Cybersecurity Risk Assessment Common Findings: Continuous Vulnerability Management

March 17, 2023 Minh Le

What are the most common findings of a cybersecurity risk assessment within the CIS Framework, Control 7: Continuous Vulnerability Management?

In this video, I explain the three most common findings within this control: 1. Continuous monitoring; 2. Automated analysis; and 3. Predetermined high-risk items.

Want my recommendations on the best vendors to quote for a formal cybersecurity risk assessment for your company? Click the button below and ask me today.

About Me

Mike Smith has been helping companies select the best telecom, WAN, security, and cloud services since 1999. He founded AeroCom in 2003, and has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in tech-heavy Orange County, CA. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

So just to give you a brief overview, I don’t know if you remember, but I’ve done a series on this, and it’s all based on this question: if you were to hire a company to come in and do a cybersecurity risk assessment for your company, what are the most common findings that those risk assessment folks find within organizations? And I broke it up by the CIS controls, because there are a lot fewer controls in that framework.

So I’m using that as my framework to walk you through. I went and spoke to a cybersecurity engineer for one of the service providers that does risk assessments, and he told me what their most common findings are for each control of the CIS framework. So that’s what I’m going to talk about today: control number seven. What do they find most often in companies when they go to do a risk assessment?

Which Cybersecurity Risk Assessment vendors should you quote?

Before I get too deep into it, a quick plug: if you’d like my recommendation on the best risk assessment companies to come and give your company a formal risk assessment, just reach out and contact me by email or by phone (714.593.0011). I’m happy to help. More information on that at the end of the video. Also, don’t forget to hit the Like button and subscribe to the channel. I’d really appreciate it.

Monitoring but not analyzing

Okay, so what are the most common findings with CIS Control number seven, Continuous Vulnerability Management? Obviously, if you’re not continuously monitoring things, that’s a big deal, right? So I asked this engineer, who goes in all the time and assesses companies and gives them a formal assessment, what the most common findings with this control are, and what he said to me was that the thing they find most often is that companies are actually continuously monitoring, which is great, but they’re not continuously analyzing anything. So what he said is, you know, you don’t have to continuously analyze, but you have to continuously monitor. Sometimes companies get overwhelmed because they’re like, well, we’re not analyzing it, and then they just push it off and never analyze it. But you want to analyze it periodically.

Automate analysis & Predetermine high risk items

Okay. And then there are also things you can do to automate the analysis of what they’re finding. So for instance, you can automate the detection of new things that are being found. Compared with the snapshot that you took on that analysis maybe a month ago, what is being found that’s new? What are the differences? You want to capture those. You can capture those automatically, and then once you capture those differences, you can actually rate those differences in terms of risk. So if you find a difference between 30 days ago and today in terms of the continuous monitoring, that’s great. But if the difference is so slight and it’s really low risk, it’s obviously not going to go to the top of the list of things to do. But if it’s something that’s within what you call a high-risk area, then that’s something that you need to work on right away.

Cybersecurity Risk Assessment Common Findings: CIS Framework: #7 – Continuous Vulnerability Management

3 Most common findings

So those are the three things. Make sure you’re monitoring continuously, analyze occasionally, and set it up to automatically analyze occasionally so that it’s just pulling out the differences it’s finding from time to time. And then set up ahead of time some risk ratings for different categories of risk so that, when a difference pops up in the analysis from 30 days ago, you’ll know right away: is that something that we’ve considered a high risk for your company or a low risk for your company? That will tell you the priority: is it something that’s going to be handled right away, or something that’s going to go on the to-do list to be done sometime in the next month? All right. So I hope that helped a little bit and gave you some insight into some things you might want to clean up before you get a formal assessment, because those are just some easy things you can do. You don’t want to pay for someone to come in and give you a formal assessment and have them just knock away at some easy things that you could have handled even before they got there.
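The two automatable pieces described above (diffing the current scan against last month’s snapshot, then rating each new difference against risk categories agreed in advance) are easy to show in code. The following is an added example written for this page, not code from the video or from AeroCom. The hosts, check IDs, categories, CVSS values and the high-risk policy (certain categories always go to the top; otherwise internet-facing plus CVSS 7.0 or higher) are all constructed or assumed to make the triage concrete.

```python
"""Diff two vulnerability-scan snapshots and triage the new findings against
predetermined high-risk categories. All sample data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str        # scanner's identifier for the check (constructed values)
    title: str
    category: str        # e.g. "rce", "credentials", "config", "info"
    cvss: float
    internet_facing: bool


# Predetermined high-risk policy, agreed ahead of time (assumed for this example).
HIGH_RISK_CATEGORIES = {"rce", "auth-bypass", "credentials"}
HIGH_RISK_CVSS = 7.0
MEDIUM_CVSS = 4.0
PRIORITY_ORDER = {"immediate": 0, "next-30-days": 1, "backlog": 2}


def finding_key(f: Finding):
    """A finding is the same finding if the same check fires on the same host."""
    return (f.host, f.check_id)


def diff_snapshots(previous, current):
    """Return (new, resolved): findings present only now, and only last time."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    resolved = [prev[k] for k in prev.keys() - curr.keys()]
    return new, resolved


def rate(f: Finding) -> str:
    """Map a finding onto the predetermined risk buckets."""
    if f.category in HIGH_RISK_CATEGORIES:
        return "immediate"
    if f.internet_facing and f.cvss >= HIGH_RISK_CVSS:
        return "immediate"
    if f.cvss >= MEDIUM_CVSS:
        return "next-30-days"
    return "backlog"


def triage(previous, current):
    """Diff the snapshots and return the new findings ranked by priority,
    plus the findings that have been resolved since the previous snapshot."""
    new, resolved = diff_snapshots(previous, current)
    ranked = sorted(((rate(f), f) for f in new),
                    key=lambda pair: (PRIORITY_ORDER[pair[0]], -pair[1].cvss))
    return ranked, resolved


# Constructed snapshots: what the scanner reported ~30 days ago and today.
LAST_MONTH = [
    Finding("web-01", "CHK-1001", "TLS 1.0 enabled", "crypto", 5.3, True),
    Finding("db-01", "CHK-2002", "Default SA password", "credentials", 9.8, False),
]
TODAY = [
    Finding("web-01", "CHK-1001", "TLS 1.0 enabled", "crypto", 5.3, True),   # unchanged
    Finding("web-01", "CHK-3003", "Unauthenticated RCE in web framework", "rce", 9.8, True),
    Finding("file-01", "CHK-4004", "SMB signing not required", "config", 5.3, False),
    Finding("hr-01", "CHK-5005", "HTTP server banner disclosed", "info", 2.1, False),
]   # db-01 / CHK-2002 no longer reported, so it counts as resolved


if __name__ == "__main__":
    ranked, resolved = triage(LAST_MONTH, TODAY)
    for priority, f in ranked:
        print(f"{priority:13} {f.host:8} {f.check_id} {f.title}")
    for f in resolved:
        print(f"resolved      {f.host:8} {f.check_id} {f.title}")
```

Run on a schedule, a script like this turns a pile of raw scan output into a short list of what is new and which bucket each item falls into, which is exactly the periodic analysis the engineer says companies skip. Unchanged findings are deliberately left out of the ranked list so that the same item does not reappear every month; they belong in the baseline review, not the diff.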

Conclusion

So I hope that helped a little bit. If you’d like my recommendations on the best cybersecurity vendor to quote for a formal risk assessment, reach out: send me an email or give me a call (714.593.0011). I work with all the major cybersecurity vendors, and what I’ll do is ask you a few questions that will reveal to me which niche you should be focused on and which vendors you should really be quoting. Then I’ll introduce you to those vendors and the best reps at those vendors to work with, and oversee the quoting process to make sure you get the best pricing out of your chosen vendor. And the nice thing is, you don’t have to pay me anything. The service providers pay me my broker fee, so you don’t have to pay me anything. There’s absolutely no reason not to at least reach out and get my opinion on this stuff. All right. I hope this helped. If so, don’t forget to hit the Like and Subscribe buttons; it really helps me out a lot. I really appreciate it. And I will see you on the next video.
