Security assessment: the basis of a balanced security policy

Published on 24/09/2021 in Tech, tips & tricks

It is recommended to check the essential parts of your organization and analyze the security risks. How should you approach this? A security assessment is at the basis of successful IT security.

It might seem obvious that an organization knows what the most important processes are, what their core business is. But with digital transformation advancing at a rapid pace, the emphasis may shift, priorities may change and certain customer segments may become more interesting. That’s why it’s a good idea to regularly stop and think about what the essential parts of your organization and your services are. You can then map out the security risks. After all, these can also change and move along with developments that the organization is going through.

In order to properly organize IT security, it is advisable to map out the key processes, applications and information flows and to equip them with appropriate control measures. A security assessment provides insight into which security components are essential and enables you to monitor and improve the effectiveness of investments. The assessment then forms the basis of successful IT security.

Establish security priorities

Ideally, you start by establishing the primary business processes. Which processes give your organization the right to exist? Look at the products you develop and deliver, the services you offer, the customers or customer segments that generate the most value, which business applications support the primary processes and which information is indispensable.

Consider the consequences if a primary database is breached. What happens if you are offline for a day, or if you end up in the news because data has leaked? What happens if your intellectual property is stolen by criminals? What is the damage? By multiplying the probability of occurrence by the magnitude of the impact, you can rank the risks and prioritize them.

Do you need an instant view of the status of your IT security? Then do the Security Maturity Quick Scan now. By answering 12 questions, you will obtain a general picture of your IT security as well as a personal report.

Exposing vulnerabilities in IT architecture

Then it is important to make the link to the IT environment. These days, all business processes are inextricably linked to some form of IT support. With the list of business risks that was drawn up earlier, you look at the IT architecture and determine which IT components are associated with high-impact risks.

Think of (parts of) the network, business applications (CRM or ERP) or a production environment that is equipped with IoT solutions and provides sensor data. Here it is useful to place monitoring software in the network that can observe and scan the network traffic. That way, risks and vulnerabilities are exposed automatically and you collect technical evidence to support the theoretical framework.

Mapping security measures

You will now have a clear picture of the business impact that cybersecurity threats can have and these are linked to vulnerabilities in the IT environment. The next step in the assessment is to determine which security measures have already been taken to avert the danger and to decide whether these are still sufficient.

Of course, you can also work the other way around, for instance by taking a kill-or-cure approach to a database and server that have fallen into disuse. In short, you determine whether the security measures you have taken are still in line with the impact of the risks you have reassessed.

There is a good chance that you will need to fix some parts that are out of balance. The results of this assessment will provide you with a solid argument for making new investments in IT security. The results of scanning the network traffic really help with this; the location of the vulnerabilities will be there in black and white for all to see.

From IT security assessment to roadmap

All things considered, a security assessment provides a good business case. You balance investments against the risks that you eliminate. The assessment is an excellent basis for outlining the security roadmap. The roadmap will help to outline a long-term strategy. So no more hasty decisions, but a clear overview with targeted solutions.

An important part of this is a priority list. If a business process is at risk from a security breach, investigate the cost of that impact. These findings are the result of the interviews and the technical scan. You compare these threats against a list of common threats in the information security world, for instance by using the RAVIB method (Risk analysis for information security). By linking the CHANCE that an incident will occur to the IMPACT, you generate a list of RISKS.

How serious is the damage if your systems are down for a while? How much does it cost if rogue hackers get hold of certain data? How does it affect the integrity of your organization? This method makes it possible to take appropriate measures to prevent threats. These measures can be of an organizational or technical nature. If measures cover multiple threats and risks, move them up the list. You can also take into account the available budget and ambition level of your organization. In this way a suitable security roadmap is created.
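The ranking described above (chance times impact gives a risk score; measures that cover several threats move up the list; the available budget bounds what goes on the roadmap) can be made concrete with a small risk register. The following is an added example written for this page; it is not code from the article, from Telindus or from the RAVIB method. The threat names, the 1-to-5 likelihood and impact scales, the measure costs and the budget are all constructed sample values, and the greedy "most open risk removed per unit of cost" selection is an assumption chosen to illustrate the prioritization, not a prescribed method.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # CHANCE: 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # IMPACT: 1 (negligible) .. 5 (severe), constructed scale

    @property
    def risk(self) -> int:
        # RISK = CHANCE x IMPACT, as in the article
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Measure:
    name: str
    cost: int            # constructed budget units
    covers: frozenset    # names of the threats this measure mitigates


# Constructed sample register (hypothetical values, not from the article)
THREATS = [
    Threat("ransomware on ERP server", likelihood=4, impact=5),
    Threat("customer database breach", likelihood=3, impact=5),
    Threat("IoT sensor network outage", likelihood=3, impact=3),
    Threat("phishing of finance staff", likelihood=5, impact=3),
    Threat("loss of forgotten legacy server", likelihood=2, impact=2),
]

MEASURES = [
    Measure("offline backups + restore test", cost=30,
            covers=frozenset({"ransomware on ERP server"})),
    Measure("MFA + security awareness training", cost=20,
            covers=frozenset({"phishing of finance staff",
                              "customer database breach",
                              "ransomware on ERP server"})),
    Measure("network segmentation of OT/IoT", cost=40,
            covers=frozenset({"IoT sensor network outage",
                              "ransomware on ERP server"})),
    Measure("decommission legacy server", cost=5,
            covers=frozenset({"loss of forgotten legacy server"})),
]


def rank_risks(threats):
    """Return the threats ordered from highest to lowest risk score."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def prioritize_measures(measures, threats, budget):
    """Greedy roadmap selection (assumed heuristic, not the RAVIB method).

    Repeatedly pick the affordable measure that removes the most still-open
    risk per unit of cost. Because the gain is summed over every open threat a
    measure covers, measures that address several threats move up the list,
    and a measure whose threats are already covered drops to zero gain.
    Returns (chosen measures in order, residual risk left uncovered).
    """
    open_risk = {t.name: t.risk for t in threats}
    chosen, remaining = [], budget
    candidates = list(measures)

    def gain(m):
        return sum(open_risk.get(n, 0) for n in m.covers)

    while candidates:
        affordable = [m for m in candidates if m.cost <= remaining and gain(m) > 0]
        if not affordable:
            break
        best = max(affordable, key=lambda m: gain(m) / m.cost)
        chosen.append(best)
        remaining -= best.cost
        for n in best.covers:
            open_risk[n] = 0
        candidates.remove(best)

    return chosen, sum(open_risk.values())


if __name__ == "__main__":
    for t in rank_risks(THREATS):
        print(f"{t.risk:3d}  {t.name}")
    roadmap, residual = prioritize_measures(MEASURES, THREATS, budget=60)
    print("roadmap:", [m.name for m in roadmap], "residual risk:", residual)
```

With the constructed values and a budget of 60, the awareness/MFA measure is chosen first because it covers three open threats at once, the cheap decommissioning comes second, and the segmentation project no longer fits the remaining budget, leaving the IoT outage as residual risk that the next planning round has to argue for.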

A security roadmap provides guidance

With the roadmap in hand, you can get started on a healthy IT security strategy. The vulnerabilities of the organization have been clearly mapped out, which makes the plan manageable. This not only helps the IT team but also raises awareness among employees and policymakers. With the roadmap you have clear guidelines for your employees and you can draw up a watertight security policy. If a security breach could cost your organization a lot of money, then you have good arguments to free up budget for a solution. A win-win situation for every layer of the organization.

Do you have questions about your organization’s security? Talk to one of our experts.

Telindus Netherlands is a Proximus Accelerator specializing in building and managing IT platforms. Telindus supports the realization of organizational goals through effective deployment of services in Cloud, Data & AI, Networking and Security. An IT platform is a secure, innovative and reliable organizational foundation that quickly can respond to the continuous pressure from within the organization and from the market.
