In general, I would do something like this:
Gap-analysis (Maturity Assessment)
Start by performing a gap-analysis (or maturity assessment, if you like), against a well-known framework. Personally, I am a big fan of CIS V8 Critical Security Controls. You are most likely able to perform this yourself with internal resources. If you decide to use an external consultant, make sure your internal resources are involved and work closely together with the consultant.
Short about CIS V8 before we continue:
CIS Critical Security Controls is a framework that consists of 153 safeguards spread over 18 controls. The framework covers all NIST functions: Identify, Protect, Detect, Respond and Recover. CIS V8 consists of three implementation groups (IG1-3) where IG1 is safeguards providing you with a basic cyber security hygiene, IG3 is safeguards protecting you against targeted attacks, and IG2 is something in between.
Once you have identified all gaps, gather all missing safeguards in one table and do a quick and dirty risk assessment of them. No need to complicate things, you could for example do something like this:
Compliance score
Level | Description |
|---|---|
1 | Nothing in place |
2 | Parts of the safeguard in place |
3 | Most of the safeguard in place |
4 | Safeguard in place |
Risk Score
Level | Risk |
|---|---|
1 | Low risk |
2 | Medium risk |
3 | High risk |
Complexity/cost score
Level | Risk |
|---|---|
1 | High complexity/cost |
2 | Medium complexity/cost |
3 | Low complexity/cost |
You multiply the risk score with the complexity score and get a priority score between 1-9. The missing safeguard with the highest priority score should be prioritized as the first safeguard you implement since it will reduce your risk the most compared to the complexity/cost of getting it in place.
Below you see an example on what this could look like:
ID | Function | Safeguard | Compliance score | Action required | Risk score | Complexity score | Priority Score | Action owner | Target date |
|---|---|---|---|---|---|---|---|---|---|
9.5 | Protect | To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. | 3/4 | Configure DKIM. SPF and DMARC already in place. | 2 | 3 | 6 | Olav Østbye | 01.12.2022 |
9.6 | Protect | Block unnecessary file types attempting to enter the enterprise’s email gateway. | 0/4 | Enable and configure file type blocking in O365. | 3 | 3 | 9 | Olav Østbye | 01.12.2022 |
Management dashboard
You then choose the universal language of traffic lights to clearly express the risk to management (compared to doing it with numbers).
TLP | Status |
|---|---|
🟢 | All safeguards in place |
🟡 | Almost all safeguards in place |
🟠 | Some safeguards in place |
🔴 | No safeguards in place |
Create a dashboard of this overview, either in a report, powerpoint, Notion, or whatever you prefer. You should be able to explain in business words what the different controls do and which risk they reduce, and as such - within a one hour meeting - provide your management with a full overview of the cyber security maturity and the risk in the company. You are now already miles ahead of many companies, well done.
CIS V8 Controls | Status (TLP) | High level summary |
|---|---|---|
1 - Inventory and Control of Enterprise Assets | 🟢 🟡 🟠 🔴 | |
2 - Inventory and Control of Software Assets | 🟢 🟡 🟠 🔴 | |
3 - Data Protection | 🟢 🟡 🟠 🔴 | |
4 - Secure Configuration of Enterprise Assets and Software | 🟢 🟡 🟠 🔴 | |
5 - Account Management | 🟢 🟡 🟠 🔴 | |
6 - Access Control Management | 🟢 🟡 🟠 🔴 | |
7 - Continuous Vulnerability Management | 🟢 🟡 🟠 🔴 | |
8 - Audit Log Management | 🟢 🟡 🟠 🔴 | |
9 - Email and Web Browser Protection | 🟢 🟡 🟠 🔴 | |
10 - Malware Defenses | 🟢 🟡 🟠 🔴 | |
11 - Data Recovery | 🟢 🟡 🟠 🔴 | |
12 - Network Infrastructure Management | 🟢 🟡 🟠 🔴 | |
13 - Network Monitoring Defense | 🟢 🟡 🟠 🔴 | |
14 - Security Awareness and Skills Training | 🟢 🟡 🟠 🔴 | |
15 - Service Provider Management | 🟢 🟡 🟠 🔴 | |
16 - Application Software Security | 🟢 🟡 🟠 🔴 | |
17 - Incident Response Management | 🟢 🟡 🟠 🔴 | |
18 - Penetration Testing | 🟢 🟡 🟠 🔴 |
You might as many others end up with many yellow, orange, and red traffic lights here. This might point in the direction of a big lift being required. If so, I suggest picking out three controls to focus on for the first 6 months, and then revisit. You can of course pick important safeguards on other domains which you start working on. Note however, that driving more than 2-3 security projects is usually quite hard, if not impossible.
