What steps are involved in a cybersecurity risk assessment?
In the video below, Mike Smith explains his opinion on the 11 steps involved in a cybersecurity risk assessment, and the order in which they should be taken.
Want Mike’s recommendations on the best vendors your company should quote for help with your cybersecurity risk assessment? Click the button below to ask him today.
About Mike
Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards and in 2011, he was honored as one of the top 40 business people in Orange County, CA., under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on LinkedIn, Twitter or SpiceWorks.
Transcript
Your company is approximately mid-sized, you have around 100 to 5,000 employees, and you’re looking at doing a cybersecurity risk assessment.
And you’re wondering, “Hey, what are the steps to doing that?”
So I’ve gotten that question quite a bit, and I wanted to make a video of, in my opinion, the steps your company should go through or the steps that are involved in a cybersecurity risk assessment.
Shortcut
But before I get started, just a quick reminder, if you’d like my recommendations on companies that can do a cybersecurity risk assessment for your company based on your company’s specific needs, which companies you should look at and quote, reach out and contact me via email or phone (714.593.0011). I’m a broker for all the major cybersecurity risk assessment vendors that you can use, and based on your company’s needs, I can quickly tell you which small handful of companies that you should be quoting. More on that at the end of the video. But in the meantime, back to the different steps.
So in my opinion, there’s really 11 steps to go through. I know that sounds like a lot, but I’m breaking them down pretty detailed here. So bear with me.
Ask why
The first step is to understand why. Ask yourself why. “Why are we looking at a cybersecurity risk assessment?”
I know that sounds like a little bit of a silly question, but it’s actually not because some people will come in and they’ll say, “Hey, we’re looking at a risk assessment because our insurance says that we have to have that.” Or they’ll say, “We want to sign up a new customer and one of those customers’ requirements is that any vendor they deal with has to do this on a regular basis.” And then other companies come to me and they say, “Hey, we want a cybersecurity risk assessment because we’re just honestly starting to become more and more concerned about our company’s cybersecurity.”
So, depending on the reason why is going to depend on how seriously you take some of the other steps. So that’s the very first step is determine the why.
Framework
The second step is try to identify what framework, what security framework that you need to follow, or maybe it’s multiple frameworks.
For instance, do you need to follow HIPAA? Do you need to be PCI compliant? Do you need to follow CIS or any other type of security framework? Maybe your insurance is dictating a certain type of framework that you follow. So know that upfront or at least have some ideas.
If you don’t have to follow a specific framework, do you have any in mind, like NIST, that you’d like to follow? So just think about that and know that upfront, so that you can tell a vendor that upfront as you go to approach them for a quote.
Talk to an Expert
The third step in a cybersecurity risk assessment is after you’ve determined the why and after you’ve determined a framework, at that point, speak to an expert. Try to figure out, okay, what other frameworks are out there?
What do they think based on our industry that we should be following? What other things that we should be doing? At that point, it’s good to engage an expert. Once you know the why and you know what framework, talking to an expert is really the next step.
Determine your risk tolerance
And the reason why it’s important to talk to an expert especially is to start determining your level of risk tolerance. What is your company’s level of risk tolerance?
So as you’re talking to the expert, you’re talking to them about the framework you want. You’re talking about your network and how you have it set up and your servers and your whole layout of your company’s setup. Talk to an expert about, “Hey, what should we really be worried about? What are the biggest things that we should be concerned about? And what things aren’t that big of a deal, depending on what framework that we’re trying to follow?”
And that will help you determine, “Okay. What are the things that we should be focusing on? And what things can we might be able to tolerate an incident within?” Whether it’s the endpoints, or whether it’s your network, or whether it’s your servers or cloud environment, things like that. So determine what your risk level is. That is number four.
Create a posture
Number five is to decide on a posture. So this is your security strategy. Posture is a fancy word to say, “What is our overall strategy?” So you’ve determined your why, you know what frameworks you’re following, you’ve talked to an expert, you know where your priorities are in terms of what your risk tolerance is. And at that point, you create a security strategy or a posture.
Vulnerability Scan
The sixth step, in my opinion, is to run a vulnerability scan. And what a vulnerability scan is, in my definition, is a scan that you’re using software to fairly relatively inexpensively scan all of your environment for security risks.
