It is easy to get lost in lengthy checklists and spreadsheets during a cybersecurity risk assessment. While the detailed checking of vulnerabilities and safeguards is important, it is equally important that you allow yourself some time to step back and ask yourself – does this look right?
Like in a home construction project, the sum of all the small and detailed steps does not always add up to what you expect or want. Small variations – such as angles being off by a fraction of a degree – can add up (or worse, compound), leaving you with a door that won’t shut or a last piece that won’t fit where it should.
To check that your work is plumb and level, here are some checks and thought exercises I’ve found useful:
- Whatever methodology you used, have you cross-referenced it against at least one other methodology or authoritative source? Some of my favourites are the CIS Top 20 (now published as the CIS Critical Security Controls), OWASP's Cheat Sheet Series, and NIST's FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
- Think of the worst breach scenario for your client – the one thing that they really can’t have happen. What is in place to prevent this from happening?
- Review 3 major breaches that have recently been in the news – did your analysis cover these types of attacks? Is your client well-positioned to defend against them?
These are a few things that have served me well. Stretching the construction analogy even further, the end product is stronger when it is made up of several layers of laminate where some go with the grain, others against it.