
Cybersecurity Fundamentals – Assessing your Cybersecurity Posture

What does your cybersecurity “posture” look like, and how do you figure that out? 

Figuring out your present cybersecurity posture and how that might affect your business is an essential part of the work needed to plan for any necessary updates or improvements. A good posture tends to mean that your organization can work on maintaining current standards and possibly improving your security over the next period. It also assures upper management and shareholders that you attend to your duties as required.

But what do you assess, and how do you evaluate it? Those are excellent questions, indeed!

Your assessment, naturally enough, should start from the beginning. What exactly are you securing?

Starting your assessment

Before you can assess something, giving it value or quantifying it in some form, you must know what you are evaluating. Are you assessing a home? A business? A student’s learning in your course? Maybe you are looking at a new car and need to know whether it is worth the price being asked. So, you look at the entire body of the object or item to be assessed and ask yourself: “What should I be seeing, and what is its value?”

Cybersecurity is no different. You need to know the entirety, in general terms, of what you should be looking at and its value to the organization.

Cybersecurity is about data, the systems that process and store it, and the people who work with it. Those are the broad-stroke things your assessment will cover. 

A little bit of what you are looking for with each part of this assessment is:

  • Data
    • Where is it coming from, going, and stored?
    • How does it move from one point to another within your network or systems?
    • How is it being used within your organization? 
    • What regulatory or legal requirements are there related to the data you use?
  • Processing
    • How is your data processed? Is it processed by personnel inside or outside your organization? 
    • Are the systems you use to process your data able to do so efficiently and safely?
    • Is the data stored safely when it isn’t in use? Is it easily accessible to your employees but less so to those who aren’t authorized to access it?
    • Do you control how your systems are used when they aren’t being used for work purposes (Acceptable Use Policies)?
  • People
    • Are your people trained in their specific duties and capable of performing them in a way that doesn’t cause data corruption or loss?
    • Do your staff members and management personnel receive regular training in best cybersecurity practices and awareness training about threats to cybersecurity?
    • Do you randomly check and update your staff’s knowledge, skill, and willingness to adhere to cybersecurity policies and procedures?

You can and should look at a lot more in the three areas above, but what is listed is a good starting point for your assessment. As you work through this initial discovery phase, you will find that some things will become less important to look at than others, which is also part of this process.

Next step – detailed information gathering and evaluation

Once you have discovered what needs to be assessed during your cybersecurity posture assessment, you need to find a way to evaluate each item and give it a value within the organization as it pertains to the overall posture. You will use this value to gauge whether your organization has met the needs/requirements for that item and to what extent. 

There are several ways to “score” your security measures, but a simple method is to give each item a fixed score range, such as 0-5, and then assess where it actually falls. A high score might indicate a greater risk of problems, while a low score could mean less risk. Whichever direction you choose, apply it consistently to every item so the scores can be compared with one another. Giving an accurate rendering of that risk value is very important, as it will allow you to make firm decisions about how you might improve that score down the road. 

Let’s look at an example from a small office and consider only whether its personnel are trained and up to date in cybersecurity awareness.

The office has five people working in it, and all of them are required to complete cybersecurity awareness training annually. They must pass the test at the end of the training before they are certified as complete. In this case, you could say there are five people, an annual training requirement, a successful testing requirement, and possibly even a measured group discussion once all have received their training, to reinforce it. Each of those areas could affect the overall assessment of that office’s cybersecurity training requirement.

For instance: three out of five are fully trained and certified, one is still in the course, and one hasn’t started. You could assess the overall level of training as a three out of five, as it is partially complete. This would be part of your “People” assessment category in the cybersecurity posture assessment.

You could also break it down into individuals and, with some math, create a grid that better describes the situation. Like this:

Name     Training Started   Training Complete   Test Passed   Score (1-5)
John     Yes                Yes                 No            3
Carla    No                 No                  No            1
Liza     Yes                Yes                 Yes           5
Dan      Yes                Yes                 Yes           5
Ralph    No                 No                  No            1

Final score is the sum of all scores, divided by 5:               3
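The grid above, worked through in code as an added example (not part of the original post): each person's training state is mapped onto the 1-5 scale the grid uses (5 = fully trained, as in the grid), the item score is the average, and item scores are rolled up into the Data, Processing and People categories with a threshold check for the improvement plan. The score of 2 for "started but not complete" and the Data and Processing item scores are assumed, constructed values the post does not give.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Person:
    name: str
    started: bool
    completed: bool
    passed: bool


def training_score(p: Person) -> int:
    """Map one person's awareness-training state onto the grid's 1-5 scale."""
    if p.completed and p.passed:
        return 5   # trained and certified
    if p.completed:
        return 3   # finished the course but has not passed the test
    if p.started:
        return 2   # still in the course (assumed value; the grid gives none)
    return 1       # not started


def item_score(people: list[Person]) -> float:
    """Score for one assessment item: the mean of the individual scores."""
    return round(mean(training_score(p) for p in people), 2)


def rollup(categories: dict[str, dict[str, float]]) -> dict[str, float]:
    """Average each category's item scores into one score per category."""
    return {cat: round(mean(items.values()), 2) for cat, items in categories.items()}


def needs_attention(categories: dict[str, dict[str, float]], threshold: float = 3.0):
    """(category, item) pairs scoring below the threshold, i.e. candidates for corrective action."""
    return [(cat, item) for cat, items in categories.items()
            for item, score in items.items() if score < threshold]


# Constructed sample: the five-person office from the grid.
OFFICE = [
    Person("John", True, True, False),
    Person("Carla", False, False, False),
    Person("Liza", True, True, True),
    Person("Dan", True, True, True),
    Person("Ralph", False, False, False),
]

if __name__ == "__main__":
    posture = {
        "Data": {"data inventory": 4.0, "regulatory mapping": 2.0},   # constructed scores
        "Processing": {"acceptable use policy": 3.0},                 # constructed score
        "People": {"awareness training": item_score(OFFICE)},         # 3.0, as in the grid
    }
    print(rollup(posture), needs_attention(posture))
```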

The evaluation of the data you have gathered here will be added to that in other areas to complete the overall picture of your organization’s standing.

With a bit of planning and a simple methodology, the posture assessment can be accomplished without much trouble. It can be simple to plan, gather the information, evaluate it, and display the results from the assessment while also allowing you to show an accurate rendering of your organization’s position. This eventually will lead to better planning and implementation of improvements.

How will this affect you

Each component of an assessment may take some time to gather information for and then evaluate, but the result is a document that can fuel any corrective actions needed to improve the performance of your security measures and strengthen your cybersecurity posture. This information goes in front of your upper-management group so they can see the present state and plan for the future state of your cybersecurity program. The results can be presented visually, and delivery should be timed to land before any fiscal funding decisions are made. 

A further benefit of creating a cybersecurity assessment is that you can show your entire organization the effectiveness of your efforts to keep it moving forward by securing what it values and uses most: the data that drives your ability to do your work.

What should you do

Knowing your cybersecurity posture is never a bad thing, even if it shows a need for improvement. Without that knowledge, your ability to plan effectively and grow as a business is hampered or possibly even denied. Take the time, make an effort, and secure the future of your work. 

Northstarr Recommendations 

Discovery and assessment are all part of cybersecurity and IT operations, and Northstarr System Solutions is ready to help you with both. Let us bring our expertise and experience to your aid.

To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!