AUDIT – that five-letter word that no business leader looks forward to hearing. Today, security-related audits are a critical (and often stressful) part of doing business. Audits not only ensure you are meeting industry standards, but they serve as an important gauge of your overall security posture.
Are you prepared for a security-related audit? Or, when it comes to audit readiness, do you have a false sense of your level of preparedness (even worse, do you have a false sense of your level of security)? Audits are taxing enough; the last thing you want to worry about is whether your company has done enough to be ready.
Unfortunately, companies often make a common and potentially costly mistake while preparing for a security audit. Many company leaders are unaware of what security-related services will meet their actual needs. Specifically, business leaders often find themselves trying to determine whether they need a gap analysis or a risk assessment. The good news is this mistake is avoidable.
There is no doubt that non-compliance is a real concern, but the even bigger concern is that failing to engage in adequate and appropriate security measures leaves your company more vulnerable to attacks. According to the National Cyber Security Alliance, the stark reality is that 60% of small to medium-sized businesses shut down within 6 months of a cyberattack. Utilizing the appropriate services to test your overall security posture will help ensure you identify and eliminate existing weaknesses.
Why are so many confusing the two?
Gap analysis and risk assessment – it may seem that each service provides roughly the same information and that the two could be used interchangeably. However, these services are distinctly different, and confusing a gap analysis for a risk assessment could have severe consequences. For example, the Health and Human Services guidelines require a risk assessment for healthcare organizations to meet Health Insurance Portability and Accountability Act (HIPAA) compliance. Therefore, a gap analysis alone would not meet the required criteria (although HIPAA does require that a gap analysis be completed as part of the risk assessment).
Another time confusing the two could pose a problem is when a company is trying to become certified against ISO 27001 (the international information security standard). Having a gap analysis doesn't check the box for the risk assessment requirement.
What is a Gap Analysis?
This process measures a client's security posture against their specific industry standards to determine whether the client has reasonable and appropriate safeguards in place to protect their information. A gap analysis does not provide comprehensive insight into, or examination of, all of your security processes. It simply "spots gaps", as the name of the service indicates, while providing you with a narrow analysis of your required security safeguards/controls.
One specific example of a service that encompasses a gap analysis is a controls audit. TechGuard offers an Internal Controls Review, which provides your company with a complex and comprehensive security assessment of your IT/computing environment to specifically determine adherence to the Center for Internet Security (CIS) basic, foundational and organizational security controls. CIS controls are both administrative and technical in nature. This snapshot of your company's security posture helps determine the improvements necessary to enhance your security efforts.
What is a Risk Assessment?
A risk assessment provides a comprehensive evaluation of the client's risks and vulnerabilities to ensure compliance with regulatory controls and/or security best practices. The risks/vulnerabilities are assigned risk levels for prioritizing. This assessment includes technical and non-technical vulnerabilities and is wide in scope.
Often included are policies and procedures involving workstations, servers, applications, mobile devices, and all communications equipment. The assessment determines the likelihood and potential impact of the threats found. Comprehensive security measures such as patch management, encryption, and anti-malware solutions are also closely examined. Some of the tasks to complete the risk assessment may also include internal and/or external penetration testing, vulnerability assessment, physical security assessment, and social engineering. Services for a risk assessment may vary depending on what your organization's needs are.
How are they different?
In summary, a gap analysis looks at the security controls that have been implemented in an area of interest, while a risk assessment is a comprehensive look at the security vulnerabilities of an organization as a whole. A gap analysis is part of a risk assessment: once the vulnerabilities are discovered and ranked, the next steps include looking at what processes are in place and making adjustments when security gaps are discovered.
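To make the relationship between the two services concrete, here is an added example (not code from the original article or from TechGuard) that models a risk assessment as a register of findings ranked by likelihood and impact, and a gap analysis as a check of required controls against implemented ones; the ranked findings are then annotated with the control gaps that leave them open. All control names, findings and scores are constructed sample data, and the scoring bands are an assumption.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability discovered during the risk assessment."""
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    controls: tuple        # controls that would mitigate this finding

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # classic likelihood x impact

def risk_level(score: int) -> str:
    """Assumed banding of the 1..25 score into priority levels."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def gap_analysis(required_controls, implemented_controls):
    """Gap analysis: narrow question, which required controls are missing?"""
    return sorted(c for c in required_controls if c not in implemented_controls)

def risk_assessment(findings, required_controls, implemented_controls):
    """Risk assessment: rank findings, then tie each to the gaps behind it."""
    gaps = set(gap_analysis(required_controls, implemented_controls))
    ranked = sorted(findings, key=lambda f: f.score, reverse=True)
    return [{"finding": f.name, "score": f.score, "level": risk_level(f.score),
             "missing_controls": sorted(c for c in f.controls if c in gaps)}
            for f in ranked]

# Constructed sample data (not from the article).
REQUIRED = {"patch-management", "encryption", "anti-malware", "awareness-training"}
IMPLEMENTED = {"anti-malware", "awareness-training"}
FINDINGS = [
    Finding("Laptops without disk encryption", 3, 4, ("encryption",)),
    Finding("Unpatched internet-facing server", 4, 5, ("patch-management",)),
    Finding("Staff clicked simulated phishing link", 4, 3, ("awareness-training",)),
    Finding("Legacy printer on guest network", 2, 2, ("patch-management",)),
]

if __name__ == "__main__":
    print("Gaps:", gap_analysis(REQUIRED, IMPLEMENTED))
    for row in risk_assessment(FINDINGS, REQUIRED, IMPLEMENTED):
        print(row)
```

Note that the phishing finding still scores Medium even though its control is in place: the gap analysis alone would report nothing there, which is exactly why it cannot substitute for the risk assessment.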
How do they work together?
A risk assessment includes a gap analysis of your company's cybersecurity, and it provides the appropriate recommended next steps of action.
Which do I need?
Your company needs both services. Many regulatory bodies require a risk assessment, and a gap analysis is not comprehensive enough to meet that requirement. Companies often opt to implement a gap analysis because it is a better fit for their security budget; risk assessments are more comprehensive and therefore a more costly service. It is important to keep in mind that, beyond passing your audit, a comprehensive assessment of your overall security posture is a real value add to your company.
How do I justify the costs?
Explaining the ROI of security services for your company is really pretty simple. According to Ponemon's 2018 Report, the global average cost of a breach is $3.86 million. Prevention planning is much more economical than experiencing a breach due to a weak security posture.