Not Another Assessment, Please!
For most of us, the specter of yet another cybersecurity risk assessment around the corner is daunting. Did we not just have a consulting firm conduct a cybersecurity assessment and provide us a 50-page report? And didn’t we in the same period have internal audit, external audit, and a regulator conduct similar activities? Didn’t we also have to do the same thing when we purchased cyber insurance?
It is fair to say that in medium and large-sized organizations, especially in the public sector, there is a plethora of assessments and audits, all of which come down to the same questionnaire process. Someone asks dozens or even hundreds of questions under different initiatives, using different frameworks and templates, involving multiple people and numerous meetings. We never seem to be able to make this a repeatable process. In the end, we are exhausted from conducting assessments, answering audit questions, and collecting evidence for compliance. To make matters worse, these initiatives often leave us with lost time and frustration, or at best with a long report and a list of incoherent recommendations to fix or implement.
The Purpose of a Cybersecurity Assessment
Conducting cybersecurity assessments is essential for an organization to understand its risk posture. The primary objectives of a cybersecurity assessment are to identify risks and to keep stakeholders informed. Consequently, boards, the executive team and senior management can make better decisions to prioritize risks and provide the necessary support and funding to mitigate them. Assessments based on industry standards may also enable benchmarking against peers in the industry.
In short, assessments are crucial to understanding cybersecurity risks and/or compliance risks, and they are the first step in the improvement process.
Prepared by Omid Hamed, CISO Division Board Member, CIO Association of Canada