What Indicators Can I Reference to Gauge My Organization's Security Posture?

by Christopher Gerg, CISO and Vice President of Cyber Risk Management at Gillware

Understanding an organization's security posture gives you a clear, current picture of your organization's cybersecurity capabilities. Any information security program is evaluated on how well it protects the integrity, availability, and confidentiality of the data within a designated secured environment. Several indicators can help to gauge where your organization sits within the risk management structure, which in turn helps to identify your organization's security posture and the security challenges the business must confront.

Many cybersecurity information risk management programs suggest that businesses adopt information security (InfoSec) standards and treat cybersecurity as a key driver of business decision making. The scope of InfoSec is wide-ranging, but the aim is to continuously improve your organization's information security, year after year.

What exactly should you look for? What are the indicators that will help describe your organization’s security posture? The following information will help you determine what your new approach to cyber risk management should be.

Is there a set budget for infosec?

Understanding whether a budget has been allocated for information security helps to identify whether an organization is serious about cybersecurity. In-house cybersecurity can be incredibly expensive; hiring highly skilled, ethical security personnel is not easy. SecOps engineers are highly sought after, and their salary expectations are usually very high. The purchase of software licenses and security hardware appliances is another considerable cost to consider.

Many organizations realize that these OpEx costs can be high, and so choose to outsource to a reputable cybersecurity service provider who can call upon teams of SecOps architects, engineers, and consultants as needed to install, manage, and maintain any purchased security infrastructure service.

Companies need a pragmatic approach for monitoring and assessing their cybersecurity landscape, and a security program that delivers a return on the security investment (ROSI). Security expenditure needs to be justified by successfully completing external audits that validate security processes are in place, such as:

  • Conducting external vulnerability scans
  • Planning for disaster recovery & incident response tests
  • Conducting phishing and social engineering tests
  • Conducting external penetration testing

Without a realistic security budget, there is a significant risk that an organization will fall short on these activities. This can lead to significant gaps and weaknesses in your organization's cybersecurity policy.

The frequency and sophistication of employee training

Cybersecurity training should be made available to all employees. This is a key area to look at, as training is absolutely essential. Cybersecurity is a highly technical field in which relevant, important security information needs to filter down to every single employee. Security training strengthens employees' knowledge and understanding of cybersecurity risk management, putting each employee in the best position to uphold your organization's cybersecurity policy.

Collaborating with a skilled cybersecurity vendor will ensure training compliance and improve team understanding of the latest risks and trends in cybersecurity, as well as knowing what the best practices are to reduce the risk.

In many industries, such as the financial sector, cybersecurity training is mandatory and enforced by the regulator. There are huge benefits to having teams who are aware of the latest cybersecurity trends and able to spot phishing, scam phone calls, and malware and virus attachments.

Technical red flags

You may be surprised by the number of issues discovered at organizations that are missing even the most basic technical safeguards protecting the integrity, availability, and confidentiality of data. Reviewing the results of your malware scans is not enough; businesses need to be proactive in meeting the basic security requirements:

  • Secure Networking – The network is the first line of defense in cybersecurity. Strong network authentication, encryption, restricting public internet traffic, and blocking common ports on the firewall are the first steps to improving security. Furthermore, network analysis and scanning using intrusion prevention systems, content filters, and email scanning tools, together with isolation of network assets, should all be in place.
  • Asset Management – It is important to identify every piece of equipment owned by the business. An asset list catalogs servers, laptops, tablets, and any other infrastructure device. Good asset management reduces waste and capital expenditure and, above all, acts as a baseline for the support teams, who will know what equipment exists and where it is located.
  • Patch Management – A regular patching schedule is the first step to securing software and operating systems. Vendors publish security patches that close exposure to the latest software vulnerabilities and exploits.
  • Passwords – Securing a network using unique and complex passwords that are enforced company-wide provides an immediate level of protection. Taking this further, testing user accounts and system accounts for weaknesses with penetration testing tools such as Nessus or BackTrack proactively finds weak credentials and non-compliance. Processes can then be drawn up to harden password policies, or training can be offered to the worst offenders.

There are many further technical safeguards that can be implemented, but these basic first steps will help to prevent misconfigurations and backdoors into your environment. Credible cybersecurity providers recommend that an annual internal audit and roadmap check-up be performed. This process reviews existing technical safeguards, identifies weaknesses, and then makes recommendations based on industry best practice, together with a roadmap for the best way to implement the changes.

Technical risk assessments should be revisited annually to verify that expected controls and new technical safeguards are in place and functioning as designed. The upcoming year should also be planned on a remediation roadmap that continues the security improvement initiative, creating an evolving security design that is constantly enhanced.

Improving an organization's security posture requires a continuous improvement initiative and a security program to carry it. Outsourcing this responsibility to an external provider shifts the burden and the security concerns to an expert team who can evaluate your organization objectively and design a program that is unique to it. Look for trusted advisors who will check in on your progress regularly, and for a technical team that can ensure you have the technical capabilities to adopt an InfoSec strategy.