By Chris Cronin, ISO 27001 Auditor, Partner
Cybersecurity is no longer a concern for just internal IT. All levels of the organization today should have a keen awareness and involvement when it comes to cybersecurity. That level of engagement should start at the top within the corporate boardroom
and emanate downward to the mailroom. As management becomes cognitive of the potential damage that a single cyberattack can have upon companies today, they find themselves forced into attaining a literacy of the types of threats that could potentially jeopardize the organization at large. But that does not mean that all security analysis is appropriate for all levels of an organization.
Very often we see IT departments sending the results of vulnerability scans and penetration tests to executives or board members to communicate the current state of security. But most executives and board directors are not security experts and would not understand the significance of that kind of information. Or worse yet, would not know what decisions to make based on that information. Board directors and executive do, however, understand risk assessments. This brief article will describe the difference below.
Two commonly-implemented, important types of assessments are used to ascertain the security of an enterprise: the vulnerability scan assessment and the risk assessment. Both are important in reinforcing the security of the company, but both serve distinct functions and are performed by different people.
The Vulnerability Assessment
While the words scan and assessment can be interchangeable, the function of this activity is to detect and classify weaknesses within the enterprise that can be potentially exploited by a perpetrator, thus making the company vulnerable to an attack. Such vulnerabilities could be open ports in the perimeter firewall or local software firewall application on a server. Basically, this assessment identifies your exposure to being attacked. It could be recent security patches missing from a Linux web server or outdated firmware on the datacenter routers. Vulnerability scans are performed using a vulnerability scanner, such as Nessus. The scans can be conducted by internal IT but are often outsourced to a third-party Security Event Management (SEM) firm that specializes in vulnerability assessments. Some third-party firms provide a wider provide a wider perspective, as they have visibility on emerging ransomware attacks or issues. The collected data is then analyzed by the application itself and consolidated in a ready-made template report. The intended audience for a vulnerability scan is IT management, as the report is technically oriented and would not be appropriate for company executives or board members. The vulnerability scan report helps IT to better understand the cybersecurity risks to its platforms. The results of the scan can also be subsequently analyzed in a risk assessment, however.
The Risk Assessment
A risk assessment identifies, analyzes, and evaluates risk. It takes into consideration the impact and likelihood of a threat exploiting a vulnerability. A risk assessment also requires a skilled professional to conduct properly. The purpose is to:
- Identify what assets could be affected by a cyberattack including intellectual property, customer and HR data, server hardware, application systems, laptops, etc.
- Determine the various threats and vulnerabilities that could affect those selected assets.
- Prioritize security efforts and ensure that selected cybersecurity solutions, policies, and safeguards are appropriate for the risks at hand.
A risk assessment offers businesses a report on their risk rating and recommended controls to reduce their risk. It is a more comprehensive look at an organization’s vulnerabilities, outlining the complete view of its exposure. This process requires more than tools, but a cohesive look at a business’ threshold of risk with analysis by a seasoned professional.
Defining the scope of the risk assessment is a critical first step of the process. While conducting a risk assessment of all assets is possible for a small company, it is unrealistic for a large corporation. The scope clearly defines what is covered and not covered during the assessment process such as which systems, applications, network appliances, databases, hardware, etc. A risk assessment could be limited to the web application infrastructure for instance. The intended audience of the report should be considered in defining the scope as well.
A risk assessment helps ensure that resources are targeted at the remediation efforts that are most appropriate for a specific organization. It is also designed to allocate resources according to priority and reasonableness suitable to each unique situation.
Do you know reasonable?
A Combined Approach
Vulnerability scans are continual assessments of your security. Risk Assessments show whether those vulnerabilities can be accepted, or prioritized for remediation with reasonable safeguards. Both of the vulnerability scan and risk assessment play an important role in bolstering the security of your company’s enterprise.
Routine vulnerability scans supplemented by penetration tests should be a habitual part of your company’s security plan as the risk environment changes over time. A risk assessment should be implemented on an annual basis to assess and address new risks that could threaten the company and involved parties. All of these proactive security endeavors will help mitigate breaches and security related disruptions that could damage the reputation and bottom line of the organization.
The Right Information for the Right Audience
Vulnerability scans and penetration tests inform technicians and help them make decisions. Risk Assessments inform leadership and help them make decisions. Because each role has its own level of responsibility, they require different kinds of information to help them be effective. Both of these analyses are critical for managing security, but must put the right information in front of the right audience. Enhance your risk strategy. Assess your risk threshold.