Cyber Security Review

Laying strong foundations to build long-lasting resilience through security improvement planning.

06 March 2023

By NCC Group

What is a Cyber Security Review (CSR)?

A house built on sand will not stand strong against the elements. In the same way, a security improvement plan will not build resilience against threats unless the organisation's current level of cyber maturity is established first. A CSR lays those foundations by providing a clear risk review of the threat landscape, assets and vulnerabilities, measured against widely recognised good practice and frameworks such as the NIST Cybersecurity Framework and the CIS Critical Security Controls (CIS 18). With a clear understanding of where you are, an effective roadmap of improvements can be created to get you where you want to be.

Why does my organisation need a Cyber Security Review?

A CSR is an essential step for any organisation attempting to improve its security posture, from a small startup looking to build security in from the outset to a large business wanting to achieve 'best of breed' status. For all types of organisation, the CSR gives a strong indication of the 'as-is' cyber security position.

Carrying out a CSR also prevents organisations from falling into two common cyber security pitfalls:

Poor investments

A CSR is a strategic investment. It ensures that further spending on security goes to the right places, making budgeting more effective and demonstrating return on investment. Organisations that invest without a review risk making poor decisions about which security products, services and solutions they actually need.

False sense of security maturity

How do you know where you are going without understanding where you currently are? Without establishing your vulnerabilities and which threat actors are likely to target your organisation, it is difficult to gauge the level and scale of the cyber risks you face. Establishing both ensures you are equipped to implement the right controls and put the right processes and procedures in place to build resilience.

How does a Cyber Security Review identify areas for improvement?

At NCC Group, our cyber security consultants approach a CSR in seven steps:

The NCC Group 7-step approach to a CSR

Step 1 - Engagement management

Identifying the key stakeholders at the start is important in order to agree the scope of the assessment and set timescales for the deliverables. If key stakeholders are not included in the CSR, key pieces of information can be missed.

Step 2 – Business context setting

At this stage, cyber security consultants gain a deep understanding of the organisation, including business-as-usual operations, critical systems, business strategy, governance and compliance profile, documentation, and technologies in use. All of these contribute to understanding the attack surface, as well as the organisation's appetite for change when it comes to improvements.

Step 3 – Business impact analysis

What impact would a cyber incident have if one occurred? Understanding the consequences of an incident for critical functions and assets means the right processes and solutions can be put in place to build resilience and improve response procedures.

Step 4 - Cyber threat assessment and profiling

Knowing who is targeting your organisation is crucial in order to defend against their attacks. Through open-source intelligence and industry threat intelligence, a detailed review of the relevant threat actors, their attack vectors and their motivations can be made. NCC Group dedicates 3,400 days of threat intelligence research per year to provide insights into the current global threat landscape. Our expertise in this field means we provide the very best analysis when conducting a CSR.

Step 5 – Cyber controls maturity and industry benchmarking

Using a common and widely recognised framework such as the NIST Cybersecurity Framework provides a consistent basis for assessing the maturity of existing controls, for example an organisation's readiness to respond to a ransomware attack. Benchmarking the results against industry peers alongside this assessment gives organisations a realistic target maturity level to aim for.

Step 6 - Analysis and reporting

Once the five assessment stages have been completed, it is time to build on those findings. They are clearly summarised in a report that includes the key recommendations, the roadmap to improvement, and the remediation activities to pursue.

Step 7 – Debrief and next steps

Support from the board and other key stakeholders is essential for any security improvement plan. In this step the findings, recommendations and roadmap are presented to them, demonstrating the benefits of making the recommended fixes and improvements.

Why should I use a trusted security partner for a Cyber Security Review?

There are four benefits to working with a trusted cyber security partner for a CSR:

  1. External expertise – It may be tempting to conduct a security review in-house if you have a skilled team, but this can lead to confirmation bias. A trusted partner is impartial and brings knowledge of the frameworks and methodologies needed to conduct an accurate assessment.
  2. Efficiency – Working with an external cyber security organisation allows your own teams to continue with business-as-usual.
  3. Compliance – An external review demonstrates that steps have been taken to ensure your organisation is compliant with industry standards.
  4. Support with remediation and security improvement – Your organisation may need expert support implementing the findings from the review. A trusted partner who completed the CSR can begin making the improvements happen straight away, without disrupting business-as-usual.

A Cyber Security Review (CSR) is the best first step towards creating a cyber security roadmap.

Learn more about how a Cyber Security Review works and how it could help improve your organisation's security programme on our website, or reach out to a CSR expert.