Security assessments should be part of any company's security program. At a high level, they measure a company's security posture against industry best practices, compliance requirements and industry frameworks. An assessment takes into consideration factors such as open ports, patch management, anti-virus updates, encryption strength, and password policies. Guidelines and standards for security assessments are published by organizations such as the National Institute of Standards and Technology (NIST), the SANS Institute and the PCI Security Standards Council.
An assessment identifies vulnerabilities and measures the effectiveness of the organization's controls. It can also determine risk, which is the potential for loss if a vulnerability is exploited, taking into account both how likely exploitation is and how much damage it would cause. Some vulnerabilities therefore pose minimal or no risk to the company. Following an assessment, a summary report is provided to the client detailing the findings and remediation recommendations. The company can then make decisions based on its business priorities, the level of risk, and the cost of mitigation.
There are several types of security assessments, and each has a different goal. They include:
- Vulnerability Assessment – Identifies and catalogs weaknesses that could be exploited, typically without attempting to exploit them
- Risk Assessment – Quantifies risk and potential loss based on asset value, the likelihood of a threat, and the impact if it occurs
- Compliance Assessment – Confirms compliance with required standards, such as HIPAA or PCI DSS
- Penetration Testing – Simulates an internal or external attacker against the company's network, actively exploiting weaknesses to demonstrate what an attacker could actually achieve
The benefits to an organization and to the CISO include:
- A security assessment ensures that you are aware of security risks within your environment. This is the most obvious and direct benefit. You can’t fix a problem if you don’t know it exists.
- If you are a new security officer, an initial assessment will provide a snapshot of any vulnerabilities that you might have "inherited" upon starting your position. This matters because you will then be able to document and track the security issues that are resolved (and not created) on your watch. The value of this baseline diminishes the longer you wait to complete an initial assessment.
- Assessments can help to document the progress being made to protect the company. A challenge faced by many CISOs is documenting the value that they provide. For example, it is difficult to measure the impact of a breach that was prevented. Value can be highlighted by tracking the remediation accomplishments since a previous assessment.
- Due diligence. Due diligence is the effort a company makes to avoid harm, judged by the standard of what a reasonable person would do. If your company encounters a security breach, its legal exposure and financial penalties can be affected by the due diligence you have shown in defending against threats. A security risk assessment is the first step in showing due diligence. The second step is making a documented effort to address the vulnerabilities that were found.
- Required for compliance. Some industries require security assessments as a condition of compliance. The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), which requires covered entities to conduct a risk analysis, is one example.
Even though there are numerous benefits to conducting a security assessment, many times they are not prioritized within an organization. Below are a few reasons why:
- Time and money. Security assessments are not free. The cost is based on the complexity of the environment, the scope of the assessment and the length of the engagement. Some assessments can be completed within a day. The good news is that any engagement requires an up-front agreement on scope and cost, so there should be no surprises. These costs should be weighed against the costs of a breach, which can include legal expenses, lost data, recovery efforts, penalties, business disruption and damaged reputation.
- A security breach would have minimal business impact. This would apply if your company could easily withstand a security breach resulting in data loss, a ransomware attack or service disruption. Not many companies would place themselves in this category.
- Leveraging the cloud. Some companies are under the false impression that if their storage and applications are cloud-based, then there is no need for assessments. Cloud providers operate on a shared responsibility model: the provider secures the underlying infrastructure, but the customer remains responsible for how it configures its services, manages identities and access, and protects its data. Due diligence extends to the cloud, and ensuring the appropriate protections are in place is the company's responsibility.
- Security assessment was completed a few years ago. With constant changes to a company’s network, personnel and policies, new vulnerabilities can be introduced at any time. A security assessment should be completed periodically – perhaps annually, or when significant changes occur. It should be viewed as critical, routine maintenance - much like an oil change for your car.
While these considerations might be common sense, many companies place security assessments on the back burner and treat them as an optional expense. Given the damages and expenses that can result from a security breach, the cost of a routine security assessment should be easily justified. Assessments should be part of a company's security program and part of its annual budget.