ISMS Frameworks
Jul 19, 2024

Part 3 – Sonar sweep: Security assessments for safe navigation

Learn how security assessments can uncover critical vulnerabilities in your IT and protect your business from cyber threats. Discover practical strategies for effective risk mitigation.

A storm is raging. Critical systems on board suddenly fail. Had regular security checks been carried out, such a failure could most likely have been avoided. In this part of our series "Navigating the stormy waters of IT Security", we look at the importance of security assessments to systematically uncover blind spots and keep your business on course. For more insights into cybersecurity, check out part 1 on governance and part 2 on risk management.

Preparation: Securing the waters with the help of external guardians

Like a captain who enlists an experienced navigator for a major sea voyage, companies can similarly call upon internal or external security experts, according to their needs. Such help is especially beneficial for smaller teams that might lack the necessary expertise or resources. These experts, whether from within the organization or hired externally, provide an objective perspective and are well-versed in the latest threats. Their expertise is crucial in uncovering hidden vulnerabilities and ensuring that the company's cybersecurity strategies are both current and compliant.

Security assessment at different levels: A comprehensive examination

Just as a thorough inspection of every part of a ship ensures its sea-readiness, security analyses serve a similar comprehensive purpose, covering various levels:

  • Enterprise Level: These analyses encompass the entire ship, ensuring all systems and teams are ready for action.
  • Product Level: Here, the readiness and reliability of your lifeboats—your products—are examined.
  • Project Level: Each project is like a special mission or a dinghy outing, each with its own security requirements.
  • Supplier Evaluation: Suppliers are like the providers of provisions and equipment. It is essential to ensure they deliver reliable and secure products, akin to functional life jackets and fresh food.
  • Infrastructure Level: This corresponds to the hull and rigging of your ship. A robust infrastructure keeps your ship together and ensures safety at sea.

This structured approach ensures a holistic security posture, enabling the identification and fortification of potential vulnerabilities at every critical point.

Control and effectiveness: Design and operation

Assessments must cover not only planned security measures (design) but also their effectiveness in operation. Regular reviews, such as penetration tests and bug bounty programs, help verify that your cybersecurity strategies are effective under real conditions. This is comparable to the regular safety checks on a ship by the coast guard or the captain, ensuring all systems and equipment function reliably in an emergency.

The three pillars of security assessments: People, processes and technology

A comprehensive security assessment considers the three essential pillars: people, processes, and technology.

In the people category, the focus is on how well staff are prepared for cyber attacks. This includes regular training on current threats like phishing and ransomware, and assessing the effectiveness of security training.

In processes, the focus is on reviewing and optimizing security protocols. Procedures such as access rights management and incident response plans are analyzed to ensure they function efficiently in the event of a security breach.

The technology aspect includes the technical review and evaluation of security systems and devices. This encompasses the evaluation and testing of firewalls, intrusion detection systems (IDS), and advanced detection and response platforms (EDR, NDR, XDR) to identify vulnerabilities and strengthen overall security.

Supplier evaluations: Self-assessment and external audits

Evaluating suppliers is a critical component of security assessment. Suppliers can conduct self-assessments using questionnaires to confirm their compliance with contractual requirements, similar to fishermen declaring the size, origin, and freshness of their trout deliveries. These self-assessments can be supported by certificates and external reports such as penetration test reports, which not only confirm the declarations but also check compliance with security standards. Alternatively, companies can exercise contractual audit rights and employ their own experts or external firms for detailed reviews and audits. Ongoing random checks and detailed inspections ensure all requirements are met, similar to ensuring life jackets meet standards.

Regular reviews and continuous improvement

An essential component of the security analyses is the annual ISMS (Information Security Management System) audit. These audits are comparable to regular inspections of your ship, ensuring it remains seaworthy and prepared for new challenges. They review whether security measures, such as the implementation of Two-Factor Authentication (2FA) and Mobile Device Management (MDM), have been successfully deployed, and they identify new residual risks. Discovered risks require the implementation of further measures. This process of continuous improvement is comparable to the ongoing maintenance and upgrading of a ship to ensure it withstands the harsh conditions at sea.

Charting the course: Security assessments as the captain’s duty

Security assessments are an indispensable tool in every company's IT security strategy. They provide the necessary clarity and systematic approach to effectively manage cyber risks. Much like a captain who meticulously inspects his ship before setting sail, it is crucial to frequently evaluate and refine your security protocols. By exercising audit rights and engaging external experts when necessary, you ensure robust protection for your business against the unpredictable challenges of the digital landscape.

Rolf Wagner

Information Security Management enthusiast.