Benefits of A Security Posture Assessment
By Frank Gillman & Chris Ballod
Security assessments follow a two-part structured approach. The first part is to measurably determine whether the NIST¹ security controls currently in place within an organization are applied properly, working as intended, and producing the intended result in accordance with the requirements. Once the review is completed, the second part is to deliver to the organization a comprehensive gap identification and remediation plan, which identifies specific known weaknesses and proposes recommendations on how to address each one.
One of the most significant takeaways for an organization from the results of a security assessment is the ability to effectively prioritize which vulnerabilities should be addressed in the short term and which in the long term. Since internal resources for staffing or investment are often hard to come by, determining the prioritization, timing, and cost of remediation efforts becomes simpler when there is a plan.
This assessment requires weighing legal compliance obligations and potential liability concerns against operational efficiency. Privacy counsel should be involved to address these considerations and to shield these sensitive discussions with the attorney-client privilege.
Technology leaders within an organization, such as the CIO, CISO, and other IT department leadership, should rightly view this as welcome news. For too long, IT leaders have been handed, or lulled into, the sense of “It’s my problem. Deal with it.” But it’s really not. The IT systems are only part of the picture. Successfully establishing a genuine culture of security involves input and engagement from colleagues in human resources, marketing, facilities, and anyone else regularly involved in administering the organization.
Security assessments are what build that bridge. Each of those people may have critical functions to perform if there is ever a data breach or other security incident. Having everyone participate in a security assessment integrates them into the security plans, rather than leaving them as mere names on a contact sheet within an Incident Response or Business Continuity Plan.
¹ National Institute of Standards and Technology