By Andrew Roberts, Chief Cybersecurity Strategist, cStor
When embarking on a journey, whether it’s to a distant land or to a more mature cybersecurity posture, you can’t plot your course until you know your starting point and your desired destination. If you’ve selected a cybersecurity framework, such as the NIST Cybersecurity Framework (NIST CSF) or the Center for Internet Security’s 20 Critical Security Controls (CIS 20 CSCs), and have chosen alignment with that framework as your destination, then you know where you want to go. How do you determine where you are starting from?
One of the most effective ways to determine your present state is to conduct a Gap Analysis of your environment. A Gap Analysis takes a thorough look at your policies, practices, and systems to determine the current state of cybersecurity in your environment. It then compares that current state to your chosen framework and highlights the differences, or gaps, where you fall short. This information will play a key role as you create your cybersecurity roadmap.
Before you start a Gap Analysis, there are 5 key points to consider that will help ensure the process will be a success.
Who should be performing the Gap Analysis?
One option is to complete the Gap Analysis internally, using your own IT and/or cybersecurity team. This option may save some money upfront but often makes the process take much longer – typically months instead of weeks. You may also find that this introspection provides results that contain zero surprises – because your team will see your environment the same way they always see it – and their long-standing blind spots may skew the results.
Outsourcing will both speed the process and ensure that you are getting an open, unbiased view of your environment. If you do outsource, select your assessor carefully and be confident they have both the skills required and the independent objectivity needed to provide an unbiased opinion.
What should the Gap Analysis cover?
When defining the scope of the analysis, seek balance. You will need to include both IT and non-IT people and resources. It’s also best to include as much of the environment as possible to ensure proper coverage while trimming out unnecessary areas and duplication to keep the project budget in check. Just be careful not to trim too much… if you do, you’ll miss out on some important information and risk creating a roadmap that isn’t as accurate as it needs to be.
When should the Gap Analysis be completed?
If you’re ready to move towards improved cybersecurity, start the Gap Analysis as soon as possible. It’s tempting to delay the start to give time to “fix a few things” or “finish this project,” but that can lead to never-ending delays. Remember, a Gap Analysis is not about labeling you as good or bad; it’s about getting a clear picture that lets you move forward. Now is better than later, always.
How will the Gap Analysis be conducted?
A quality analysis will include a combination of inquiry, observation, and verification/testing. All three are necessary to make sure you get to the core facts and avoid bias. While it may be tempting to simply run through a questionnaire, it won’t give you accurate results. This information will be critical to your cybersecurity future; avoid the ‘easy button.’
If possible, have your analysis completed by people who are very experienced in this type of work and/or with an audit background. It takes a special skillset to gather data and use it to paint a clear picture. You should also seek out professionals with the appropriate skills to accurately measure risk and present the analysis in the context of your unique environment.
What kinds of output are needed from the Gap Analysis?
If you’ve ever seen the report that often comes out of a penetration test, you know that those can be hundreds of pages long, heavy on data, and light on direction. A Gap Analysis report can often be similar unless you set clear expectations regarding deliverables. Make sure you will get solid information and will be able to digest the facts presented. The deliverables should be about quality and usability, not quantity.
A Gap Analysis, done properly, will be a tool that propels you into the future. If it is done poorly, you will be left no better off than you are today. If you choose to do it on your own, plan and execute carefully, and don’t be afraid to reach out to others for advice. If you outsource, choose a skilled partner with experience delivering quality, actionable results.