As Donald Rumsfeld once said, there are “known knowns”, “known unknowns” and “unknown unknowns”.

Rumsfeld’s quote certainly comes to mind when considering how to assess, prioritise, manage and mitigate cyber security risks. So, how can you be confident, or demonstrate to others that you are focusing on and investing resources in the right things?

If your organisation is seeking assurance or insight into your security posture, a cyber security assessment is the place to start.


What is a cyber security assessment?

Understanding and addressing control gaps and cyber security risks is critical to improving your cyber resilience. A cyber security assessment identifies and analyses those gaps and risks, producing a structured review of your security posture. The results of an assessment rate your existing cyber security controls and should set out prioritised remediation activities.

At Savanti, our assessments are built around our Cyber Security Controls Framework, which consists of 15 domains that cover the organisational, governance and technical security requirements that make for good cyber security.

This framework allows Savanti to perform targeted assessments at all levels across your organisation, using the following approaches:

  • Organisational Assessment. A broad-spectrum review of the full scope of security to establish the current ‘as is’ position and provide a baseline against which improvement can be measured.
  • Thematic Assessment. An assessment focused on a general theme or area of concern to the organisation. For example, where a business has concerns or challenges around data management, a thematic assessment could review how the organisation prevents data loss. Other themes could include PCI-DSS compliance or Mobile Device Management.
  • Detailed Assessment. A focused, in-depth assessment of a specific component or technology element of the organisation. For example, a detailed review could be performed of firewall configuration, the Secure Software Development Lifecycle, or how third-party security is managed and controlled.

How can I get the confidence and assurance I need?

Unfortunately, investing time and money in search of our security demons is often mistakenly seen as a distraction from the pressing urgency of a business’s daily operations.

Conducting a security assessment requires a dedicated and focused effort, removed from the distractions of normal operational business. To support an in-house review, the National Cyber Security Centre is a good source of information; its 10 Steps to Cyber Security is a good place to start. Another option is to engage a cyber security consultancy: leveraging external resources can help to ensure the assessment is executed efficiently and that your requirements are met.


How can an external security assessment help?

Expertise. The experience required to identify and assess security risks. Specialist auditors or security consultants know what to look for and can advise on the best approach for remediation, including where to start.

Independence. A neutral, unbiased approach to assessments is often required to satisfy compliance requirements or client requests.

Industry insights. Access to wider security experience, proven security methodologies, and knowledge of industry trends, technologies and current threats.

Remediation. Support with the end-to-end transformation journey, from assessment to building transformation roadmaps that mitigate priority risks.

Arriving at the “known knowns”

As Donald Rumsfeld alluded to, it is the issues and challenges that we don’t know about that cause the problems. By using Savanti's cyber security assessment service, organisations can clearly articulate their cyber security posture and take the appropriate actions to ensure they have effective information security controls that bolster their cyber security defences.

Look out for our next blog on what to expect from a security assessment and what a good one looks like.
