27001 frameworks are popular in Europe and around the globe. There are others and each all have their own pros and cons.
Assess What You Can Control
When conducting a cybersecurity assessment, be sure to understand the scope of the effort. Restrict yourself to assessing only those areas which are either under the direct control of the information security function or can be controlled or influenced through partnership with other areas of organization. Many public agencies, for example, have rigidly defined administrative boundaries and there is no point to assessing those agencies where you have no jurisdiction. Similarly, many global private organizations have separate legal operations that are self-governing. These will often have their own Information technology function.
Prior to engaging in an assessment, make sure you have worked out how extensive it will be and who from around the organization will be involved.
The Outside Perspective
Can you trust a self-assessment, or do you think it best to bring in an outside agency? That can be a tough question but, the truth of the matter is, very few organizations have an information security function with people 1) skilled in conducting thorough cybersecurity assessments or 2) with bandwidth to do them.
Two benefits of bringing in an outside agency are 1) neutrality and 2) expertise and experience. An outside agency has likely performed multiple assessments across a number of industries and can bring much needed perspective to the assessment. They may not be as familiar with your environment as you are but that is actually a good thing as they are also not as emotionally invested in it as you are. And, frankly, their job is to learn as much as they can from the organization about its information security function from the ground up. So, a blank slate is a good place to start from.
Side Note
A thorough cybersecurity assessment should entail face-to-face discoveries with relevant staff and management, possibly with technical reviews and the reviews of relevant documents, where appropriate. It is an intensely collaborative, immersive, and potentially lengthy experience. Be wary of some providers whose “assessments” consist merely of a questionnaire sent to the stakeholders which they’re asked to fill out and mail back for analysis. Other providers may conduct the assessment remotely with minimal interaction with staff and management.
Just make sure you know what you’re going to get for your money. For example, how do they conduct the assessment (e.g., what do they look at)? How interactive is it? What is/are the final product(s)? Assessments can be valuable if they’re done properly: with collaboration and partnership.
It’s All About the Roadmap
What good is an assessment without recommendations to address the gaps identified? The recommendations must be framed as actionable and reasonable activities that will provide tangible results. Optimally, the recommendations should be in the form of a structured roadmap that provides – at the very least – the following features:
- The recommended activities are clearly articulated as initiatives or projects with specific goals.
- The recommended initiatives and projects are directly linked to the gaps they are intended to address. Note: There is rarely a one-to-one alignment of recommendation to gap. Many single initiatives for example can address multiple gaps (or vice versa).
- The recommended activities are prioritized (i.e., both in terms of their direct criticality and according to the organization’s goals and objectives) and include estimated costs and duration.
- The roadmap presents a timeline wherein the component initiatives and projects are laid out in chronological order and with dependencies.
Most importantly, the roadmap must be laid out in a way that makes it realistically achievable to the organization. The recommendations must be doable, either with existing resources or through the addition of outside assistance. The idea, after all, is to be able to do something about those gaps.
Side Note
Be sure to also set up a Risk Registry to document gaps and risks that either did not make it into the roadmap (e.g., they were considered acceptable) or are discovered while executing the roadmap. These can be addressed as appropriate during a revision to the roadmap or during the next assessment and iteration of the roadmap.
The Question of Maturity
For some organizations, it’s not enough to understand where you stand and what gaps need to be addressed. For numerous reasons (e.g., budget, KPIs, policy), a few organizations will want to know how mature they are. This will typically entail a numerical score against their established cybersecurity framework.
It’s important to remember that many established frameworks are not intended to act as a maturity framework. This transforms the objective of the assessment from determining whether you are doing something to how well you are doing it. So, existing maturity models therefore must be leveraged and adapted in order to have some commonly accepted measurement criteria. Some assessment methods for example may use the Capability Maturity Model Integration (CMMI) model while others may use Program Review for Information Security Assistance (PRISMA) to determine maturity based on the NIST Cybersecurity Framework.
Side Note
When considering whether to determine your level of maturity in terms of your cybersecurity posture, remember this: just being able to adequately address all of the requirements of a cybersecurity framework (e.g., the 23 Categories of the five NIST Cybersecurity Framework functions) would indicate a very respectable level of maturity already.
My advice is to be careful when looking to understand your maturity. Be sure to set a benchmark for the desired level of maturity for the various cybersecurity framework control areas that is appropriate for your business/industry. Not every organization should strive for 5-out-of-5 for every cybersecurity framework category. Nor should it. That would be prohibitively expensive and drastically overshoot what the organization may deem “Acceptable Risk Levels”.
Using assessments to determine maturity is not perfect and, though they may try to be as objective and empirical as possible, determining the “maturity” of the organization’s information security function is not an exact science. It will entail a great deal of subjective input and should require some back-and-forth between the assessor and the client organization to ensure agreement on the results. If you’re OK with that, then you’re good to go.
One final thought: a cybersecurity assessment should never be used to cast judgement or to lay blame. No one will trust them, and you will never get honest answers or data. It should fundamentally be viewed as an objective, benign instrument intended to plant a stake in the ground saying, “Here is where we are” and look forward to the future and where you want to go.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step Three – Who Goes There? (Understanding the Current and Projected Threat Landscape).
Special thanks to Justin Yost and Michael Howard for their contributions to this post.
Eric's Cyber Blog 