One of the tasks for top management is establishing a cybersecurity strategy. So far, so familiar. But how does management obtain the information it needs for this, namely which vulnerabilities exist and therefore have to be closed? What needs to go into a reliable current state analysis, and how can it be carried out in practice and at acceptable cost?
Before an organisation develops a security strategy, it should first answer the question "where are we on this now?" Analysing the current situation is necessary in order to determine effective steps and measures. Company management needs to face up, with open eyes, to the risks to its own business, and to decide how much residual risk it is prepared to accept, because complete security does not exist. Given the scope involved, the handling of cyber-risks needs to be directed by top management, not delegated to the IT department alone.
If the analysis of critical data inventories (needed, amongst other things, to satisfy European requirements under the GDPR) identifies, for instance, that particularly sensitive personal data is stored on web servers, the focus then needs to switch immediately to the protection measures currently applied to those servers. If the current state analysis reveals that the web server protection is no longer up to date, the next steps are clear. Gap analysis therefore ties in closely with compliance, but in a way that goes well beyond largely ineffectual box-ticking on checklists, and so has real value in improving data protection.
But how does company management get hold of information about the vulnerabilities that may exist; how does it structure the gap analysis? It certainly cannot be achieved using point measures alone. Penetration tests, for example, are valuable for evaluating the security level of an individual application, of the network or even of the company premises, but a test is a snapshot of one scope at one point in time, and that is not enough for a comprehensive current state analysis. Instead, when evaluating the defence measures of a larger, complex organisation, a broad control framework should be used as the yardstick.
The pharma company Boehringer-Ingelheim, for instance, employed the CESG Cybersecurity Framework in its current state analysis; this framework originates from CESG, at the time the information security arm of the UK intelligence service GCHQ (its functions have since passed to the UK National Cyber Security Centre), and is now part of a programme known as "10 Steps to Cyber Security", which aims to inform CEOs and executive boards about cybersecurity. It is largely self-explanatory and does not require disproportionately large personnel resources. The Framework focuses on measures that can be used to limit and control risks. According to the Framework's creators, organisations that adopt the recommended measures can prevent around 80 per cent of currently common attacks; note that this is a claim about commodity attacks, not about targeted ones. The measures are broken down into themes such as "malware prevention", "incident management" and "mobile working".
The information collected by working through the Framework then forms the basis for a schedule listing the measures needed in each case to limit the risks, and weighting the individual steps against one another. This weighting is important, so as not to invest too much time in a complex undertaking such as redesigning the firewall architecture when a similar reduction in risk can be achieved with less effort elsewhere (for instance, by placing a web application firewall in front of a specific exposed application). Of course, the schedule needs to be continuously updated, since the company is continuously evolving. But new projects should not simply be dropped in at the top of the list, as otherwise the older, known vulnerabilities, which are exactly the ones an attacker can exploit with the least effort, are never closed. The ordering should follow risk (how easily a weakness can be exploited, what the impact would be, and what it costs to fix), not the order in which items were discovered.
After the first round of measures is completed, it is advisable to arrange an independent assessment of your own organisation's resilience and a comparison with other companies in the same sector. A recommended approach is to collaborate with an independent institution such as a university to design and carry out a benchmarking survey of this kind. After this, top management should be able to make reliable statements at any time about the organisation's resilience status.