Three essential cyber security considerations - from an assessor
Doing some early and honest thinking around your cyber security framework assessment means you will get the answers that are right for your business
In my time as a Senior Security Assessor, I’ve run various organisations through many frameworks and I’m not looking for the right answers only - I’m looking at what the right answer looks like for any given organisation, without a pass/fail result.
Assessment v Audit
So, what’s the difference?
This understanding is crucial as an assessment requires honesty… even when a Safeguard has what would appear to be great controls in place, if the team utilising the tool doesn’t have the time to maximise its capabilities, or they don’t think the tool is the best fit, I need to know.
In an audit, we may well take this control as acceptable for the purpose of securing a passing grade. In an assessment however, we don’t need to because we want to utilise this data to reflect not only what the current security posture looks like, but also help support the IT teams in getting the correct eyes on what needs to be done going forward.
Three common themes from assessments
Over many assessments you start to spot many trends, below are my top three:
1. Great ideas, not enough resources – This is two in one! I speak to so many amazing people and teams that have so much vision for what they want to do to improve their organisation's posture. They have so much passion for their work and desire to make sure they’ve done everything to put their employer in the best position from a security perspective.
But what they don’t have is enough resources. When I say this, I don’t just mean technology, I’m talking time, people, buy-in and support. All this potential can get buried and the focus becomes on the recurring phrase, that I may soon get tattooed to my forearm, ‘keeping the lights on’.
2. User Awareness Training – I feel I could write a whole blog just on this one control. Many organisations seem to understand how important it is that the workforce receive regular training, with a fair few moving away from the dreary classroom-styled training, onboarding only, and quickly deleted training emails.
Organisations are adopting data-rich approaches, presented in a shorter and more gamified manner, thus being more memorable and digestible. However, so many organisations still do very little here, users are often the first and last line of defence, and many don’t even seem to know what they would do if they spotted a phishing email. Some would delete it -which is great but as an organisation this information is useful and ideally, we want users sending this to our IT team. And that’s just phishing, very rarely do we hear about training being provided to help prevent a physical breach. Most people are naturally friendly in a work environment and want to help, but this can be a negative if we’re kindly leading a person with malicious intent into our office.
There is so much more to this, but the long and short is user awareness tools should be explored, especially where resource and time restraints exist. There is an ever-growing number of tools available on the market, that once set up can require little management. All the fancy tools and controls can be in place, but even some basic user training can go a very long way and keeps everyone accountable.
3. Service providers – You can probably start to see how all the areas so far can connect. Service providers exist for many reasons, to help add extra resources where there may be gaps internally, and it’s just how many products are managed these days in the world of various ‘as-a-service (AAS)’ offerings. These are great tools, but consideration is required, where company data is relevant.
However, for assessments done using Center for Internet Security Version 8 framework at Softcat, the average score for Service Provider Management across 150 customers is <30/100, which would fall under our ‘non-compliant’ category. Here, at a minimum, what I like to hear is the organisation has an inventory of their providers, from there ideally, we start to flesh this out with details like what service they provide, key contacts, ideally with onboarding, and decommissioning processes, classification and regular reviews.
Many other areas have taken the limelight, but on average, security surrounding service providers needs some love.
These are only a few considerations, and I’ve barely scratched the surface. There is much more, but overall, I think the key takeaway is an organisation often doesn’t seem to realise, IT’S NOT JUST YOU. So many have similar or the same issues, often associated with resources but the correct buy-in which we’ve only lightly touched on.