How to start your cyber risk assessment
A good starting point in assessing risk is to identify key assets: What data do you have that criminals might want? What systems are used to store, process, or access that data? Who has access to them? Larger and more complex organizations need asset inventories that are both broader and more detailed: which systems, services, and applications exist, how they communicate across the network, and which security controls protect each of them.
The results of an asset inventory help those responsible for security and risk understand what is in scope and what needs to be prioritized. Prioritization is different for every business, based on its risk tolerance, the type of data and systems it manages, and the privacy and cybersecurity regulations that apply to it. What’s more, this is not a one-time project: asset assessments must be continuous so that they reflect the current state of the organization, and must account for new data and technology added to the environment, each of which can raise or lower the organization’s risk.
Test your controls
For smaller businesses, testing security controls is often outsourced to providers, though it is important to remember that outsourcing the management of security does not equal outsourcing responsibility for security. For enterprises with security and infrastructure teams, ongoing testing of controls to ensure they are working as desired is necessary. “As desired,” though, differs from organization to organization, based on risk tolerance. Stricter security controls often affect performance and accessibility, so an organization might make an explicit, documented risk decision to place less stringent requirements for access and use on its less sensitive assets.
What’s more, both security control settings and risk tolerance are adaptive. What is appropriate or acceptable one day or month may not be acceptable the next, because, as mentioned previously, things change all the time. New data is added to the company’s systems. Employees join and leave the organization. New technologies and applications are deployed; sometimes these ship with vulnerabilities, and sometimes vulnerabilities are discovered only after they are in production. The list of risks only grows from here, so security best practice requires a constant OODA loop: observe, orient, decide, act. Importantly, while the company is in the first three stages of the loop, security and infrastructure teams cannot neglect action: data and systems must be protected from threats at every stage. This is why the security of the modern enterprise is so tricky to manage and why organizations must operate in shades of risk.
Invest in people, processes, and technology
There is no shortage of security technologies, but simply purchasing a supposedly cutting-edge solution is not the answer to “how do I protect my assets and mitigate risk?” That said, no company, big or small, can exist in today’s cyber threat climate without tools that prevent, detect, and stop threats. This is why it is important for any company evaluating a security solution to understand how the provider-partner addresses adaptive risk. Static security controls do not match the dynamism of today’s business needs, and tools that require extensive hands-on, manual management and oversight are not realistic given the volume of work infrastructure teams already have in merely keeping systems operational.
Instead, businesses should look for security provider-partners that:
- Temper cyber risk through adaptive security controls that work across environments (cloud, on-premises, containers);
- Use automation and machine learning to ensure that controls are appropriate for the amount and type of security desired by each individual customer; and
- Scale easily alongside the business, eliminating the arduous deployment and on-boarding schedules of many traditional security solutions.
When new security solutions are implemented, make sure to invest in skills development and awareness. The people managing the technology must understand its capabilities and governance requirements; even best-of-breed products take time to learn. A little upfront training on proper use of the technology will go a long way toward reducing risk down the road. People and processes are critical risk factors, so do not overlook the importance of training.
As a business evolves, it should not have to assume preventable risk because its security controls must be manually configured, cannot easily be adapted to new environments, or take too long to deploy; each of these gaps introduces unnecessary exposure. No business, regardless of size, is free from cyber threats, and all organizations should be able to take advantage of modern technology to run their business without adding avoidable risk. Keep your cyber risk under control with:
- Ongoing asset inventories that help determine what assets you have and how to prioritize protection;
- Security controls that reflect the needs of the business. Controls must be tested to ensure they’re functioning as desired;
- Adaptive security solutions and processes that can grow alongside your business; and
- Trained, skilled staff who have command over the environment and can make risk-based business decisions using best-of-breed cybersecurity technology.
Interested in learning how Edgewise can help your organization automate, simplify, harden and scale security? Sign up for a demo today.