An organization’s level of cybersecurity is in fact the sum of many factors, and not simply the result of adding a technology or an expert. Cybersecurity is not a tangible or concrete concept, nor is it naturally measurable. However, the consequences of cyberattacks are very real.
So, how do you approach cybersecurity? If cybersecurity is the sum of several activities, where should we start? The diagram below illustrates, in the form of a decision tree, the various universal cybersecurity activities that all organizations will need to carry out at some point.
As illustrated in this decision tree, there are many ways to implement cybersecurity in your organization, and it is crucial to understand when you need it, especially if you are just starting out on your cybersecurity journey.
The first case to consider is a company piloting a new project, such as rolling out a new technology, developing an application, or simply upgrading its infrastructure. Such an organization will benefit greatly from carrying out a threat and risk assessment early in the project, to avoid introducing new cybersecurity risks and jeopardizing its success.
Threat and risk assessment (TRA)
A threat and risk assessment identifies potential cyberthreats and vulnerabilities introduced by the project, either directly or indirectly. This involves examining the cyberattack landscape specific to a given industry and matching it with a methodology for modelling cyberattack scenarios. Regulatory compliance will also be considered where necessary.
All risks and threats are documented and rated according to their likelihood and impact. Mitigation recommendations are provided to reduce cybersecurity risks to an acceptable level.
Who can benefit from this service?
- Organizations concerned about their cybersecurity when carrying out strategic projects.
- Organizations requiring cybersecurity risks to be identified and assessed.
- Organizations requiring projects to comply with existing cybersecurity standards and best practices.
- Organizations combining information technology (IT) and operational technology (OT).
Addressing cybersecurity issues early in a project’s lifecycle helps avoid introducing new risks or circumventing them while there is still time. A project is considered as being intrinsically secure (secure-by-design) when cybersecurity has been considered from its outset. For many organizations, these assessments are carried out systematically for every new project involving IT or OT technology.
Outside a project framework, a company may decide to structure and invest in its security efforts.
Let’s take the example of a company worried about cyberattacks, but unaware of its current cybersecurity posture and with no roadmap for improving it. The first thing to do would be to carry out a cybersecurity maturity assessment, which could be compared to a general vehicle inspection.
Cybersecurity maturity assessment
It is an objective, 360-degree assessment of your organization’s cybersecurity practices based on more than 350 verification points. Because cybersecurity results from a variety of activities, the maturity assessment looks at all the activities that directly impact your cybersecurity posture, not just the technologies you have or don’t have. These activities include cybersecurity governance, awareness, vulnerability management, and access management.
A cybersecurity posture assessment will provide a complete picture of the organization’s maturity level, as well as a roadmap determining the next cybersecurity investments required to raise that level.
For cybersecurity managers, the maturity report becomes the tool of choice for informing senior management about the current situation, and justifying the resources and budgets required to achieve the target. When conducted periodically, it provides objective evidence of the company’s progress.
Who can benefit from this service?
- Cybersecurity managers or the Chief Information Security Officer (CISO) concerned about the company’s cybersecurity posture.
- Organizations concerned about prioritizing cybersecurity investments.
- Organizations wishing to monitor their cybersecurity posture over time.
With an up-to-date, comprehensive profile of its cybersecurity posture in hand, the company will be able to strategically prioritize its efforts and initiate its cybersecurity progress. During this phase, it will put in place cybersecurity policies, detection tools, a rigorous process for monitoring vulnerabilities, and so on. Its cybersecurity will improve, and subsequent maturity assessments will objectively demonstrate this.
A company that has significantly developed its cybersecurity may wish to verify or even demonstrate to its clients and partners that it has exemplary cybersecurity and complies with the various recognized cybersecurity standards. After all, investment in cybersecurity can be seen as a competitive advantage! To demonstrate this, it will need to conduct a cybersecurity audit and choose a cybersecurity standard with which to compare itself. A cybersecurity audit is much more detailed and time-consuming to carry out than a maturity audit, so the company needs to have already acquired a certain degree of maturity.
