A CISOs guide for measuring your security

Eze Adighibe Headshot
Eze Adighibe
Information Security Manager
20th April 2022

Importance of business security

Measuring risk is key to business continuity. A growing attack surface will present many businesses with challenges of how to manage their enterprise assets and maintain a robust cyber security posture. An expanding remote workforce, increasing levels of data and the continuous rollout of evolutionary solutions can all present hackers with potential entry points to exploit if security measures are not in place.

Poor business security can also fall foul of compliance standards like ISO 27001 which requires organisations to develop an Information Security Management System (ISMS) aligned to the business for better management of its information security, and PCI DSS (Payment Card Industry Data Security Standard) focused on the implement of specific security controls to protect payment card data. Therefore, it is of vital importance for businesses to understand their current level of security and implement the right controls to strengthen it.

Businesses can significantly improve their cyber resilience by having a security expert, such as a virtual CISO (Chief Information Security Officer), perform regular reviews of business units and processes at organisational and individual levels. A vCISO can highlight the impact of poor security hygiene through risk assessments, while building strategies to strengthen your security posture, and help your business take steps to develop a cyber secure culture.

Furthermore, assessing your business’s security posture is important for understanding your vulnerability to cyber threats that could affect your employees, supply chain, and partners. This blog discusses 5 useful tips on how your business can measure its security and enhance its resilience against a growing threat landscape.

1. Review your existing security controls

Effective risk management is crucial to securing information security and maintaining business continuity. By conducting a comprehensive risk assessment of your operating environment with the help of a vCISO, you can gain a clear understanding of the effectiveness of your business’s existing security controls, processes and practices.

A vCISO will take a holistic view of the entire business, from its daily operations and staffing structure to business objectives and strategies. This will provide a top-down understanding of your organisation and ensure security objectives align with business goals. By understanding where your business is most at risk and where security gaps exist, a vCISO can help deliver a detailed plan of action to improve security controls and support the achievement of business goals.

By evaluating assets critical to business operations and the extent of security controls they require, you can streamline your cyber security and invest in solutions that will make the most impact. This can help you make the most out of your security budget by targeting it in the right places and measuring its impact more effectively.

2. Assess your ability to quickly respond to cyber threats

Effective threat detection and response is key to proactively preventing and containing cyber threats. Ask yourself these questions:

  • What are your current processes for detecting security threats?
  • Are you regularly updating software and applications?
  • Does your IT team have the necessary skills and experience for tackling cyber threats?
  • If your organisation experienced a cyber attack, what would you do?

It’s crucial that threats are proactively monitored and once detected, remediated efficiently to secure your business and minimise disruption. However, you don’t have to do all of this yourself. Many security vendors provide a combination of managed SIEM solutions and Security Operation Centres (SOC) services to undertake reliable threat detection and response on your behalf.

Once you understand the areas of your business security that require attention, you can invest in threat monitoring and incident response tools (or services) to improve your cyber resilience and improve the way your business measures its security.

3. Test the vigilance of your employees

Employees are your business’s most vulnerable targets. Cyber criminals will look for the path of least resistance to breach a company’s cyber security. Meaning without adequate cyber awareness training, employees will be susceptible to common attack vectors such as social engineering. In 2021, our data showed that phishing was the most common type of cyber attack, and that’s because phishing relies on impersonation and human error. So, if your employees are unable to identify signs of a potential threat, your business is vulnerable to opportunistic and preventable cyber attacks.

However, when effectively trained, employees can become your best first line of defence. Cyber awareness training should be deployed to the entire company, from employees to board members. That way, everyone can understand the fundamentals of good cyber security and how to avoid common threats such as phishing or ransomware.

You can measure the effectiveness of this by conducting regular phishing simulation campaigns to validate employee’s learnings. You can also go one step further with red teaming that simulates real-world attacks of human responses and your physical premises. Red team testing will help you understand whether your employees could withstand genuine hacking methods, assess your ability to detect and respond to threats, and strengthen your defences to prevent a real breach.

By measuring how employees respond to simulated attacks, you can understand where knowledge gaps exist and whether employees are acting with security best practices in mind following their training. Maintaining a strong cyber security culture within your organisation is key to preventing common cyber attacks and data breaches.

4. Analyse your business’s security landscape

Businesses that are aware of their security environment have a greater chance of protecting their information security. New devices and applications are being added to enterprise networks regularly. As such, these devices and applications require monitoring and maintenance to ensure the continuous identification and application of patches and updates.

When systems are left unpatched, or unregulated personal devices are used to access company servers, this can present hackers with opportunities to exploit vulnerabilities due to gaps in security. A SIEM solution can monitor network activity across all users, devices and applications, detecting threats and improving transparency across your business’s infrastructure. By identifying where your business is most at risk, through monitoring and recording changes to your network and infrastructure, business security can be maintained.

5. Regularly conduct audits and pen tests

Conducting regular audits, risk assessments, and penetration tests are important activities for measuring business security at different points in time. It’s recommended to conduct a penetration test at least annually, as they can identify vulnerabilities and misconfigurations that could pose a potential security risk to your business.

Certain information security standards and regulations (such as PCI DSS, ISO 27001 and the GDPR), require businesses to demonstrate good security practices and controls that will protect personal data. Additionally, conducting regular audits and assessments is a useful way to measure your business security by benchmarking whether your business is keeping up to date with the latest threats and changes to compliance requirements. They can help you to be proactive in updating security controls, as well as providing better defences against existing and emerging cyber threats.

In summary

Understanding your business’s security risk is an important step towards strengthening your overall level of cyber security. By accurately measuring your business security, you will be in a better position to understand where you are most vulnerable, how to address those weaknesses, as well as implementing processes and controls to mitigate cyber attacks or breaches.

This can be a lot to handle, especially if you don’t have in-house resources or expertise. If that sounds all too familiar, then your business may benefit from using an experienced virtual CISO who will take a holistic view of your organisation and provide actionable steps through comprehensive risk assessments. They will help you identify, plan, detect and respond to cyber vulnerabilities, all while managing risk on an ongoing basis.

Measuring your business security shouldn’t be a one and done exercise. With a threat landscape that continues to evolve, conducting regular risk assessments and implementing strong security controls will ultimately help your business improve and maintain its cyber security.

Eze Adighibe Headshot

Meet the author

Eze Adighibe Information Security Manager

Eze’s role as a Lead Consultant and Virtual CISO has made him a driving force behind the cyber and compliance strategy for a variety of organisations. He takes a strategic view in his blogs, often giving insight in how to get the most out of security and compliance investments.

Secure your organisation’s future today with the help of a virtual CISO.

Learn how our vCISO can provide your business with cost-effective, experienced and independent guidance to manage risk and help your business make strategic security decisions.

Learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.