Posted on Apr 22, 2020
Technology is constantly changing, and so are cyber risks and cyber criminals. To keep your organization in the strongest position possible, it is important to maintain a strong cybersecurity posture and to know how to evaluate it properly.
The cost of not doing so is considerable. According to the Ponemon Institute’s Cost of a Data Breach Report, the average cost of a data breach is $3.92 million, a cost that stretches over several years and may not include other losses, such as the loss of your customers’ trust.
A strong, well-evaluated security posture is your best defense against cyber criminals, mistakes, and other issues that can result in a breach.
Cybersecurity posture is an organization’s overall defense against cyber-attacks and bad actors. A company’s cybersecurity posture includes all of its controls, from policies to the cybersecurity solutions it may have purchased. In other words, cybersecurity posture is the collective security status of all an organization’s software and hardware, services, networks, and information. It also represents how secure an organization is as a result of all of those tools and processes.
Typically, an organization evaluates its cybersecurity posture by first deciding what its specific security goals are (what business goals it has and what particular requirements it must meet) and then choosing a specific risk management framework so that all assets can be prioritized from most to least vulnerable. This lets the security team evaluate the organization’s security posture more easily going forward. That is only a thumbnail sketch, however; a lot more goes into evaluating security posture, and there are many mistakes that can be made.
Cybersecurity isn’t one-size-fits-all. Your cybersecurity goals should align with your organization’s business goals and objectives. If you’re a healthcare organization, for example, your cybersecurity goals should reflect that by protecting patient information and adhering to the regulations set forth in the Health Insurance Portability and Accountability Act (HIPAA).
Even if your organization isn’t in a tightly regulated industry, you should be certain that your mission-critical data, networks and systems are prioritized and protected, along with the most sensitive information your company handles.
If you’re simply trying to evaluate your cybersecurity posture based on what works for other organizations, you may leave some of your own most important information and systems unprotected.
Your organization is more than just your company. It stretches beyond your company itself and into your extended enterprise, an ecosystem that includes your third (and sometimes fourth and fifth) parties. Third parties are your partners, your vendors, and your contractors. They’re the supply chain that helps you fulfill your mission, and they often have access to your data and networks. They can also deepen your risk; according to Ponemon’s Cost of a Data Breach Report, if a third party is involved in a data breach, the cost of the breach increases by more than $370,000. If you’re not evaluating their cybersecurity posture as well as your company’s, your evaluation is incomplete.
Cybercriminals are constantly evolving and changing. They change how they attack, the tools they use to attack, and they also change their targets. For example, a report from Ponemon and Keeper found that over the past three years, the number of small businesses that have suffered a cyberattack has increased. Social engineering scams are also on the rise. In order to keep up with bad actors, you need to continuously monitor your organization’s security posture, so that as soon as there’s a problem you’re aware and ready to respond.
Security is not something that can be outsourced to the Chief Security Officer and the security team. Security should be a core value at your organization, and the best way to achieve that is buy-in from leadership. Once your CEO and board show that security matters to them, the rest of the organization will follow suit.
Security is everyone’s job. Everyone at your organization should be trained in cyber-hygiene, and that training should be ongoing. Everyone should know what phishing is, what social engineering is, and how to avoid both. They should also know who your security team is, and who to contact if they suspect they’re being targeted. If your company doesn’t have a strong security culture, the job of your CSO and security team will be twice as difficult as it would be otherwise.
The simplest way to understand your security posture is often by using a self-assessment.
SecurityScorecard can help you easily evaluate your cybersecurity posture, as well as those of your vendors and others in your extended enterprise.
Our simple A-F rating system gives you a quick snapshot of your organization’s security performance across our 10 groups of risk factors, and makes it easy to demonstrate your cyber health to your company’s leadership at a glance. We then offer step-by-step remediations for any vulnerabilities that turn up during the evaluation process.