According to the Ponemon Institute, 7 out of 10 organizations say their security risks increased significantly in 2017, and 54% of companies experienced at least one attack that compromised data or IT integrity. The first half of 2018 saw the disclosure of the Meltdown and Spectre vulnerabilities, making cybersecurity a growing priority for organizations of all sizes, across all industries.
The business impact of a cyberattack could be very severe. Think of viruses and denial-of-service attacks which could shut down corporate e-mail systems and websites, massive thefts of personal data, or ransomware attacks which could damage industrial systems, utilities or hospitals. Despite the urgency around security and data protection, many organizations are not keeping up with the threats.
Watchful businesses are strengthening their security barriers and implementing stricter, continuous monitoring processes. Any initiative to improve cybersecurity should start with an assessment of the organization’s weaknesses and a plan to address them. IT managers sometimes underestimate the importance of the assessment phase; however, it is undoubtedly useful, not only to learn more about the vulnerabilities to be covered but also to estimate the effort needed to cover them. A CIO once told us that he originally scoped cybersecurity as a 6 / 8-week project with a certain budget. After the assessment, he understood 16 / 18 weeks were necessary, and the budget to be allocated was about 5 times higher.
The assessment might be conducted by internal staff or external security experts. Standard, authoritative tools are also available, including the Cybersecurity Framework by the US National Institute of Standards and Technology (NIST), or the Cyber Resilience Review by the US National Cybersecurity and Communications Integration Center (NCCIC).
Regardless of the preferred method or tool, a well-made security assessment should unveil the weaknesses of the current IT environment, and also investigate the policies, processes, internal culture and workflows which might influence the organization’s ability to detect and respond to cyberattacks.
In other words, a successful assessment will score the company's maturity in security and data protection. In business experience, maturity is a combination of people, process and technology.
Author: Sabis Chu, IT Technology Evangelist at KRIU