Do you know where the holes in your network are? Are you concerned about them? Do you even know TO be concerned about them?
As I talk to business leaders it has become increasingly clear that network security—especially understanding where you fall in network security to secure your sensitive data—is non-existent within many organizations.
One of the easiest ways to see where your security holes are?
Experts recommend performing a gap analysis to evaluate where your information security program stands today and where it should be.
How can you ensure that you are properly addressing gaps and remediating security vulnerabilities within your organization?
Measure your progress.
One of the easiest ways to make sure you are reaching your security goals is to measure your progress, performance and outstanding risks. Performing a continual gap analysis will give you a way of tracking security within your organization and will help you devise metrics that create acute awareness of whether you are actually filling in the security gap.
Practically speaking, think of every gap identified through gap analysis as a homework assignment for your IT team. One easy way to measure how your team is doing on its assignments is to assess progress against those assignments. This will involve several steps:
Define your desired outcomes—what does “good” security look like in one area of network security? For passwords, it might be having a policy that gets your team to actually change passwords at regular intervals and to understand how and why secure passwords are important.
Determine intermediate milestones—any long-term goal will need continual feedback. Think of bigger security initiatives within your organization as bigger homework assignments. Instead of writing a 10-page paper and calling it done, your milestones might be to create a topic outline, write topic sentences for each paragraph, research any topics you are unsure about and then put together the content paragraph by paragraph.
Similarly, for larger initiatives, make sure your team has broken the bigger project down into smaller milestone tasks that can be tracked (completed or not completed). Assign someone within your IT team to be responsible for those tasks and hold them accountable for their completion.
Devise ways to measure intermediate progress—as mentioned above, knowing that progress is being made on a larger initiative is critical to its completion. Make sure that your team has broken tasks down into digestible week-by-week assignments and hold them accountable for getting those done. Consider holding a weekly meeting to determine what has been done and what has been missed. If you notice tasks getting missed, devise a plan to get your team back on track.
Set realistic timelines—if a lot is getting missed because your team has a ton on its plate, take a step back and redefine priorities or timelines. In order to be successful, it’s always best to set SMART goals (specific, measurable, attainable, relevant and time-bound).
Continually celebrate throughout the process—even for small wins or milestones, make sure to encourage your team to keep moving through your security gaps.
The measurables listed above are purely project management deliverables. In cybersecurity, you will also want clear metrics showing that your team is actually keeping you safe. Below are some areas where you might want to focus your awareness and tracking of issues:
Understand risks to your business—the list of vulnerabilities that might put your business at risk of a cyberattack is growing day by day and week by week. Understanding what is out there and being able to confidently say whether something is an actual risk to your organization is becoming a critical measurement for leadership.
Classify risks as key or non-essential—having your team classify and point out critical risks to your network and infrastructure security should be a growing focus of leadership teams.
Prioritize the risks your organization faces—your team should be prioritizing security risks by the level of impact and damage a potential vulnerability could cause. In addition, consider the ease of addressing each issue as part of prioritization (it is better to focus on low-hanging fruit than to spend countless weeks trying to fix complex issues).
Identify tolerances your business permits—by identifying tolerances and comparing your metrics against a tolerance or tolerance range, you can evaluate areas or gaps in your security that need higher attention. As your leadership sees those tolerances, they’ll be able to understand critical contingencies, such as budget or team members devoted to a specific issue.
Compute an aggregated risk score—as you tally up all of the vulnerabilities facing your business, consider producing an aggregate score that sums up your improvements and shows where you stand today versus yesterday.
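The five practices above (classify, prioritize by impact and ease of remediation, compare against tolerances, aggregate a score) can be turned into a small risk register. The following is an added example written for this article, not code from the author; the 1 to 5 scales, the “key” threshold of 12, the per-area tolerances and the sample findings are all constructed assumptions, and a real register would load them from a tracking system.

```python
"""Constructed example of a risk register that classifies, prioritizes,
checks tolerances and aggregates a risk score.

Assumptions (not from the article): impact, likelihood and remediation
effort are rated 1..5; a risk with severity (impact * likelihood) of 12
or more is "key"; each business area has a tolerance on its summed
severity; sample findings below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    area: str            # business/network area, e.g. "passwords"
    impact: int          # 1 (negligible) .. 5 (severe)
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    effort: int          # 1 (trivial fix) .. 5 (multi-week project)
    is_open: bool = True

    def severity(self) -> int:
        """Severity = impact x likelihood, on a 1..25 scale."""
        return self.impact * self.likelihood


KEY_THRESHOLD = 12  # assumption: severity >= 12 counts as a key risk


def classify(risk: Risk) -> str:
    """Key vs non-essential, as the article suggests leadership should see."""
    return "key" if risk.severity() >= KEY_THRESHOLD else "non-essential"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order open risks so that high severity AND low effort come first.

    severity/effort favours the article's "low hanging fruit": a severe
    issue that is trivial to fix outranks a severe issue needing weeks.
    Ties fall back to raw severity, then name for a stable order.
    """
    open_risks = [r for r in risks if r.is_open]
    return sorted(
        open_risks,
        key=lambda r: (-r.severity() / r.effort, -r.severity(), r.name),
    )


def area_scores(risks: list[Risk]) -> dict[str, int]:
    """Sum of severity of open risks, per area."""
    totals: dict[str, int] = {}
    for r in risks:
        if r.is_open:
            totals[r.area] = totals.get(r.area, 0) + r.severity()
    return totals


def tolerance_breaches(risks: list[Risk], tolerances: dict[str, int]) -> dict[str, int]:
    """Areas whose summed severity exceeds the tolerance the business set."""
    scores = area_scores(risks)
    return {
        area: scores.get(area, 0)
        for area, limit in tolerances.items()
        if scores.get(area, 0) > limit
    }


def aggregate_score(risks: list[Risk]) -> int:
    """Single number for leadership: total severity of all open risks."""
    return sum(r.severity() for r in risks if r.is_open)


def trend(previous_score: int, current_score: int) -> int:
    """Negative means the posture improved since the last snapshot."""
    return current_score - previous_score


# Constructed sample findings (invented, not real assessment data).
SAMPLE_RISKS = [
    Risk("Shared admin password on file server", "passwords", 5, 4, 1),
    Risk("No password rotation policy", "passwords", 3, 3, 2),
    Risk("Unpatched VPN appliance", "patching", 5, 5, 3),
    Risk("Legacy OS on lab workstation", "patching", 4, 2, 5),
    Risk("Guest Wi-Fi not segmented", "network", 3, 3, 2),
    Risk("Old backup job failing", "backups", 2, 1, 1, is_open=False),
]

# Constructed per-area tolerances on summed severity.
TOLERANCES = {"passwords": 20, "patching": 15, "network": 10, "backups": 5}


if __name__ == "__main__":
    print("Priority order:")
    for r in prioritize(SAMPLE_RISKS):
        print(f"  [{classify(r):13}] sev={r.severity():2} effort={r.effort} {r.name}")
    print("Area scores:", area_scores(SAMPLE_RISKS))
    print("Tolerance breaches:", tolerance_breaches(SAMPLE_RISKS, TOLERANCES))
    before = aggregate_score(SAMPLE_RISKS)
    SAMPLE_RISKS[0].is_open = False  # the weekly meeting closed the top item
    after = aggregate_score(SAMPLE_RISKS)
    print(f"Aggregate score {before} -> {after} (trend {trend(before, after):+d})")
```

Running it shows the two key risks at the top, both the passwords and patching areas over tolerance, and the aggregate score falling once the top item is closed; the week-over-week trend is the metric the article says leadership should watch rather than a single static number.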
What to do next?
Know that metrics are living and dynamic. What was reported last week is probably an inaccurate depiction of what your security looks like this week.
Your ongoing task is to continually track your weaknesses and adjust your security posture accordingly. The metrics you produce should guide you and allow you to intelligently course correct, rather than making decisions haphazardly and throwing money at this expensive cybersecurity problem. Gap analysis can serve you well as a driver of how to improve your security program and can help your IT team seize opportunities to make you and your security stance even safer.