Three projects I usually see after an assessment like this is:
#1: Identity and Access Management - The need to either get a IAM solution in place, or to start implementing one you already have available. HR driven identity, MFA, federation (SSO), recertifications, RBAC, Joiner - Mover - Leaver processes, and so on.
#2: Mobile Device Management - Centralizing control of your computers and define a blueprint for different user groups. Roll it out together with hardening, application control, local host FW, DNS settings, and more.
#3: Email and Web Browser Protection - Getting SPF, DKIM and DMARC configured. Setting up blocking of attachment types. Configuring sandboxing and scanning, and so on.
If you have many yellows, you might end up with a big backlog of missing safeguards and do not necessarily need several projects to get them closed.
Cyber Security Defense Balance
If you want management (and maybe yourself) to better understand the Cyber Security Maturity of the company; create a diagram where you count the safeguards against the NIST functions —> Identify, Protect, Detect, Respond, Recover. With this diagram, you can visualize how balanced your cyber security defense is (or not). You can also explain why it is so important to have a well-balanced cyber security defense. I usually say something like: We need to know what we have in order to protect it, we need to protect what we have, if someone is able to break in we need to detect and respond to it, and if someone succeeds in an attack we need to recover from it. I know this is not a perfect explanation, but business management will understand it. Remember that they own the business risk, and yes, Cyber Security Risk == Business Risk.
Perfect, now everyone has a good understanding on where you are, where you are going and what business risks the organization have. If you want to be even more popular, try to find ways of enabling the business and IT with your Cyber Security Strategy (yes, we are there now). For example: Zero Touch Deployment to increase the business' ability to grow fast? SSO and user lifecycle management to make the workforce more happy and more efficient? Rail guards for developers making it easier for them to deploy secure code? This also requires you to be strong within the business domain, but I am quite sure you are able to bring something good to the table. Remember that in 98% of the cases, the business you work in does not live because they want to do cyber security, they usually sell something or provide something, and they do cyber security because internet is not a safe place, and they need to reduce that business risk to an acceptable level.
What you probably will find
I can already now tell you what you probably will find: People want to do sexy and cool stuff, maybe do a deep dive into the Kubernetes cluster with security within each pod. Maybe collect all logs, feed them into the SIEM and build detections. Maybe buy and use expensive security tools that are next generation AI that “solve everything”. However, after getting everything on the table and doing your quick and dirty risk assessment, I am quite sure the actions to be prioritized are basic stuff like: Hardening. Email Security. Training and Awareness. Patching. Passwords. Recertification of access. And so on. These are not the subjects we security professionals usually like to talk about, but again - you want to reduce the risk the most compared to cost/complexity/hours.
Deep-dive or high level? Full audit style?
I usually like to do things on a high level looking at the big picture, and not do a deepdive into all applications, every repo, every subnet, and so on. I usually pick out 3-5 business critical / sensitive applications where we do a deep dive in addition to the high level maturity assessment. CIS usually have a framework for big applications, like Office 365, which you also can use. If not you need to understand what responsibility falls on the customer, and what responsibility falls on the vendor, for example IaaS vs PaaS vs SaaS vs FaaS, and adjust the assessment accordingly.
I also like to perform these assessments together with the organization and not as a typical audit. If we can all agree that we want to get all gaps on the table so we together can create a strategy on which actions to close first, then the result will be much better compared to performing a typical audit where there is little trust between the auditor and the ones interviewed. This also requires management to clearly define the intention of the assessment. By doing this together, you will also save time compared to collecting evidence after evidence.