Acquire Tools
And based on that, number seven in my book is acquire the right tools or experts to address those gaps based on the framework you want to follow, based on your risk tolerance. So what the vulnerability scan will show you is, “Hey, what do we need to address?” And then from there, keep talking to those experts about what tools can address those.
Policies & Procedures
Number eight is going and developing policies and procedures based around the tools that you’re using and your vulnerabilities and what the experts say and the framework and things like that. So develop policies and procedures written down that your company can follow.
Training
Number nine is train. Train your folks to follow the policies and procedures. That might include going out and purchasing cybersecurity awareness training. Or that might just be training internally. Or that might be including things like simulated phishing attacks on employees’ emails, things like that. But train, train, train based on your policies and procedures.
Hire a Penetration Testing Service
The 10th item, in my opinion, is something that some companies will try to do as the very first thing. But in my opinion, the 10th item is running a penetration test. In my opinion, you don’t want to run a penetration test to really test your environment until you’ve done your best to set it up properly. Because in the beginning, you’re going to run a pen test and get all kinds of information back, and you’re not going to know what to fix.
But if you’ve already gone through all these steps, then you run a penetration test, and you know where you really want to run the penetration test. A penetration test… a true penetration test, in my opinion, is when you’re hiring a company to come in with certified ethical hackers to try to break into your company at your most vulnerable areas. So it’s not cheap to run a pen test.
So if you’re running a pen test, you don’t want to be having certified ethical hackers try to break into a certain server that you don’t really care about. So you want them trying to break into the high-end servers, the things that you’re really concerned about. So you want to run a pen test that’s focused on exactly what you need, not in general covering everything because you can run a pen test on everything from web servers to internal servers, to cloud servers, to email, to social engineering finding people’s information on the dark web, you can do physical security. So all those different types of things can go underneath the pen test. Well, you don’t want to do all that until you really have narrowed down what your needs are. So that’s why, to me, it’s one of the last things you do.
Adjust and Start Over
And based on the pen test, number 11 is to then go back, take the findings of the pen test, fix the problems, and start the whole process over.
So that’s the 11 steps, in my opinion, is you first start by organizing everything you need and what your stance is, what your posture is. And then go through fixing it, acquiring the tools, hiring the experts. And then the very last thing is doing the pen test, and then adjusting from there. So in my mind, those are the 11 steps that you go through in order to do a true cybersecurity risk assessment for your company.
Now, if you’ve done those or you want some help with doing some of that stuff and you want to know which companies should we go to, to hire an expert, to help us with these things.
Need some recommendations?
Don’t just start Googling out there. You’re going to find all kinds of information. You’re probably going to end up with the wrong vendors. Just shoot me an email, give me a call 714.593.0011).
I work with all the major vendors who do cybersecurity risk assessments. I can definitely help you find the right ones quickly. I’ve been doing this for 18 years. So I know all the players in the market and I know which companies your company should be using. And I know that as a mid-sized company, your IT staff is probably pretty thin and you don’t have a lot of time to research the stuff or deal with the problems of finding a bad company doing it for you. You don’t have a lot of time to make a lot of mistakes. So reach out, call me. I’m happy to help.
And as always, if you like the video, don’t forget to subscribe to our channel, so we can get rid of all the commercials on it, and like the video. And I’ll catch you on the next one.
Want Mike’s recommendations on the best vendors to quote, to help you with a cybersecurity risk assessment for your organization? Click the button below and ask him today.
Related Content
Network Infrastructure Management | Cybersecurity Risk Assessment Template
What is the best template to use for a cybersecurity risk assessment, for Network Infrastructure […]
Cybersecurity Risk Assessment Template: Data Recovery
What is the best template to use for a cybersecurity risk assessment, for Data Recovery?
In this video, […]
Cybersecurity Risk Assessment Template: Malware Defenses
What is the best template to use for a cybersecurity risk assessment, for Malware Defense?
In this […]
Cybersecurity Risk Assessment Template: Email and Browser Protection
What is the best template to use for a Cybersecurity risk assessment, for email and browser […]
Cybersecurity Risk Assessment Template: Audit Logs
What is the best template to use for a cybersecurity risk assessment, for Audit Logs?
In this video, I […]
Cybersecurity Risk Assessment Common Findings: Continuous Vulnerability Management
What are the most common findings of a cybersecurity risk assessment, within the CIS Framework, Control 7: […]