10 Steps to an Effective Vulnerability Assessment

Addressing the sheer volume and evolution of cyberattacks is daunting for even the most security-conscious IT teams. It requires an in-depth understanding of organizational risks and vulnerabilities, as well as current threats and the most effective policies and technologies for addressing them.

Only by understanding their risks can organizations target limited security dollars to the technologies and strategies that matter most.

So how can companies arm themselves with the information they need to make informed decisions about cybersecurity?

Security vulnerability assessment is key

Many cyberattacks take advantage of basic, often unnoticed security vulnerabilities, such as poor patch management procedures, compromised or weak credentials, targeted phishing, application vulnerabilities, and lack of sound security policies. 

And the pandemic that began in 2020 only complicated the threat landscape with a sudden increase in remote workforces and unplanned digital transformations―among other changes forced upon organizations to maintain business during quarantine.

“[Phishing] has utilized quarantine to pump up its frequency to being present in 36% of breaches, up from 25% last year.” —Verizon 2021 Data Breach Investigations Report

Even the most secure network is likely to have some unknown vulnerabilities, making an effective security vulnerability assessment a critical first step in the effort to protect data.

Vulnerability scanners are useful tools for identifying hidden network and host vulnerabilities. However, for many organizations, vulnerability assessments are highly technical and are carried out mostly for compliance purposes, with little connection to the organization’s business risks and executive security budget decisions.

Security vulnerability assessments typically identify thousands of granular vulnerabilities and rate them according to technical severity, rather than considering the affected business and its mission-critical processes. Often, criticality does not consider compensating controls including network segmentation, enhanced authentication, or API/Web/IPS security gateways.

These assessments can also identify a single vulnerability several times, recommending multiple patches and upgrades where a single, comprehensive security solution could address all of them holistically.

Ideally, a sound security strategy should tie business impact and an organization’s overall security strategy to the results of a vulnerability assessment. This enables an understanding not only of where true business risks lie, but also of which vulnerabilities should be addressed first and how to address them effectively.

Tying vulnerability assessments to business impact

Getting maximum benefit from a vulnerability assessment requires an understanding of your organization’s mission-critical processes and underlying infrastructure, then applying that understanding to the results.

To be truly effective, your security vulnerability assessment should include the following best practices:

1. Take an active role

Stakeholders should take an active approach to finding out what the current state of security is. It is important to effectively screen potential vendors, engage in the scoping process, provide security consultants with what they need to do the job, and assist in facilitating the success of the process.

When key stakeholders decide to get involved in the process as active participants, the knowledge gained from collaboration efforts will help enable the business to leverage the results more effectively.

2. Identify and understand your business processes

Identify and understand your organization’s business processes, focusing on those that are critical and sensitive in terms of compliance, customer privacy and competitive position.

There is no way for IT to do this in a vacuum. In many organizations, it requires collaboration between IT and designated representatives of the business units, the finance department and legal counsel.

Many organizations put together security strategy task forces, including representatives from each department who work together for several weeks to analyze business processes and the information and infrastructure they depend on. Those with significant domain knowledge are the most valuable resources in this discovery process.

The primary objective is to document how each process is actually carried out and to understand what it looks like in the real world, rather than on paper.

3. Pinpoint the applications and data that underlie business processes

Once the business processes are identified and ranked in terms of mission criticality and sensitivity, the next step is to identify the applications and data on which those mission-critical processes depend.

Again, this can be accomplished only through collaboration between IT and other business players.

From extensive collaborative discussions, you may discover applications that are much more crucial than expected. For example, email may be a critical application for one department, while in-house instant messaging carries more weight in another.

4. Find hidden data sources

When searching out applications and data sources, make sure you consider mobile devices such as smartphones and tablets, as well as laptops and desktop PCs. While some data may reside in a static location, the overwhelming majority will exist and interact in an ecosystem of devices and information pathways.

Collectively, these devices often contain the most recent, sensitive data your organization possesses. Work with the business units to understand who is using mobile devices for accessing and sharing corporate applications and data. Understand the data flows between these devices and data center applications and storage.

While considering the internal workings and movement of data, give thought to information that has migrated outside of the organization’s figurative four walls. To understand this external footprint, determine if your business users are sending business emails over public channels such as Gmail or Yahoo mail.

Another often hidden category to investigate is your software development environment, which is typically less secure than the production environment it supports. Software developers and testers often use current―sometimes mission-critical―data to test new and upgraded applications.

5. Determine what hardware underlies applications and data

Continue working down the layers of infrastructure to identify the servers, both virtual and physical, that run your mission-critical applications.

For Web/database applications, you may be talking about three or more sets of servers—Web servers, application middleware and database—per application. Identify the data storage devices that hold the mission-critical and sensitive data used by those applications.

6. Map the network infrastructure that connects the hardware

Develop an understanding of the routers and other network devices that your applications and hardware depend on for fast, secure performance.

It is important to determine if specific subnets are designed to contain sensitive assets such as Windows domain controllers, or a particular business unit, such as Development or Human Resources.

Understanding how data gets from point A to point B is essential—and knowing where a particular type of data lives is critical.

7. Identify which controls are already in place

Document the security measures you already have in place—including policies, technical controls such as firewalls, application firewalls, intrusion detection and prevention systems (IPS/IDS), virtual private networks (VPNs), data loss prevention (DLP) and encryption—to protect each set of servers and storage devices hosting mission-critical applications and data. Understand the key capabilities of these protections and which vulnerabilities they address most effectively. This is the heart of the “defense-in-depth” strategy and may require some extensive research, including scanning websites and reviews and speaking with security company representatives.

8. Run vulnerability scans

It only makes sense to run your vulnerability scans after you have understood and mapped out your application and data flows, and the underlying hardware, network infrastructure and protections.

The intellectual exercise that has been performed to this point is what allows security analysts to interpret the results of the scan clearly and with an objective focus on the critical aspects of the business.

“One of the biggest mistakes companies make is using a scan to determine what to patch, instead of scanning to verify successful patching. This sets the organization up for more vulnerability rather than less.” —Ben Holder, Senior Principal Consultant, Sirius Security

9. Apply business and technology context to scanner results

Your scanner may produce scores of host and other vulnerabilities with severity ratings, but since results and scores are based on objective measures, it’s important to determine your organization’s business and infrastructure context.

Deriving meaningful and actionable information about business risk from vulnerability data is a complex and difficult task. After evaluating your staff’s level of knowledge and workload, you may determine that it would be helpful to partner with a company that specializes in all aspects of security and threat assessment.

Whether undertaking this task internally or getting outside assistance, your results need to be analyzed to determine which infrastructure vulnerabilities should be targeted first and most aggressively.

Consider the following:

The number and importance of assets touched by the vulnerabilities

If a vulnerability affects many different assets, particularly those involved in mission-critical processes, this may indicate that priority should be given to addressing that specific vulnerability immediately and comprehensively. On the other hand, if the scanner finds multiple vulnerabilities in infrastructures running less critical applications accessed only by a few users, they may not have to be addressed as aggressively. Triage should be performed based on the new knowledge acquired through the assessment process.

Existing controls

If the vulnerabilities identified by the scan affect infrastructure that already has multiple layers of protection in place, some of those vulnerabilities may, in fact, be addressed already by existing technologies. For example, a vulnerability found on a server protected by application firewalls, encryption, and other countermeasures may not be as important to address as the same vulnerability found in a less-protected infrastructure used in testing and development, particularly if it makes use of data with stringent compliance requirements.

It’s important to weigh criticality against existing protections to determine which vulnerability could expose your business to serious risk.

Available security technologies

Your vulnerability assessment report may recommend scores of software patches and upgrades to address security holes. However, constantly applying patches and upgrades can drain time and resources.

There may be other security technologies that are more efficient and effective. For example, cross-site scripting vulnerabilities may be more easily and comprehensively addressed through a strategically placed Web application firewall (WAF) than by constantly applying patches and upgrades to multiple components.

The key is to understand how the risk profile would change when certain security technologies and policies are applied.

Location

Cyberattacks frequently take advantage of the weakest links in your infrastructure—and frequently those weak links can be found at branch offices or among mobile and IoT devices.

If your scan reveals vulnerabilities at a branch office or another remote infrastructure, this could indicate that further investigation and protection measures are required.

Professional IoT security assessments, including standard discovery and assessment services and targeted evaluations of specific devices and platforms, can help you evaluate the vulnerability of the organization’s devices and establish an understanding of associated attack vectors.
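As an added illustration (not part of the original article), here is a small Python triage script that applies the four factors above to constructed scanner output: the scanner's severity is weighted by asset criticality, discounted for compensating controls that actually cover that vulnerability class, raised for remote locations, and identical findings are grouped so one root-cause fix is considered once. The sample findings, asset data, control-to-vulnerability mapping and weights are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample findings (not real scanner output): vuln class, host, scanner CVSS score.
FINDINGS = [
    {"vuln": "xss", "host": "web01", "cvss": 6.1},
    {"vuln": "xss", "host": "web02", "cvss": 6.1},
    {"vuln": "xss", "host": "web03", "cvss": 6.1},
    {"vuln": "weak-ssh-cipher", "host": "db01", "cvss": 7.2},
    {"vuln": "weak-ssh-cipher", "host": "dev-test01", "cvss": 7.2},
    {"vuln": "smb-signing-disabled", "host": "branch-fs01", "cvss": 5.2},
]

# Constructed asset context from steps 2-7: criticality (1-5), compensating controls, location.
ASSETS = {
    "web01": {"criticality": 5, "controls": {"waf", "ips"}, "remote": False},
    "web02": {"criticality": 5, "controls": {"waf", "ips"}, "remote": False},
    "web03": {"criticality": 2, "controls": set(), "remote": False},
    "db01": {"criticality": 5, "controls": {"segmented", "mfa"}, "remote": False},
    "dev-test01": {"criticality": 3, "controls": set(), "remote": False},  # test box holding a copy of production data
    "branch-fs01": {"criticality": 3, "controls": set(), "remote": True},
}

# Assumed mapping of which control materially mitigates which vulnerability class.
MITIGATES = {
    "waf": {"xss"},
    "segmented": {"weak-ssh-cipher", "smb-signing-disabled"},
    "mfa": {"weak-ssh-cipher"},
}


def contextual_score(finding, asset):
    """Scanner severity weighted by asset criticality, halved per mitigating control, +25% if remote."""
    score = finding["cvss"] * asset["criticality"] / 5
    for control in asset["controls"]:
        if finding["vuln"] in MITIGATES.get(control, set()):
            score *= 0.5
    if asset["remote"]:
        score *= 1.25
    return round(score, 2)


def prioritize(findings, assets):
    """Group identical findings by vuln class (one root cause, one fix) and rank by total exposure."""
    groups = defaultdict(lambda: {"hosts": [], "exposure": 0.0})
    for f in findings:
        score = contextual_score(f, assets[f["host"]])
        groups[f["vuln"]]["hosts"].append((f["host"], score))
        groups[f["vuln"]]["exposure"] += score
    ranked = sorted(groups.items(), key=lambda kv: kv[1]["exposure"], reverse=True)
    # Each entry: (vuln class, total exposure, hosts ordered by their contextual score)
    return [(v, round(g["exposure"], 2), sorted(g["hosts"], key=lambda h: -h[1])) for v, g in ranked]


if __name__ == "__main__":
    for vuln, exposure, hosts in prioritize(FINDINGS, ASSETS):
        print(f"{vuln:22s} exposure={exposure:6.2f}  {hosts}")
```

In the sample data the unprotected test host outranks the segmented, MFA-protected production database for the same finding, and the XSS group spanning three web servers surfaces as a single item that one WAF rule set could cover.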

10. Conduct penetration testing

Once a vulnerability assessment is complete and the business feels it has remediated enough findings to improve its security posture, it’s critical to have a new set of eyes examine the environment and challenge assumptions.

Penetration testing is designed to probe your security practices and determine whether a malicious actor could leverage an exploitable vulnerability to gain access to valuable information.

While the technical attack is played out, penetration testers will challenge the assumptions you generated as part of your vulnerability assessment. Is the group of servers sitting behind firewalls and monitored by anti-virus protected well enough? Is the list of discovered entry points into critical applications complete, or can the penetration testers find a method of access you were not aware of?

It is common for the business to be too close to the subject matter. A comprehensive evaluation with specific goals should be conducted by experienced testers—another reason to partner with an organization specializing in security solutions—to help the business gain perspective and visibility of areas of vulnerability not previously considered. This will help the business determine where to grow next in their security assessment lifecycle and overall security strategy.

Vulnerability assessment with business outcomes in mind

Attackers will never stop trying to take advantage of vulnerabilities. If exploits exist, you need a process in place to continuously find and remediate your vulnerabilities.

Continuous security vulnerability assessments are an important part of effective cybersecurity. They can be invaluable, but only if their results are weighed in the context of the business and existing security infrastructure.

By analyzing vulnerability assessment output with business risk in mind and applying that knowledge to the development of a sound security strategy, CISOs and other IT and leadership executives can help their organizations make the most of their security budget and strengthen their overall security and compliance posture.
