March 23, 2021

Yes, It’s Time for a Security Gap Assessment

Written by Alex Hamerstone

For many organizations, the rapid shift to work-from-home over the past year in response to the COVID-19 pandemic meant rolling out new processes and deploying new technologies quickly, without adequate time to check them against the organization's Information Security standards.

Perhaps your company recently acquired a new line of business, and you want to make sure the integration won’t adversely impact security. Or maybe you have been seeing all the news lately on ransomware attacks and don’t know how prepared your organization is. Is there an efficient way to gain expert insights to address these scenarios and others?

Yes, it’s time for a security gap assessment.

Why Get a Security Gap Assessment?

A security gap assessment does more than point out the issues most critical to improving your information security program. An assessment by an expert third party provides an unbiased perspective: one that can validate your current direction, or offer a counterpoint, when critical decisions need to be made. A comprehensive assessment also establishes a baseline of the current state of security specific to your environment. From those findings, the assessor can provide detailed, prioritized, and actionable recommendations for reaching your desired future state so your organization can better meet its objectives.

Note: A gap assessment is not an audit. Audits are often checklist-focused, rating each control as either in place or not in place. While they may include remediation recommendations, audits often lack an in-depth discussion of, or a roadmap for, improving maturity in the context of the business. A well-executed security gap assessment is a collaborative exercise with your organization's security stakeholders to increase understanding, determine strengths and areas for improvement, and chart a course that matches the needs of the business. That said, a security gap assessment can help an organization prepare for an audit by proactively highlighting gaps and areas of lower maturity before the auditor does.

What is Involved in a Security Gap Assessment?

An assessment begins with a discussion of the business and its critical priorities to ensure that the assessment focuses on the appropriate context, i.e., what's really important to you. The assessor will then ask questions about the key business processes that directly concern or can impact security, such as governance, data management, configuration management, access control, and supplier management. By discussing each of these control areas in depth, rather than simply checking whether a document exists, the assessor can determine how well the organization has actually addressed it. The assessment concludes with the delivery of a report that details findings and provides prioritized recommendations for improvement.

Within an assessment, a straightforward five-level maturity model can be applied to each control, e.g., 1) ad hoc, 2) repeatable, 3) defined, 4) risk-managed, or 5) optimized for the business. For example, if security awareness training is well documented and provided to all employees annually and whenever a significant change occurs, that control may be rated at level 3. If the business has taken the extra step of developing role-based training for privileged users, tailored to each employee's level of access and system rights, that control may be rated at level 4, because the training is now driven by the risk each role presents rather than by a single uniform requirement.

Some frameworks, such as the Cybersecurity Maturity Model Certification (CMMC), require a more rigorous approach to capability maturity modeling, with strictly defined maturity levels incorporating detailed practice and process requirements.

A security gap assessment can also be performed against specific security standards such as the NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001, and many more. Organizations that structure their security programs around recognized standards benefit from the work of the many companies, teams, and individuals who have refined and codified a collection of best practices into a broad set of security controls against which progress can be evaluated, measured, and tracked. Because these frameworks are well known across the industry, assessment results expressed in their terms are also easier to communicate to customers, partners, and auditors.

In the case of ISO/IEC 27001 and some other compliance frameworks, an organization can also pursue formal certification, which may be desirable depending on business priorities. (Not every framework offers this: NIST CSF, for example, is a framework to align with, not a standard one is certified against.) Holding a certification can reduce the time spent answering client reviews of your Information Security program, since it demonstrates to customers that the organization takes securing critical assets, personal data, and intellectual property seriously. Keep in mind that certification attests that the management system was audited against the standard at a point in time; it does not by itself prove that every control is effective, which is one reason a gap assessment remains useful even after certification. Many companies also advertise certifications to win additional business and reach a broader target market.

What Are the Benefits of Security Gap Assessments?

  • Inform staff, management, or the board of the current state of security in the organization
  • Identify security issues and help plan for effective remediation
  • Prioritize security spending and deploy people and assets more effectively
  • Document progress in security maturity and track trends in improvement over time
  • Aid due diligence in mergers and acquisitions
  • Provide assurance to customers that security is a key priority
  • Determine how well sensitive data is protected in the environment

Over the past year, many companies have been forced to find quick solutions to urgent security issues. Regardless of how your company has weathered COVID-19, working with an expert third party on a security gap assessment can provide the big-picture view needed to move forward with confidence. Wherever your organization is in its security journey, the more visibility and situational awareness you have, the better the decisions you can make for your business.