The beginning of the year is a great time to review your security posture. You have many options available to you as to how you conduct security review. The most common ways that we see companies approach a review of their security program generally falls into two approaches.
The first approach is companies looking for a security program review. This is intended to be a broad look at your overall security program and the security capabilities that exist within your company. A security program review always has an assessment component to start however the security program review also looks into security capabilities and the maturity of those capabilities. A good example of a security program review exists within the NIST Cybersecurity Framework. The NIST Cybersecurity Framework measures your security program and specifically the ability of your company to:
Identify - Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect - Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect - Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The second most common way is through a security assessment measuring your company against and comparing to an established security or regulatory framework. Some examples of this would include PCI-DSS, HIPAA, or ISO 27001 to name a few. Typically, in this scenario companies are looking to comply with or conform to an established security compliance or regulatory framework. Usually companies looking to pursue this type of assessment are looking to comply with or conform to one of these standards.
While a security assessment can be used for security maturation efforts, a security assessment is generally a step toward conforming to a compliance standard and trying to grab some solid security practices on the way.
2 Questions to ask to determine if a security program review or security assessment is right for your company:
Are you, first and foremost, looking to comply with HIPAA, PCI-DSS, MARS-E 2.0 or another regulatory framework? If yes, a security assessment might be right for you. A roadmap or remediation plan would set you on the path to comply with said security framework.
Are you looking for a strategic security roadmap that measures your capabilities today and give you a path to mature your security posture in the future? If yes, then a security program review might be right for you.
If you're unsure how to answer the above questions and still need help, give us a shout!
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.