ISO 27001 and NIST-CSF are the most popular standards in the IT world. In the OT realm, NERC-CIP, APTA OT-CMF and IEC62443 are also frequently used. Clients may also request SOC2 audits. Audits based on standards are more comprehensive and time-consuming to carry out but enable you to demonstrate your cybersecurity posture in relation to trusted standards specific to your industry.
Cybersecurity audit
A cybersecurity audit is an in-depth assessment of the IT security measures in place. The primary objective of the audit is to benchmark against best practices and highlight any major gaps.
Companies can choose to assess themselves against industry-specific standards, such as ISO 27001, NIST-CSF, NERC-CIP (Energy), APTA OT-CMF (Transportation), IEC62443, etc.
A cybersecurity audit validates the application of policies, controls and best practices, but does not test them on a technical level (these activities are conducted through a vulnerability assessment or penetration testing).
Who can benefit from this service?
- Cybersecurity managers or CISOs wishing to demonstrate the company’s cybersecurity to a third party or client.
- Organizations wishing to track their cybersecurity posture over time.
Reports resulting from cybersecurity audits will usually highlight deficient or missing cybersecurity activities.
The vulnerability assessment and penetration testing should be conducted periodically according to the cybersecurity standards chosen by the company.
Vulnerability assessment
A vulnerability assessment allows an organization’s cybersecurity to be concretely tested, by ensuring that there are no software vulnerabilities or security misconfigurations that could be exploited by cyberattackers.
This assessment is performed by vulnerability management specialists and provides a complete scan of all infrastructures. OT systems (SCADA, ICS, IOT) can benefit greatly from a vulnerability audit. The tools used and expertise required in this case are not the same as for assessing IT infrastructures.
This exercise will often reveal the presence of systems that are unknown, obsolete or that have simply been forgotten over time. The audit report will provide a detailed status of the infrastructure and suggest the most effective mitigation measure for the risks identified.
This type of assessment needs to be done regularly, especially in critical or fast-changing environments. Reports are often used as evidence when demonstrating cybersecurity to a third party or client.
Who can benefit from this service?
- Organizations performing due diligence.
- Organizations with a recent cybersecurity incident or near-miss.
- Organizations whose network has undergone significant change.
Penetration testing is the most advanced activity designed to test the security of a system or platform. Given the scale of the task, it is only used for critical or strategic systems. Penetration testing has the advantage of simulating a real cyberattack, just as a cyberattacker would. This is an excellent way of demonstrating the real impact of a cyberattack on a company.
Penetration testing
Penetration testing is the best way to test critical assets, hard-to-detect vulnerabilities, exploitable configuration errors and security flaws within applications. It is the logical next step after a vulnerability audit.
Penetration testing is performed by specially trained security professionals (ethical hackers), who use the same tactics and techniques as real-world cyberattackers to simulate a controlled attack. Penetration testing will demonstrate in concrete terms the different real-world impacts of cyberattacks, which will help the organization understand its risks.
Flaws are documented according to their likelihood and impact. A risk mitigation action plan is provided to the client.
Who can benefit from this service?
- Organizations performing due diligence on highly exposed assets or critical systems.
- Organizations concerned about the security of a third-party solution.
In conclusion, the approach to cybersecurity is highly dependent on the needs and maturity of the organization.
For projects already underway, a threat and risk assessment enable cybersecurity risks to be anticipated and mitigated right from the design phase, thus supporting a “secure-by-design” approach. This is particularly useful for companies involved in strategic developments.
As for the cybersecurity maturity assessment, it offers a 360-degree view of cybersecurity practices, enabling organizations to effectively prioritize their investments according to their current level of maturity.
Once a company has achieved a certain level of maturity, it may choose to demonstrate its commitment towards cybersecurity by undertaking a cybersecurity audit. Based on recognized standards, this audit provides external validation of the effectiveness of the company’s cybersecurity policies and controls.
Lastly, for a more concrete assessment, vulnerability assessment and penetration testing focus on detecting and mitigating specific vulnerabilities. These activities are essential for maintaining a robust cybersecurity posture, particularly in critical or constantly evolving environments.