Cybersecurity Assessments

An important first step on the path to a secure environment

Cybersecurity-related assessments range from broad and strategic to very technical and tactical. They are designed to build on one another, each producing information that makes the others more efficient and effective. These assessment tools and procedures also feed the overall security philosophy and framework by continually measuring its efficacy.
  • Risk Assessment: higher-level and strategic; 

    • identify critical assets and their value, 

    • identify risks to those assets, 

    • estimate the likelihood that a threat against those assets is realized, 

    • estimate the impact that threat would have on the assets, and 

    • identify/recommend countermeasures that reduce or eliminate the resulting risk. 

  • Security Assessment: a more technical “architectural review”; evaluates the people, processes, and technology as they relate specifically to cybersecurity.

  • Penetration Test (a.k.a. Pen Test): highly specific and technical evaluation of weaknesses in countermeasures. 

    • Often a manual process with some automated tools. 

    • Requires highly specialized skills and expertise. Expect a higher price tag.

    • A cheap/lowest-cost Pen Test only results in a false sense of security.

    • Usually done as a snapshot/single event to validate Vulnerability Management (see below). 

    • Should be repeated periodically, as discrete engagements rather than a continuous service, at an interval set by the overall framework and policies.

    • A good Pen Test should do two things: 

      • identify new vulnerabilities, and/or 

      • validate the assumptions about the current cybersecurity posture, thereby providing a feedback loop into the security program.

    • The Pen Test allows an organization to truly understand how effective its security is from a “hacker's perspective”.

  • Vulnerability Management (Vulnerability Assessment, Vulnerability Scanning): evaluate, rank, and patch technical weaknesses on a routine basis (e.g. daily, weekly, monthly, quarterly). 

    • Usually delivered via automated tools and software by a professional provider. 

    • Considered the starting point for a Pen Test. It is NOT a Penetration Test itself (don't let any vendor tell you otherwise).

    • For any specific vulnerability, the best solutions provide context beyond the vulnerability itself (for example, whether the affected asset is exposed, whether a public exploit exists, and which compensating controls are in place) and therefore better threat scoring, reducing false positives and unnecessary panic.
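As an added example (not code from the original page or from Cloud 9 Advisers), the following Python ranks the findings of a hypothetical scan using context beyond the raw score, as the last bullet describes: asset exposure, public exploit availability, asset criticality taken from the risk assessment, and compensating controls; it also sets aside version-string matches that a vendor backport has already fixed. The Finding fields, the weights, the placeholder VULN-nnn identifiers and the sample findings are all constructed assumptions, not any product's scoring method.

```python
# Added illustrative example (not from the original page or any vendor's product):
# ranking scanner findings with context beyond the raw vulnerability score.
# The Finding fields, the weights and the sample findings are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss_base: float        # scanner-reported CVSS v3 base score, 0.0-10.0
    internet_facing: bool   # exposure: reachable from the internet?
    exploit_public: bool    # a working public exploit is known
    asset_criticality: int  # 1 = low, 2 = normal, 3 = critical (from the risk assessment)
    controls: tuple = ()    # compensating controls in place, e.g. ("mfa", "segmented")
    backport_fixed: bool = False  # version-string match, but the vendor backported the fix


# Illustrative weights: the relative ordering matters more than the exact numbers.
EXPOSURE_WEIGHT = {True: 1.25, False: 0.75}
CRITICALITY_WEIGHT = {1: 0.7, 2: 1.0, 3: 1.3}
EXPLOIT_WEIGHT = 1.3
CONTROL_DISCOUNT = 0.8   # applied once per compensating control


def contextual_score(f: Finding) -> float:
    """Priority on a 0.0-10.0 scale; 0.0 means 'probable false positive, verify then close'."""
    if f.backport_fixed:
        # The scanner matched a banner/version string, but the fix is already applied.
        return 0.0
    score = f.cvss_base
    score *= EXPOSURE_WEIGHT[f.internet_facing]
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    score *= CRITICALITY_WEIGHT[f.asset_criticality]
    score *= CONTROL_DISCOUNT ** len(f.controls)
    return round(min(score, 10.0), 1)


def triage(findings):
    """Split findings into a ranked work list and a list of probable false positives."""
    actionable, suppressed = [], []
    for f in findings:
        s = contextual_score(f)
        (actionable if s > 0.0 else suppressed).append((s, f))
    actionable.sort(key=lambda pair: pair[0], reverse=True)
    return actionable, suppressed


# Constructed sample output of a hypothetical scan, enriched with asset context.
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-001", 9.8, True, True, 3),
    Finding("db01", "VULN-002", 9.8, False, False, 3, ("segmented",)),
    Finding("web01", "VULN-003", 7.5, True, True, 3, backport_fixed=True),
    Finding("printer01", "VULN-004", 9.8, False, True, 1),
    Finding("vpn01", "VULN-005", 5.3, True, False, 2, ("mfa",)),
]


if __name__ == "__main__":
    ranked, fps = triage(SAMPLE_FINDINGS)
    print("Work list (highest priority first):")
    for score, f in ranked:
        print(f"  {score:4.1f}  {f.host:10s} {f.vuln_id}  (CVSS base {f.cvss_base})")
    print("Probable false positives to verify and close:")
    for _, f in fps:
        print(f"        {f.host:10s} {f.vuln_id}")
```

Run it directly to print the work list. The point is that two findings with the same 9.8 base score land far apart once context is applied: the segmented but crown-jewel database still ranks above the low-value internal printer that has a public exploit, and the backported fix is pulled out of the queue instead of raising an alarm.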

What is the driver behind seeking any of these assessments? 

Are you interested in how vulnerable you actually are,
or are you just trying to “check the box”?

Have you chosen a cybersecurity framework? 

If so, how do you measure its effectiveness, and how often?

For help finding the right cybersecurity companies to review your security, to receive a free consultation, and to implement a new strategy to protect all of your business assets, please contact Cloud 9 Advisers now.
