Keeping up with cybersecurity is a challenge for every organization. It’s an ongoing investment that requires constant monitoring, a multitude of safeguards, and myriad other requirements to ensure your systems, customer data, assets, and intellectual property are protected—both today and from future breaches.
For large organizations, it can mean significant investment without guaranteed results. For small businesses, it can mean figuring out how to make the most of limited resources. In either situation, many organizations struggle with assessing third parties, such as which vendors and service providers to consider for their cybersecurity initiatives. This is critical, because security breaches can and do happen. In the unfortunate event that one does occur, consumers, employees, and the media won’t see it as your vendors’ mistake; they will see it as your brand’s mistake.
Below we’ve laid out key considerations for reviewing your cybersecurity ecosystem—whether you are simply auditing, assessing gaps, or deploying enhancements. This process will help your organization better identify the right partners, approaches, and mindset needed to protect your precious data and assets.
1. Understanding the value of your data and mitigating risk
It is critical to understand the value of your data, both to the organization itself and to potential attackers. Being able to run through the hypothetical scenarios below and quickly assess the risks is paramount to understanding the impact should something go wrong:
- Do you have any sensitive data accessible over the internet?
- How much data is there, and how much of it is potentially exposed?
- Who might benefit from that data?
- What could happen to your organization if the data were compromised?
- Would there be financial penalties, reputational damage, or loss of business?
The clearer your understanding of what could go wrong, the easier the conversations will be when determining the controls necessary to prevent the worst outcomes.
Security professionals often use the CIA triad to understand the risks and value of data: Confidentiality, Integrity, and Availability. However, you don't need to be a security professional to use it. The concept helps organizations better understand the risks to their data by showing what a breakdown in any one of those three areas would mean for the organization.
Use a scoring system to help evaluate these concepts. For each of the three concepts, ask the corresponding question from the table above and score the answer as follows:
- It would matter: score of 1
- It would be a big deal: score of 2
- It would be catastrophic: score of 3
Add the three scores together. The higher your total, the more security controls and assurances you need to protect your data. You can also use this information to frame the questions you ask your providers.
2. Ask questions of your partners
Seasoned security professionals and auditors have a common mantra for assessing controls: "Trust but verify." Asking questions is a great way to learn more, deepen partner relationships, and ensure that controls are appropriately implemented. Here are some examples to get started:
- Can you share your information security policies?
- Which controls are most important for our needs?
- Do you perform third-party penetration tests?
- What training and certifications does your security team have?
- How often does patching occur?
- Do you have an internal auditor?
- Can you share a third-party audit report such as a SOC 2?
- How would you ensure our data confidentiality?
- How do you ensure controls are operating as designed?
While these questions will not give a complete picture of a security program in its entirety, they will give partners and providers a chance to engage on topics that are important to their level of service in protecting your organization. Short answers, or an unwillingness to engage on these topics, should be seen as cause for further investigation. Good security thrives on communication and partnership among all stakeholders, both internal and external.
3. Embrace the process
It is important to accept that security is always in flux; it is a living, breathing process because of the humans who interact with and manage it. There is no such thing as “set-it-and-forget-it” in cybersecurity. Technology and software can become outdated and, in some cases, obsolete. Architectural patterns change, cyber attackers change tactics, and many controls require periodic operation and review, making them susceptible to human error.
The idea of a perpetual process can be understandably unnerving to some people. However, organizations, careers, and even lives can be impacted by a significant security incident, so adopting the mindset that security is never truly "done” is critical. Successful practitioners think of it as an evolving challenge, one that is constantly transforming—like a puzzle that changes a little bit each day. It is critically important that systems are regularly reassessed to account for changes both inside and outside of your cybersecurity ecosystem.
And while not all organizations have the resources to build a best-in-class security operations team, having the right partners—the kind that can help you navigate ever-changing risks and protect your business assets—will ultimately enable you to build a stronger and more resilient organization.