1. Are we only focused on compliance?
While companies are aware of cyber risks, their investments are often driven by compliance rather than cyber risk management as part of a broader business context. Relying only on regulatory compliance often provides a false sense of security. In addition to abiding by necessary regulations, organisations must ask whether they are protected when it comes to permutations in playbook scenarios. – Reuven Aronsashvili, CYE
2. Is our staff prepared for a cyberattack?
You don’t just send an astronaut into space after handing them a pamphlet about rockets. Similarly, you can’t just give your team some documents and say “Read this”. Set up a training program that lets you walk through the steps of what to do in case of an emergency. This will enable your team to act more efficiently during a real crisis. – Marc Fischer, Dogtown Media LLC
3. What would a hacker do?
An important question every company should ask after a security assessment is “What would a hacker do, and would we be prepared?” Seeing the assessment from the attacker’s perspective is key, as the assessment will never be comprehensive. – Juliette Rizkallah, SailPoint
4. What’s the most pressing issue?
A company must be able to quantify and prioritise the risks it discovers during the assessment to mitigate them. This will minimize the risk of a breach, allowing the company to take on additional strategic risks such as opening a new branch or acquiring a competitor. Prioritising mitigation of certain risks enables the company to grow. – Matt Kunkel, LogicGate
5. Where is the Trojan horse?
The one question every company must answer is “Where is the Trojan horse?” The largest fortresses and the best equipped armies have all fallen by the human element. Addressing the human element first is the most important step after a cybersecurity assessment. – Spiros Liolis, Micro Focus
6. Who is accountable for addressing vulnerabilities?
Companies must know who is accountable and assign “owners” to mitigate the most severe vulnerabilities of systems and processes that are identified by the assessment. Assessments often set out a roadmap of quantified risks and actions to mitigate. However, in the absence of clear ownership, the person on the team who will take up the mitigation, most of the findings stay in the system with deferred plans. – Hitesh Bhardwaj, Cloud4C
7. How could an attacker access our critical assets?
Organisations need to ask themselves how many different ways an attacker could access critical assets in a breach and whether current security controls have been tested to detect and respond to the threat effectively. Keeping this answer top of mind ensures the company has a clear picture of its security posture and is properly defending its most critical assets. – Stephan Chenette, AttackIQ
8. What will we do when we’re hacked?
You will be hacked. What’s your plan? How do you respond? How do you communicate with stakeholders? Do you have a response team in place? If after your assessment you don’t know exactly what you will do when an attack happens, it’s time to change that. – Michael Landewe, Avanan, The Cloud Security Platform
9. What level of risk do we want to live with?
The one essential question a company must be able to answer after conducting a cybersecurity assessment is “What is the risk exposure we want to live with, and therefore, what is the risk posture we will put in place?” This sets a clear objective and defines the target state, thereby establishing the recommendations you would take up from the assessment. – Jacqueline Teo, HGC Global Communications
10. What level of security do we need?
The first question a company should ask is “What level of security do we need?” Cybersecurity is a balancing act between protection and cost. The level of consumer or business data you can process and store, the products you sell and the value of the intellectual property you create will all dictate the level of security you need. Then, you can turn to frameworks such as NIST to determine the controls you need to meet. – Sean McDermott, Windward Consulting Group
11. Are our security controls working?
Most companies are accustomed to asking themselves “Is my enterprise secure?” after each cybersecurity assessment, while the essential question should be “Are our security controls operating effectively and efficiently?” Asking whether the security controls are effective and efficient goes a step further in creating a common risk-management taxonomy for the organisation. – Dr Adewale Peter Obadare, Digital Encode Limited
12. How are we protecting users?
A key question to ask is “how are you protecting and insuring the identities of users and various applications?” If the user or application identities’ infrastructure is not secure and vetted, the rest of the security posture could look great but still be fully compromised. – Vipin Jain, Pensando Systems
13. Is senior leadership prepared to address the issue?
Do we have buy-in from senior leadership at the firm to address and resolve any findings from the assessment? Cybersecurity needs to be looked at with the same sense of urgency as other key areas of the organisation. When it is looked at as a cost center or afterthought, it will likely end up being a cost center at the most inopportune time (such as during a breach or unappreciated-staff exodus). – Nate Cote, Kanguru Solutions
14. How will we recover from a hack?
A question you should ask is “what is our business continuity or disaster recovery plan?” You will get hacked, and you will face an outage. What will your response be to the incident, and how do you mitigate the risk as much as possible? The assessment should not be designed to identify your blind spots and potential risks. Start with DevSecOps and your network and mitigate from there. – Damian Ehrlicher, Protected IT
15. When is our next assessment?
No matter what the findings are from the current assessment, the most important question is “When is our next assessment?” Assessments are just a point in time. The environments are always changing, and attackers’ tools and techniques are always changing too. Security assessments need to be more than just checking a box for compliance; they should be an affirmation that your tools, policies and procedures are actually working. – Saryu Nayyar, Gurucul
16. What do we need to do to achieve our ultimate business outcome?
A cybersecurity assessment must not be seen as an outcome in itself, but rather as a tool to build toward an outcome. “Assessed” is not the end state any company should desire; rather, it should be “fixed and remediated.” Thus, companies should be able to answer the question “What do I need to do to get to my ultimate business outcome?” The first steps in your journey are critical. – Craig Goodwin, Cyvatar