By Andrew Roberts, Chief Cybersecurity Strategist, cStor, a MicroAge company
When we start a journey, whether to a distant land or to a more mature cybersecurity posture, we can’t plot a course until we know our starting point and desired destination. If we’ve selected a cybersecurity framework, such as the NIST Cybersecurity Framework (NIST CSF) or the Center for Internet Security’s Critical Security Controls (CIS CSCs), and have chosen alignment with that framework as our destination, then we know where we want to go. How can we determine where we are starting from?
One of the most effective ways to determine our present state is to conduct a Gap Analysis of our environment. A Gap Analysis thoroughly examines policies, practices, systems, and controls to determine the current state of cybersecurity in the environment. It then compares that current state to the chosen framework and highlights the differences, or gaps, where things fall short. The Gap Analysis report will play a key role in creating a cybersecurity roadmap.
Before starting a Gap Analysis, there are 5 key points to consider that will help ensure the process will be successful.
Who should be performing the Gap Analysis?
One option is to complete the Gap Analysis internally, using your own team. This option may save some money upfront but often makes the process take much longer – typically several months instead of a few weeks. Often, this introspection provides results that contain zero surprises – because the internal team will see the environment the same way they always see it – and their long-standing blind spots may skew the results. Internal teams have likely never done this type of exercise before, so the final report may also lack the clarity that is needed to turn the results into action.
Outsourcing will both speed the process and ensure that the results include an open, unbiased view of the environment. The report will be high quality and very actionable. When outsourcing, select the assessor carefully and be confident they have both the skills and the independent objectivity needed to provide an unbiased opinion.
What should the Gap Analysis cover?
When defining the scope of the analysis, look beyond just the framework and seek balance. Include both IT and non-IT people and resources. Include as much of the environment as possible to ensure proper coverage, while trimming out unnecessary areas and duplication to keep the project budget in check. Just be careful not to trim too much or you risk missing out on some important information and risk creating a roadmap that isn’t as accurate as it needs to be.
When should the Gap Analysis be completed?
When an organization is ready to move towards improved cybersecurity, start the Gap Analysis as soon as possible. It can be tempting to delay the start to give time to “fix a few things” or “finish this project”, but that can lead to delays that never end. Remember, a Gap Analysis is not about labeling you as good or bad, it’s about getting a clear picture that allows forward progress. Now is always better than later, without exception.
How will the Gap Analysis be conducted?
A quality analysis will include a combination of inquiry, observation, and verification/testing. All three are necessary to make sure you get to the core facts and avoid bias. It may be tempting to simply run through a questionnaire, but that process won’t give you accurate results. This information will be critical to the future of cybersecurity in the organization; avoid the ‘easy button.’
If possible, have the analysis completed by people who are very experienced in this type of work and/or with an audit background. It takes a special skill set to gather data and use it to paint a clear picture. Seek out professionals with the appropriate skills to accurately measure risk and present that in the context of your unique environment.
What kinds of output are needed from the Gap Analysis?
If you’ve ever seen the report that often comes out of a penetration test, you know that those can be hundreds of pages long, heavy on data, and light on direction. A Gap Analysis report can often be similar unless you set clear expectations regarding deliverables. Make sure you will get solid information and will be able to digest the facts presented. The deliverables should be about quality and usability, not just quantity.
A Gap Analysis, when done properly, will be a tool that propels an organization into the future. If it is done poorly, you will be left no better off than you are today. If you choose to do it on your own, plan and execute carefully and don’t be afraid to reach out to others for advice. If you outsource, choose a skilled partner with experience delivering quality, actionable results.
Ready to improve your cybersecurity posture?
Performing a Gap Analysis is a critical first step to creating a successful cybersecurity roadmap. Thankfully, the experts at cStor and MicroAge have you covered. Start your cybersecurity journey on the right path by calling us today at (800) 544-8877.
“As the Chief Cybersecurity Strategist for cStor, Andrew partners with clients to help them achieve great accomplishments in their cybersecurity, governance, risk and compliance programs. He is building a successful cybersecurity practice by focusing on client success, sales enablement and partner alignment. Andrew brings a wealth of experience in audit, advisory and cybersecurity leadership and freely shares that knowledge to help put clients on the path to success.”
Andrew Roberts, Chief Cybersecurity Strategist for cStor, a MicroAge company