Which opens up another door; we are a hybrid organization with stuff on-premise and in cloud...
You now have a great opportunity to make things very complex. What I usually do, is to look at both cloud and on-premises together where applicable. In most cases, it is quite clear to me which safeguards are in scope for cloud and which are not, depending on the delivery model. If this is unclear for you, you can use the CIS Controls Cloud Companion Guide which tells you which safeguards are in scope for IaaS vs PaaS vs SaaS vs FaaS. Below you see an example from the Guide on Control 9 - Email and Web Browser protections.
Here is another pro tip. A framework is a framework - it is not perfect for everyone. It is however usually more than ok for most of organizations. But you need to understand the organization, technology, processes and people. If you do not, this can get messy quite quickly. It is completely ok to say that some safeguards or even a full control is out of scope, just add a short justification for it.
If you feel that CIS V8 crashes too hard with cloud, I suggest looking into the Cloud Control Matrix (CCM) from Cloud Security Alliance (CSA). You could for example pick out some of the domains and use them instead of CIS controls, or just do CIS V8 for on-premises and CCM for cloud - this is up to you.
When to re-perform?
Hard to say, and of course very dependent on the organization. If you did a full CIS V8 assessment October 2022, I would follow up the gaps on a monthly basis. In 2023, I would focus more on applications you did not cover in the 2022 assessment (deep dive). You can also consider another assessment method, for example buying a cloud security assessment. This would follow the same principle as using different penetration testers each year, as every penetration tester has a different skillset and will most likely have different findings. Performing another CIS V8 assessment, and maybe even with the same people, will most probably not bring any new findings (given that the environment has not changed completely).
Knowledge needed for the one leading the gap-analysis (maturity assessment)
You will find cheap gap-analyses on the market today, no doubt. Almost everyone will claim to be able to perform a maturity assessment against any given framework. Maybe not strange when a framework is something that describes how something should be, and you can then just ask and note down the gap. It is however not as easy as that, and here are some things to consider:
- What type of company is offering the assessment? If it is a company mostly doing consultancy within Cyber Security, then it is most likely a good fit. If it is a “one stop shop” then it depends on the consultant, make sure the CV you get is for the one who will perform the assessment. Be careful if it is a company selling SW and HW, many of the actions will most likely be to buy SW and HW from them. You would want someone who can offer a “trusted advisor” role.
- The consultant performing the assessment should have several years experience in the industry. You should expect a strong candidate within all controls who also has good understanding of business. Certifications like Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP) and Certified Information Security Manager (CISM) will show that the candidate has a strong overall understanding of cyber security independent of the technology in play (vendor neutral).
- Personality also matters here. Find someone who is a good communicator and able to talk to many different people and lead workshops. Ending up with a “typical auditor” does not create the trust needed to get all gaps on the table.
Policy as Code (PaC) - the solution going forward?
There is so much you should and could do within Cyber Security. I completely understand why people quite fast get exhausted when working within this field, especially those in-house resources working on defending the organization. Going forward, I think one of the solutions could be cloud and policy as code (where supported). For those of you unknown to policy as code, it is quite simply writing code to define the rules of the environment (programmatically policies). Here are some examples:
- No data to be hosted outside EU
- No public buckets without the key value tag env:public
- Only allow encrypted communication
Policy as code is mostly used on the Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) level, where we see better and better support for doing Policy as Code.
So, why is this relevant for a maturity assessment? Well, if policies are defined in code it is much easier for everyone to verify that the policies are enforced. This also reduces the chance for human mistakes. Just think of manually configuring 50 virtual machines versus defining everything as code once, and then pushing it to the environment. Much easier to assess afterwards as well, just check the code.
Closing remarks
If you still are with me here at the end, then thanks for reading my article. Feel free to reach out if you disagree, have questions or just support my view. You can also find this post on LinkedIn where you can share and discuss so everyone gets in on the fun.
I need to end this article with a saying that a CISO in Norway just shared (not sure if he was the first), but I immediately fell in love with:
Be security smart - from the start.
Stay safe!