Choose the Right Information Security Assessment
We want to clear up any confusion around what a cyber assessment is, what it can reveal, and how a cyber assessment differs from a cybersecurity audit. Lastly, I want to answer when, and in what circumstances, you need each.
One of the most common complaints I hear from leadership teams of prospective mid-sized clients is that they did a cybersecurity assessment and they aren’t sure what the assessment tells them. Or, perhaps the outcomes aren’t what they had expected.
Executives ask their IT or cyber team to “assess how we are doing” or “audit our cybersecurity program,” but the results they’re seeing aren’t consistent and, often, leave the original business security risk questions unanswered.
Overcoming Cybersecurity Assessment Confusion
Truth be told, many cyber “experts” struggle to make the distinction among the different types of assessments. They aren’t clear on what each cybersecurity assessment or audit reveals, how to use the results, or how to perform each type effectively and efficiently. To many, the landscape of compliance assessments, maturity assessments, risk assessments, compliance audits, and cybersecurity reviews may seem to be the same exercise but with a different name.
Yet each type of cybersecurity assessment or audit has distinct purposes and methods, and each reflects the perspective of the user or the accrediting/auditing body that created the framework. While various metrics may overlap, each cyber assessment or audit provides different outcomes and business value.
Why Cybersecurity Assessments Can Fall Short of Expectations
A misalignment between the type of cybersecurity assessment or audit and the expected outcome often stems from three communication issues:
- The business leader doesn’t make the request in business terms or outcomes. They ask in cyber terms and the nuance between the two is missed.
- The IT or cyber practitioner (in-house or external consultant) does not push back on the request to clarify it and ensure that the leader's business questions are being addressed.
- The results of the assessment or audit are not delivered in business terms, but rather focus on "cyberspeak," using technology jargon.
Using Standard Language: Types of Cybersecurity Audits and Assessments
Here is a handy reference of standard cybersecurity assessment and audit terms:
Controls (or Controls Library) – A control is a rule or requirement that is designed to drive a specific objective. A controls library is simply a list of the controls. The business objective and an established test for the control are often, but not always, included in the library.
Cybersecurity Audit – An audit is typically defined as an evaluation of performance against specifications, standards, controls, or guidelines. This is often a checklist exercise in which the environment is evaluated against a list of controls called the controls library. The effectiveness, comprehensiveness, and business appropriateness of those controls are not necessarily evident from the audit.
Cybersecurity Assessment – Assessments come in many shapes and sizes, and typically deliver a much deeper evaluation of performance against, or adherence to, the controls. Assessments usually include some sort of impact measure or an interpretation of the effectiveness of the area being assessed. Assessments may include some degree of an audit, but not always.
Penetration Testing – This is neither an audit nor an assessment. It is a situational test that looks at one point in time. It is a trial of the controls, monitoring, processes, and technologies that protect an environment. It provides no measure, only an anecdotal data point and a narrative. There is value in this exercise; however, it is not a satisfactory replacement for audits or assessments.
Assessment and Audit Types and Purposes
Here are six of the main types of standard assessments or audits:
Compliance assessments evaluate an environment against a reference model. That reference model could be a governance or regulatory framework, such as PCI, SOX, NIST 800-53 or ISO 27000. Typically, there is a review of the controls for comprehensiveness and effectiveness, followed by an audit against the controls. Lastly, a risk valuation is typically completed. A compliance assessment will show how well a compliance program is performing and make improvement recommendations, as well as provide some measure of risk.
A cyber maturity assessment is an evaluation of the level of maturity an organization has with respect to its technology, people, and processes. The measure is made against a reference model, such as the DoD CMMC (Cyber Maturity Model Certification) or the DoE C2M2 (Cyber Capability Maturity Model). Within those standards, there are different standard maturity levels. This type of assessment provides a good picture of where there are maturity gaps or weaknesses in the overall cybersecurity program. It is also a good indicator of where investments should be made at a very high level. Typically, there is less emphasis on risk and more focus on having a comprehensive program.
A current-state assessment is a group of assessments designed to support the strategic development of the cyber program. The current state is matched against where the program wants to be, or its desired future state. These assessments focus on capability, technology, maturity, or any other measure that could drive change or improvement.
A risk assessment is a specific type of assessment that identifies, measures, and analyzes risk. The scope could include a regulatory or compliance framework, an application, a business process, a critical investment, or a business decision. The likelihood and impact of the risk, as well as mitigation or remediation strategies, are the priority. The deliverables from many of the other assessments and audits discussed here can be used as inputs for the risk assessment. The key business outcome should include a quantifiable measure of business risk.
A threat assessment is a review of the in-scope operating environment, network, application, or process with the intent to measure the significance, likelihood, and mechanisms associated with risks. This assessment is heavy on analysis and is often carried out with a great deal of risk or threat modeling. The business outcome of a threat assessment should be an increased understanding of the most pressing threats to an organization and their level of severity.
A cyber resiliency assessment measures an organization’s ability to identify, withstand, or recover from a cyberattack or breach incident. This is a very pragmatic and applied approach that should provide a very accurate view of the organization’s cyber posture.
Each of these evaluations answers different business questions and provides different informational and business-decision insight. The differences among them can be subtle or pronounced. Understanding what you need, and gaining clarity on which questions you need to answer, will help ensure that you choose the right assessment to answer those questions.
Other factors, such as organization size, industry, cybersecurity program maturity, and the types of customers you serve, also help indicate which assessment or audit would be most appropriate.
Choosing the Best Cyber Assessment or Audit: Key Takeaways
- Distill your business needs and understand what questions you need each assessment or audit to answer
- Understand the strengths, weaknesses, and nuances of each type of cybersecurity assessment or audit at your disposal
- Treat your information security assessment and audit deliverables as data points that together paint a total picture, providing a measure of risk as well as trends, strengths, and gaps
- Deliver leadership communications in terms of applied risk and business objectives and avoid cyber speak and IT jargon
- When in doubt, reach out for help from a trusted advisor
We’re Your Trusted Cybersecurity Advisor and Partner
If you’re not sure which assessments and audits are required for compliance versus which can be a tool to gain critical business intel on cybersecurity health and strength, we can help.