
Case Study
Webinar
* Recorded on Thursday, March 28, 2024. Please note since this recording, Covalence has been renamed Field Effect MDR.
Whether you're well into your cybersecurity journey or just getting started, a cybersecurity assessment can keep you on the right, most efficient path to a stronger defense.
Join cybersecurity experts Mike Russell and Alyssa Parenteau to learn what security assessments are, how they work, and how they can help businesses of all sizes:
There are six key attributes. The classic three are confidentiality, integrity, and availability.
Confidentiality is about keeping things private that are meant to stay private. Integrity means making sure records can’t be changed without logging those changes, so only authorized modifications can happen. Availability ensures that whatever service you’re offering is accessible when and how it’s needed by your clients.
Three additional attributes closely relate to these: privacy, safety, and reliability.
Privacy means information should only be shared in the ways you intend. Safety is especially important with internet-connected systems—you don’t want a compromise at, say, a chemical plant to result in harm to people, the environment, or physical assets. Reliability is vital in sectors like electricity, where continuous power is expected. If there are outages, people need to know when they’ll happen so they can plan around them.
Together, these six attributes form the foundation of a good cybersecurity program. The program identifies risks to each, implements controls to reduce those risks to an acceptable level, and then allows the organization’s management to accept the residual risk that remains.
That’s what makes a good cybersecurity program. At its core, cybersecurity is an exercise in risk management, specifically tailored to digital systems.
This is one of the hardest things to put into practice. You could try to identify every risk and then implement every possible control, but very quickly you realize there are hundreds, if not thousands, of controls. It becomes a never-ending exercise of “what do I need to do today?”
In practice, that doesn’t work. Even following a framework is often unrealistic because frameworks have hundreds of controls. For small and medium-sized businesses, it’s just too expensive. You can’t implement military-grade security in the private sector, especially in smaller organizations—it’s simply too costly.
A more practical approach works much better, and it’s the one we use.
This offsets weaker parts of your program. The idea is to make sure someone can’t get into your network and stay there for long while you improve other controls.
Monitoring is especially important because it also helps with containment. Even if something does happen, strong monitoring lets you minimize the impact of an incident. The whole goal is to reduce dwell time—catching intrusions quickly so they don’t have a chance to cause significant harm.
It’s not a question of if but when. Defenses aren’t perfect, so you have to assume attackers will get through eventually. If you’re able to catch them quickly, the compromise won’t have much impact. You remediate, move forward, and prepare for the next attempt.
That means even if your program has weaker controls in some areas, good monitoring ensures you can detect and respond effectively. Then you can reprioritize and strengthen your defenses over time.
While you continue improving your overall program in the background, you’ve got strong enough frontline defenses to prevent serious compromise in the meantime.
If you have expertise in-house, great. If not, look outside for cybersecurity experts who can give you a prioritized action plan.
If you can’t do everything, do the things that matter most and will give you the greatest benefit. Put those at the top of your list instead of letting them slide while less effective controls get implemented first.
Once you have an action plan, implement it and measure your improvement. Measuring is important, especially if you need to show leadership or a board why more investment is required. A solid plan that demonstrates a strong return on investment, backed by evidence of improvement, builds trust. That makes it much more likely you’ll get approval for future initiatives.
One of the things we wanted to cover today is why an assessment matters. Different companies have different needs and are at different points in their cybersecurity journey. Larger organizations often have cybersecurity departments built into IT, but smaller ones don’t. It’s hard to find and afford that kind of expertise, and demand is far greater than supply.
That’s where an assessment comes in. It gives you a clear picture of where you stand and helps you move forward in the right way. Getting assessed by an external organization can be very beneficial if you don’t know what to invest in or what to invest in next, in terms of priority.
An expert should have enough experience in cybersecurity to decide what makes sense to do next and provide a prioritized list of what you should be doing.
Another advantage is that someone external doesn’t have the same buy-in to what you’ve done historically, so they can independently assess the merits of certain controls or identify gaps that someone internal might be more resistant to acknowledge. That second-opinion concept is really important. There are also situations where an unbiased third-party assessment is required—for example, due to cyber insurance requirements or as a due-diligence proof point during acquisitions. It can be important to show that an independent party has assessed your program, rather than you checking on yourself.
You also want an improvement plan for cybersecurity—an assessment gives you that. Whether you do it internally or outsource it, it provides a plan to move your program forward, because there are always opportunities for improvement, no matter how good you are.
If you’re looking down the road to get certifications, an assessment—specifically a gap assessment—is very useful. It puts you on the path toward certification. When you want to be certified, you must meet all the controls in a framework, not just some of them. If you do a gap assessment for certification and end up with a hundred deficiencies, you won’t know what to tackle first. If certification is the goal, you need to address them all, so you need a roadmap to get to the point where you’re ready. An assessment helps get your program to that point, so that when you pursue formal certification, your gap is very small.
The first thing you want is an analysis of your entire cybersecurity program. Certifications tend to cover a subset, but if you’re looking to improve overall, you want the assessor to look at the entirety of your program.
Coming out of it, you want concise, easy-to-understand analysis. A 200-page report isn’t helpful without substantial simplification. You want clear analysis and plain-language recommendations that you can act on, not jargon-heavy detail that is hard to turn into action.
Your assessment should also include information that helps justify and validate your investments. Cybersecurity, for most organizations, is not a profit center—it’s a cost center. You do it to protect the organization, not because it differentiates your business. Since it’s an expense, you want strong justification for any spend, and you want to validate that the expenditure was effective at mitigating risk. If you can repeatedly show “yes, this reduced risk,” it becomes much easier to get continued support from senior management.
A track record of wise investment and reduced risk makes it easier to keep improving your program. Conversely, if you spend money without clear deliverables or outcomes, it’s harder to ask for more. There are always more controls you could implement to reduce risk further. Having a track record of successfully implementing pieces of your program, and a way to measure reduced risk, shows that an assessment led you to a place where you can invest effectively year over year and keep improving for as long as you want to.
Finally, you want assessment support that simplifies implementation. It’s easy to say, “You should have better multifactor authentication.” It’s much more challenging to implement it correctly and consistently across your environment. There are many considerations during implementation, and you want your assessment to reflect that—so the recommendations are actionable and you have support to carry them through to completion.
Note that this is the ideal of what you should be getting out of your assessment. Clients have come to us with an assessment that isn’t prioritized. We’ve helped them work through a roadmap to support prioritization and implementation. Some of the controls you’re asked to implement aren’t simple, and we understand that. At Field Effect, we focus on small to medium enterprises, and we know there may be extra support needed. I’m mentioning this because if you’re looking around at assessments, not all vendors offer this.
We’ve talked generally about assessments, and now we’re going to pull back the curtain a bit on how Field Effect architects and conducts cybersecurity assessments. Different vendors have different ways of doing things and different outputs, but we thought it would be helpful to give you a walkthrough and an idea of what you can expect from us. It’s one way of doing things and should give you a better idea of the whole process and the “why”.
First, the foundation of these services: the Field Effect cybersecurity controls. Before getting into it, we should define what a cybersecurity control is. In its simplest form, it’s an action taken to control a specific risk—those risk mitigation actions we talked about earlier.
We know there are many frameworks and tons of control catalogs. We’ve condensed them into what we believe are the most important things to do. We divided them into 18 categories, and within each category there are roughly 10 to 25 controls.
We then prioritized them further:
We have a number of controls—roughly half across all categories—that fall into the advanced and resilient “should-have” and “nice-to-have” groups. They’re important, and often very important if you’re seeking certification, because many resilient controls appear in certification frameworks. But they’re not necessary for organizations simply looking to establish a solid cybersecurity program.
With these four tiers, we can roadmap organizations from what they should do immediately, to what they should do over time, to what they should consider doing, and finally to optimizations once the program is more mature.
Let’s look at an example within the same control group, showing critical, core, advanced, and resilient.
Consider the category “Endpoint and Cloud Protection.” A critical control here would be to have a managed detection and response (MDR) capability in place—you need good monitoring. An MDR solution in your environment is the critical control.
A related core control would be ensuring you have a 24/7 security operations center (SOC) or outsourcing SOC functions to an experienced provider. This gives you round-the-clock monitoring of the solutions you’ve deployed.
An advanced control would be having documented service levels you must meet for alerts coming out of your security solutions, including MDR. The purpose here is to have policy in place that says not only do you have a solution and monitor it, but you will catch and investigate any alerts within a defined period of time. Then you can monitor and manage your service levels to make sure you’re meeting the expectations of your program.
At the resilient level, you’d do monthly audits to ensure your security solutions actually cover all of your assets—so not only do you have a program in place, but it runs on everything it should and it’s running effectively and efficiently.
You can see the progression from a must-have—having a monitoring solution in place—to resilient, where you’re optimizing that solution and making sure it continually meets the organization’s needs. Each of those is a different control, and together they contribute to your overall cybersecurity maturity and overall program.
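Two of the controls in the progression above are measurable ones: the advanced control (documented service levels for alerts) and the resilient control (monthly audits that the security solution actually covers every asset). The following Python script is an added illustration of what those two checks look like in practice; it is not code from Field Effect or from the webinar. The asset inventory, agent check-in times, alert records and SLA thresholds are constructed sample values, and the seven-day silence threshold for calling an agent stale is an assumed choice.

```python
from datetime import datetime, timedelta

# --- Constructed sample inputs (not taken from any real environment) ---

# Asset inventory (e.g. exported from a CMDB) and the most recent check-in
# recorded for each monitoring agent, keyed by hostname.
ASSET_INVENTORY = {"ws-001", "ws-002", "ws-003", "srv-db-01", "srv-web-01"}
AGENT_LAST_SEEN = {
    "ws-001": "2024-03-27T09:15:00",
    "ws-002": "2024-03-27T10:02:00",
    "srv-db-01": "2024-03-01T00:00:00",  # agent stopped reporting weeks ago
    "srv-web-01": "2024-03-27T08:40:00",
    "laptop-x": "2024-03-27T11:00:00",   # reporting, but nobody inventoried it
}
AUDIT_TIME = datetime(2024, 3, 28, 12, 0, 0)  # when the audit is run

# Alerts with the time they were raised and the time an analyst first
# acknowledged them; None means nobody has picked the alert up yet.
ALERTS = [
    {"id": "A-1", "severity": "high", "raised": "2024-03-27T09:00:00", "acknowledged": "2024-03-27T09:12:00"},
    {"id": "A-2", "severity": "high", "raised": "2024-03-27T13:00:00", "acknowledged": "2024-03-27T14:10:00"},
    {"id": "A-3", "severity": "medium", "raised": "2024-03-27T15:00:00", "acknowledged": "2024-03-27T17:30:00"},
    {"id": "A-4", "severity": "low", "raised": "2024-03-26T08:00:00", "acknowledged": None},
]

# Documented service levels: maximum minutes from alert to first analyst action
# (assumed values for the example).
SLA_MINUTES = {"high": 30, "medium": 240, "low": 1440}


def coverage_gaps(inventory, last_seen, now, max_silence=timedelta(days=7)):
    """Compare the asset inventory with agent check-ins and report three gaps:
    assets with no agent at all, agents that have gone silent, and agents on
    hosts that are missing from the inventory."""
    agents = set(last_seen)
    uncovered = sorted(inventory - agents)
    unknown = sorted(agents - inventory)
    stale = sorted(
        host for host, ts in last_seen.items()
        if host in inventory and now - datetime.fromisoformat(ts) > max_silence
    )
    return {"uncovered": uncovered, "stale": stale, "unknown": unknown}


def sla_compliance(alerts, sla_minutes, now):
    """Return per-severity compliance rates and the alerts that missed their SLA.

    An alert nobody has acknowledged yet is measured against `now`, so a
    forgotten alert counts as a breach once its window has elapsed instead of
    silently dropping out of the statistics."""
    counted = {}  # severity -> [within_sla, total]
    breaches = []
    for alert in alerts:
        raised = datetime.fromisoformat(alert["raised"])
        acked = datetime.fromisoformat(alert["acknowledged"]) if alert["acknowledged"] else now
        minutes = (acked - raised).total_seconds() / 60
        limit = sla_minutes[alert["severity"]]
        bucket = counted.setdefault(alert["severity"], [0, 0])
        bucket[1] += 1
        if minutes <= limit:
            bucket[0] += 1
        else:
            breaches.append({"id": alert["id"], "severity": alert["severity"],
                             "minutes": round(minutes), "limit": limit})
    rates = {sev: within / total for sev, (within, total) in counted.items()}
    return {"compliance": rates, "breaches": breaches}


if __name__ == "__main__":
    print("Coverage gaps:", coverage_gaps(ASSET_INVENTORY, AGENT_LAST_SEEN, AUDIT_TIME))
    print("SLA report:", sla_compliance(ALERTS, SLA_MINUTES, AUDIT_TIME))
```

Run it as-is to see both reports. The two edge cases are the ones a monthly audit exists to catch: an agent that was installed but has stopped reporting is flagged as stale rather than counted as covered, and an alert that was never acknowledged is measured as a breach rather than being ignored because it has no acknowledgement timestamp.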
Speaking of program maturity, the critical, core, advanced, and resilient tiers relate to different levels of cybersecurity maturity. Different organizations will require different levels of maturity. Not everyone needs to climb all the way to certification. Understanding where you’re starting and where you want to be is part of the assessment process.
At the bottom of the ladder are organizations with no cybersecurity program—they haven’t had a need or interest in investing, and don’t have many controls. Next is an ad hoc program where some controls exist but there isn’t much programmatic structure. From ad hoc, you move to a repeatable program where programmatics start to appear: policies, processes, and procedures people follow, with fewer one-offs. From there, you move to an assessed program where you’ve started looking for gaps so you have repeatable processes across your entire program and risk space. At the top is a certified program, where external assessors have determined you meet a cybersecurity framework.
Not every organization needs certification. You tend to see certification-driven cybersecurity in regulated sectors or among service providers in those sectors—for example, energy producers or the defense industrial base. In other sectors, like retail, a repeatable cybersecurity program may be sufficient, especially for small and medium organizations where the threats don’t require a more advanced program.
Some small organizations maintain ad hoc programs because they don’t have a large internet presence but do have IT systems; they may aim to build toward a more repeatable program. This continuum can be expressed many ways—we’ve chosen this view because it’s particularly applicable to the small and medium-sized business environment.
Field Effect has two cybersecurity assessment products. The first focuses on the initial steps on that ladder. We call it the Foundational Cybersecurity Assessment. It focuses on must-have and need-to-have solutions—the high- and medium-priority controls your organization most likely wants in place to build a robust program against common threats.
This assessment is typically for organizations looking to start a formal program or improve existing fundamentals. It prioritizes activities that matter most against common threats.
From the client experience: you complete a survey with us (it takes between one and two hours). You receive an action plan outlining high- and medium-priority items, itemized in terms of how we think they’re best implemented based on return on investment. We discuss this plan with you, and we follow up about a month later to see how implementation is going—making sure we’re not just firing recommendations and forgetting about you. We want to see real improvement, whether we deliver an action plan or, as you’ll see with the next service, a roadmap. The goal is to help you improve cybersecurity effectively and efficiently.
Lastly, if you’re new to us, we include a trial of our Field Effect MDR. This is our flagship product. We include it in our professional services. You’re not obligated to take it, but if you’d like to do a trial while you’re doing an assessment with us, that’s great. We’ll use data from the trial to augment what we get through your survey. If you don’t choose to do it, we’ll base the assessment on the survey you complete with us.
One reason we offer the foundational, smaller version is that many companies at the beginning of their cybersecurity journey would find a full, certification-driven assessment overwhelming—like trying to drink from a fire hose. The foundational assessment is really for organizations with less mature programs. There’s nothing wrong with that—getting an assessment to improve your program is a great step forward.
More advanced organizations that already have a program and staff can absorb more extensive recommendations. At that point, it’s as much a gap assessment as anything. If you are looking to mature an existing program and aren’t quite sure where the gaps are, if you need a longer-term roadmap to an effective program, or if you’re aiming for certification and want to know what to implement to get there, the Advanced Cybersecurity Assessment will give you a roadmap to a robust and resilient program.
In this case, clients complete an extensive survey—roughly twice as long as the foundational assessment—taking about two to three hours. You receive a roadmap. The difference between an action plan and a roadmap: an action plan says “do this.” A roadmap says “do this in phase one, that in phase two, more in phase three, and so on.” Depending on the number of recommendations, we increase the number of phases. Some organizations tackle one phase per year, making it a multi-year plan. Others accelerate and schedule multiple phases within a year. It depends on the extensiveness of the recommendations and the organization’s willingness to implement the gaps.
This roadmap provides a much more detailed, multi-year plan for what you should do in cybersecurity, whereas the Foundational Assessment focuses on what you should tackle first. The major difference is scope. In both cases, you get the same experienced cybersecurity analyst to debrief your findings and follow up a month after the assessment to ensure you’re on the right track for implementation and to address any questions or concerns. And if you're not an existing Field Effect MDR client, there's a trial available as well.
If you’re looking to establish or mature a relatively basic program, stick to the Foundational Assessment. You’ll still get many recommendations—there’s a lot you can do in cybersecurity. If you already have a strong program and want it assessed in depth, the Advanced Assessment will be better. You’ll get a thorough review of the entire program. Because you already have many controls in place, you’ll likely get a similar number of recommendations as a basic assessment, but the advanced and resilient items won’t be overwhelming the way they might be for a smaller organization just starting out.
Q: What are the controls based on?
I have experience with the NIST SP 800 series of controls, like SP 800-53 and 800-171, as well as many of the other smaller families we’re aware of. The NIST Cybersecurity Framework includes some of those controls. There are also organizations like the Center for Internet Security that produce great commercial frameworks, though they’re licensed, so we don’t use their controls directly.
In Canada, the federal government put out baseline cybersecurity controls a number of years ago, and we incorporated elements from that profile. We also use the ISO/IEC 27000 family of controls, as well as best practices we’ve picked up over the years that are important for a good program.
It’s also informed by our incident response work. We see what attackers are actually doing on networks, so sometimes we’ll adjust priorities if we see something being actively exploited. In short, it’s a mix of well-known frameworks, practical experience, and ongoing threat intelligence.
Q: I’m a new Field Effect MDR customer. Would I benefit from a cybersecurity assessment?
It really depends on your intent. If you’re comfortable being a new Field Effect MDR customer and benefiting from that service, maybe an assessment isn’t necessary right now. But if you want to mature your program, whether you’re starting out or already more advanced, an assessment helps prioritize what to do next.
If you’re looking to make additional cybersecurity investments, we’d recommend it because it gives you an outside opinion on where to start.
I’d also add that while having MDR is one of the most important things you can do, technology alone can’t tell you everything. It can’t show how strong your incident response plan is, or whether you have the right policies and procedures in place. An assessment gives you that more holistic understanding of your cybersecurity posture.
Q: If I know I need CMMC compliance, is there any benefit in doing a general cybersecurity assessment first?
CMMC is an interesting case. If you’ve never had an assessment, a general cybersecurity assessment can be very useful before you dive into a CMMC-specific gap analysis. CMMC gap assessments can be expensive right now due to supply and demand.
If you have big gaps in your program, that will almost certainly show up in a CMMC audit. An overall assessment will help you identify and prioritize those issues first.