By Madison Iler   /   Jul 13th, 2021

4 Steps to Build Meaningful Visibility and Strengthen Your Cybersecurity Posture

Welcome to the final blog in my 3-part series on how cybersecurity collaboration between IT staff and an organization’s management team builds a stronger cybersecurity posture. With worldwide cybercrime costs predicted to escalate to $10.5 trillion annually by 2025, it’s crucial for management to have visibility into their organization’s cybersecurity risks.

In this series, I identified three types of communication gaps that can impede cybersecurity collaboration, and then focused one blog on how to solve each challenge. Here’s a recap of the gaps and links to these blogs:

  1. Lack of shared context on cybersecurity threats.
  2. Organizational culture impeding communication.
  3. Visibility gaps that result from management’s lack of clear, consistent information on the organization’s cybersecurity posture and identified risks.

This post focuses on the third challenge on the list: how to maintain a level of visibility so that management has accurate, timely information on gaps and risks, including enough context to prioritize action items.

As discussed in the first blog in the series, ongoing management training and security updates will help establish a shared understanding of the threat landscape to support effective internal collaboration. This shared context will also help to address visibility gaps, now that management has a better picture of common threats and how various cybersecurity controls can reduce risk related to those threats.

4 Steps to Better Visibility for Management & a Stronger Cybersecurity Posture

Transparency between management and IT functions is essential to ensure that appropriate measures are taken to track and remediate risks and vulnerabilities. Communication gaps can result in critical security improvements not being prioritized or supported by necessary security initiatives and resource allocation. Here are four steps you can take to increase visibility and build a strong cybersecurity posture:

1. Collect information: Start by regularly compiling relevant reports, results, and updates that capture the status of the organization’s security posture and changes.

  1. The types of data you collect may include: internal reporting on patch levels, results of any internal audits or spot checks (e.g., user account reviews, training completion), summary and status of any security incident, vulnerability scan results, phishing test results, and any third-party controls assessments or technical testing reports. Also include risks or gaps identified informally by your IT staff.
  2. Tip: Running the monthly scans, creating reports, and conducting the audits and spot checks are only PART of step one. These actions are important, but on their own they don’t improve your security posture. It’s crucial to ensure the appropriate follow-on actions are assigned to appropriate resources and that your team successfully corrects the identified issues. If you identify recurring issues, dig into the root cause to prevent the gaps rather than continue to fix them after the fact. For example, scans that show the same vulnerabilities month-to-month are a red flag that your patch management process needs improvement.
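The tip above says that findings which reappear in scan after scan are the signal to look for. As an added example (not code from the original post), the following Python script compares a series of monthly scan exports and flags every host/finding pair that has been open for a configurable number of consecutive scans, then rolls the result up per host for a management summary. The scan records are constructed sample data with placeholder finding identifiers; a real export would be loaded from the scanner's CSV or API instead.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): one record per finding per
# monthly scan. The finding identifiers are placeholders, since the post names no
# specific vulnerabilities.
SCAN_HISTORY = [
    {"month": "2021-04", "host": "web-01", "finding": "FINDING-EXAMPLE-A"},
    {"month": "2021-04", "host": "web-01", "finding": "FINDING-EXAMPLE-B"},
    {"month": "2021-04", "host": "db-01",  "finding": "FINDING-EXAMPLE-C"},
    {"month": "2021-05", "host": "web-01", "finding": "FINDING-EXAMPLE-A"},
    {"month": "2021-05", "host": "db-01",  "finding": "FINDING-EXAMPLE-C"},
    {"month": "2021-05", "host": "db-01",  "finding": "FINDING-EXAMPLE-D"},
    {"month": "2021-06", "host": "web-01", "finding": "FINDING-EXAMPLE-A"},
    {"month": "2021-06", "host": "db-01",  "finding": "FINDING-EXAMPLE-D"},
]


def months_seen(scan_history):
    """Map each (host, finding) pair to the sorted list of months it appeared in."""
    seen = defaultdict(set)
    for rec in scan_history:
        seen[(rec["host"], rec["finding"])].add(rec["month"])
    return {key: sorted(months) for key, months in seen.items()}


def longest_consecutive_run(months, all_months):
    """Length of the longest run of back-to-back scan months within `months`.

    `all_months` is the ordered list of every month a scan was run, so a gap in
    the scan schedule itself does not count as the finding having been fixed.
    """
    index = {m: i for i, m in enumerate(all_months)}
    positions = sorted(index[m] for m in months)
    best = run = 1
    for prev, cur in zip(positions, positions[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def recurring_findings(scan_history, min_months=2):
    """Return {(host, finding): run_length} for findings open `min_months` scans in a row."""
    all_months = sorted({rec["month"] for rec in scan_history})
    result = {}
    for key, months in months_seen(scan_history).items():
        run = longest_consecutive_run(months, all_months)
        if run >= min_months:
            result[key] = run
    return result


def patch_process_red_flags(scan_history, min_months=2):
    """Roll recurring findings up per host, the view a management report would show."""
    per_host = defaultdict(list)
    for (host, finding), run in recurring_findings(scan_history, min_months).items():
        per_host[host].append((finding, run))
    return {host: sorted(items) for host, items in per_host.items()}


if __name__ == "__main__":
    for host, items in patch_process_red_flags(SCAN_HISTORY).items():
        for finding, run in items:
            print(f"{host}: {finding} open for {run} consecutive scans")
```

With the sample data, one finding on the web server has survived all three scans and two on the database server have survived two each; those are the entries to carry into the root-cause discussion about the patch process, while a finding that appears once and disappears is the process working as intended.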

2. Question the information: Management needs to ask good questions, and their cybersecurity awareness training should help them ask questions related to risk to the organization, such as:

  1. What does this report/these results tell us about our security posture?
  2. Does anything in this report concern you?
  3. Do these results surprise you?
  4. Do these results reflect changes over time? Good or bad?
  5. What threats could these gaps expose us to? Do any of these threats pose a risk to our financial health, data integrity, or reputation?
  6. Does this require follow-up work to resolve any identified issues? If so, do you have the resources needed, including the time, expertise, tools, and budget?

3. Give straight answers: IT staff should be forthcoming with their answers to make sure everyone is on the same page as far as security posture status and risk factors. Where possible, tie report results to threats and risks, such as which identified gaps may increase the likelihood of a ransomware infection. Don’t downplay risks because you sense the management team wants to hear good news.

  1. Transparency between management and IT functions is essential to ensure that appropriate measures are taken to track and remediate risks and vulnerabilities. Communication gaps can result in critical security improvements not being prioritized or supported with necessary security initiatives and resource allocation.
  2. Tip: If your organizational culture makes this challenging, see my previous blog on how organizations can encourage discussion, avoid the blame game, and build a strong cybersecurity culture.
  3. If you don’t know where your gaps are, consider a controls assessment and technical testing package from a third-party. A third-party assessor can bring a neutral perspective to your environment and focus on the facts, regardless of the internal culture or history.

4. Track identified gaps: Establishing a risk tracking process will help organize risk treatment and can also be a valuable tool to provide shared visibility for risks and remediation. In addition, having a tracking system helps all staff know that their reported risks will be taken seriously. Not all identified risks can or should be acted on immediately, but they should be risk rated, tracked, and prioritized.

  1. For many organizations, a spreadsheet in a shared location is well-suited for risk tracking, although larger or more mature organizations may want to use a Governance, Risk and Compliance (GRC) tool designed for this function. Some IT/helpdesk software also includes risk tracking functionality.
  2. The tracking tool should capture cybersecurity risks identified from multiple sources and reports, plus any internally identified risks, regardless of whether they were documented in a formal report. Don’t forget to include incident response items, such as recommendations from IR tabletop exercises or corrective actions in incident reports. Include the source and date for each risk so that supporting details can easily be located.
    1. Tip: It’s more efficient to consolidate related or duplicated findings and reference all relevant source reports.
  3. Use likelihood and impact ratings to establish risk ratings or include the risk ratings from the source report when possible. Use the risk ratings to decide on a risk treatment plan for avoidance, remediation, transfer, or acceptance. My previous blog on risk management offers guidance on how to approach risk treatment decisions, including looking for opportunities for risk reduction.
    1. Tip: Consider moving accepted risks to another tab to focus visibility on the risks you plan to remediate. But be sure to review the accepted risks periodically to see if their risk levels have changed and acceptance should be reconsidered.
  4. Assign action items, owners, and milestones for remediation tasks. Ask owners to update their items regularly, then review status and progress periodically for accountability and to identify any roadblocks such as lack of training, need for support from others, the need to outsource some services, budget approval, a lack of time/staff, or the need to prioritize other assigned tasks.
    1. Tip: For ease of review and assignments, consider bucketing the entries by department, application, or relevant topic (e.g., patch management, network security, training, etc.).
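Step 4 describes the fields and operations a risk register needs: source and date per entry, consolidation of duplicated findings, a likelihood-by-impact rating, a treatment decision, accepted risks set aside but periodically re-reviewed, owners and milestones, and grouping by bucket. As an added example (not code from the original post and not any particular GRC product's data model), the following Python script implements that register as a small in-memory structure. The five-point likelihood and impact scales, the rating thresholds, and the 90-day re-review interval for accepted risks are assumptions chosen for the example; the risk entries are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

# Assumed rating bands on a likelihood (1-5) x impact (1-5) score; the post leaves
# the scale to the reader.
RATING_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]
ACCEPTED_REVIEW_DAYS = 90   # assumed re-review interval for accepted risks


@dataclass
class Risk:
    risk_id: str
    title: str
    sources: List[str]                 # reports the finding came from (source + date)
    identified: date
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    impact: int                        # 1 (negligible) .. 5 (severe)
    bucket: str                        # e.g. "patch management", "training"
    treatment: str = "remediate"       # avoid | remediate | transfer | accept
    owner: str = ""
    milestone: Optional[date] = None
    last_reviewed: Optional[date] = None

    def score(self) -> int:
        return self.likelihood * self.impact

    def rating(self) -> str:
        for threshold, label in RATING_BANDS:
            if self.score() >= threshold:
                return label
        return "Low"


def consolidate(risks: List[Risk]) -> List[Risk]:
    """Merge entries with the same title: union the sources, keep the earliest
    identification date and the higher likelihood/impact, and keep the first
    entry's owner, milestone and treatment."""
    merged = {}
    for r in risks:
        key = r.title.strip().lower()
        if key not in merged:
            merged[key] = replace(r, sources=list(r.sources))
            continue
        m = merged[key]
        m.sources.extend(s for s in r.sources if s not in m.sources)
        m.likelihood = max(m.likelihood, r.likelihood)
        m.impact = max(m.impact, r.impact)
        m.identified = min(m.identified, r.identified)
    return list(merged.values())


def split_accepted(risks: List[Risk]):
    """Separate the 'accept' tab from the risks still planned for treatment."""
    active = [r for r in risks if r.treatment != "accept"]
    accepted = [r for r in risks if r.treatment == "accept"]
    return active, accepted


def accepted_due_for_review(accepted: List[Risk], today: date) -> List[Risk]:
    """Accepted risks whose last review is older than the assumed interval."""
    cutoff = today - timedelta(days=ACCEPTED_REVIEW_DAYS)
    return [r for r in accepted if r.last_reviewed is None or r.last_reviewed < cutoff]


def overdue(active: List[Risk], today: date) -> List[Risk]:
    """Remediation items whose milestone has passed: the roadblock discussion list."""
    return [r for r in active if r.milestone is not None and r.milestone < today]


def by_bucket(active: List[Risk]):
    """Group active risks by bucket, highest score first within each bucket."""
    groups = {}
    for r in active:
        groups.setdefault(r.bucket, []).append(r)
    return {b: sorted(rs, key=lambda r: -r.score()) for b, rs in sorted(groups.items())}


# Constructed sample register (not from the original post).
RISKS = [
    Risk("R-1", "Missing OS patches on web servers", ["vuln scan 2021-05"], date(2021, 5, 3),
         4, 4, "patch management", owner="sysadmin", milestone=date(2021, 6, 30)),
    Risk("R-2", "Missing OS patches on web servers", ["vuln scan 2021-06"], date(2021, 6, 2),
         4, 5, "patch management"),
    Risk("R-3", "Phishing test click rate above target", ["phishing test 2021-06"], date(2021, 6, 10),
         3, 3, "training", owner="it-manager", milestone=date(2021, 8, 15)),
    Risk("R-4", "Legacy lab system cannot be patched", ["IT staff report"], date(2021, 2, 1),
         2, 2, "patch management", treatment="accept", last_reviewed=date(2021, 3, 1)),
    Risk("R-5", "Untested backup restore for file server", ["IR tabletop 2021-04"], date(2021, 4, 20),
         3, 5, "incident response", owner="sysadmin", milestone=date(2021, 6, 15)),
]

if __name__ == "__main__":
    today = date(2021, 7, 13)
    active, accepted = split_accepted(consolidate(RISKS))
    for bucket, rs in by_bucket(active).items():
        for r in rs:
            print(f"[{bucket}] {r.risk_id} {r.rating():8} {r.title} (owner: {r.owner or 'unassigned'})")
    print("overdue:", [r.risk_id for r in overdue(active, today)])
    print("accepted, review due:", [r.risk_id for r in accepted_due_for_review(accepted, today)])
```

The two scan findings with the same title collapse into one entry that references both monthly reports and carries the higher rating, the accepted lab-system risk drops off the active view but surfaces again once its review is stale, and the overdue list is the agenda for the periodic status review the post recommends.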

Establishing consistent and meaningful cybersecurity visibility within your organization is an essential part of building effective cybersecurity collaboration to support a strong security posture. Adopting some of the ideas in this blog series will have you well on your way to reducing your organization’s cybersecurity risk.

Would you like advice or support strengthening your organization’s cybersecurity collaboration or identifying gaps and vulnerabilities in your environment? LMG Security offers cybersecurity assessments, testing, and training to help organizations develop their cybersecurity programs and reduce risk. Contact us to see how our experienced consultants can support your cybersecurity goals.

About the Author

Madison Iler

Madison is LMG’s Chief Strategy Officer. She assesses organizations’ compliance with regulatory requirements such as HIPAA, and assesses the strength of their security program and overall security posture using widely-accepted frameworks such as the NIST Cybersecurity Framework. She previously served as a Senior Network Security Engineer for Lockheed Martin in support of the National Science Foundation, Security Engineer for SecureInfo, and Security Compliance Analyst for Raytheon Technical Services. Prior to moving into IT security, Madison worked in IT operations. She has also worked as a management consultant with McKinsey & Company. Madison earned her BA in Economics from the University of Colorado and her MBA from MIT’s Sloan School of Management. She holds her CISSP and HCISPP security certifications.