Cybersecurity Risk and Posture Assessment
CIS Assessment and Cybersecurity Strategy
Long View’s Cybersecurity Risk and Posture Assessment helps identify and analyze potential risks to an organization's information and information systems, leveraging frameworks such as CIS and NIST CSF. The assessment evaluates an organization's readiness to protect itself against cyber threats by reviewing its security controls, policies, and procedures. Included with the assessment is a focused and prioritized 3-4 year roadmap to address the findings of the assessment.
Benefits of a cybersecurity strategy:
- Improved protection of sensitive data and systems: A cybersecurity strategy helps to identify and mitigate potential vulnerabilities in your organization's networks, systems, and data, which can help prevent cyber-attacks and protect sensitive information.
- Enhanced compliance with relevant regulations: Depending on the nature of your organization, you may be required to comply with certain regulations or industry standards related to cybersecurity. Having a cybersecurity strategy in place can help you meet these requirements.
- Increased customer trust: Customers are increasingly concerned about the security of their personal data and having a robust cybersecurity strategy can help to build trust and establish your organization as a responsible steward of sensitive information.
- Reduced financial and reputational risks: Cybersecurity breaches can result in significant financial losses, as well as damage to an organization's reputation. Having a cybersecurity strategy in place can help to minimize these risks.
- Improved organizational resilience: A strong cybersecurity strategy can help your organization to recover more quickly from a cyber-attack or other security incident, reducing the overall impact on your operations.
What to expect from the strategy
Long View’s approach to writing a cybersecurity strategy is to ensure that the solution is right-sized for your organization. All organizations have different requirements, so one solution does not work for everyone; however, what we have seen is that strategies that are hundreds of pages long typically go unread and unresolved. Core to our approach are the following principles:
- Incorporate established industry assessment frameworks as inputs to ensure that guidance and recommendations are based on systematic methodology and quantifiable data, rather than subjective feelings.
- Prioritize the implementation of basic security measures before proposing more advanced enterprise solutions.
- While it is not feasible to eliminate risk, it is important to prioritize the protection of critical assets, both in the short term and in the long term.
- The cybersecurity strategy should be developed with the needs and concerns of multiple stakeholders in mind, including business leadership, IT leadership, and the team responsible for implementing the strategy.
- The cybersecurity strategy serves as the foundation for a successful cybersecurity program and must be aligned with the goals and objectives of the business.
The written strategy typically comprises 30 to 40 pages and has the following elements:
- Executive Summary of two to three pages, giving your business leaders the budget requirements and timeline to move forward, five key findings, and five calls to action expected from them.
- Assessment Methodology, in ten pages or less, that discusses the frameworks leveraged.
- Observations and Recommendations, in ten pages, broken down into three themes based on the findings so they can be discussed at all levels of the business. Recommendations reference findings in the Appendix.
- Roadmap based on approximately ten initiatives/projects aligned with the three themes identified in the observations, with high-level budgetary estimates and hours of effort to implement. Two additional simulated assessments are carried out to provide insight into where your organization may stand part-way through and after completing the initiatives within the roadmap.
- Evidence is provided in the clickable Appendix for each framework assessed, for when your organization or team wants to dive into the details.
What to expect from the workshops
Core to the assessment process are business and technical workshops. These workshops should not be considered an audit, and instead are intended to be collaborative and educational. These workshops are used to gain insight into upcoming projects, pain points, and educate the teams regarding security technologies and concepts.
The business workshops typically take 3 hours, spread out over 3 sessions so that they can be interwoven with the technical workshops and information from one workshop informs the other. Goals of the business workshops are to understand the alignment of business goals and IT goals, the effectiveness of processes and procedures, risk management, organizational structure, staffing, and budget, and to brainstorm regarding the roadmap. Stakeholders typically involved in these workshops may include IT Directors, CIOs, CISOs, and CFOs.
The technical workshops work through the safeguards that may or may not be in place that make up the 18 CIS Controls. These workshops provide context to the security consultant performing the assessment, helping them understand the gaps within both business and technical processes and the vulnerabilities that exist within the organization. These are interactive workshops that typically take up to 8 hours spread out over several days. Typically, these workshops involve staff from security and infrastructure teams, both technical and management resources, as it is important to understand how IT and security teams interact with the business.
After the workshops and strategy are created
Cybersecurity is an ongoing process! After the strategy has been created, the project includes up to four (4) 90-minute meetings to review and present findings to stakeholders within your organization. Typically, the first presentation is given to the team involved in the project and gives them an opportunity to review it and provide feedback on any corrections or revisions. The following meetings are up to you and your organization to determine what would help you move forward with the strategy. Examples of meetings include:
- Q&A regarding concepts or findings within the strategy.
- Walkthrough of the strategy with stakeholders.
- Presentation to Executive team or other stakeholder groups.
- Focused brainstorming and planning of next steps with a Long View Architect and Account Manager.