Do you know your gap?

As a CISO, one of the most critical aspects of managing a company’s security program is understanding its risk exposure and any inconsistencies in security control coverage. It is these inconsistencies that are troubling for a security executive. Understanding their context and impact to business operations is crucial for the maturity of the security program and the organization overall.

For the CISO to address gaps in their security program, they must first proceed with conducting some type of risk assessment and reviewing the results. Some know this process of assessment and review as conducting a “gap analysis.” Typically for this process to be considered unbiased, it should be conducted by an independent or impartial resource such as an external partner or an internal source not directly involved in security operations. However, the organization approaches conducting a gap analysis, the result should be a report that highlights findings to include risks, recommendations and compliance requirements to any specified standards that apply to the business.

As one can see, a gap analysis can be a strategic tool that provides dividends for security programs in many ways. As a CIO and CISO, I have used this tool to establish a risk baseline for my security and risk management programs. I have used it to document improvements in current security initiatives and to highlight how security provides value to the organization through reducing hazards to critical business processes. It is important to understand that executive leadership should champion gap analysis efforts and the resulting report. These provide visibility into businesses risks, enabling executives to make detailed decisions on how the risks should be managed.

The process to conduct gap analysis covers numerous stages and will be different for each organization due to business operations and compliance requirements. With this in mind, I want to provide some common steps a CISO and business should expect their assessor to follow in conducting a gap analysis of current security and risk management controls.

1. Obtain management support: As a CISO or security manager, you can conduct an assessment at any time, but doing so regularly isn’t as important as doing so thoroughly. If you want to be effective and make improvements, then you should get some support from executive leadership. I would propose that you do this type of assessment annually and use its information as part of your program’s report to the board or management team on current risk exposures to operations.
2. Define the scope and objective: What is important here is to note that the gap analysis process can cover the entire security program and its controls or it can select a specific segment to assess, and the findings will represent the overall program. In doing a partial assessment, businesses can save time and resources, and if it doesn’t go well, then a decision can be made on conducting a full assessment and gap analysis. The CISO, assessor and stakeholders will select the risk framework and methodology to use for the assessment and what resources will be required. 
3. Create an assessment schedule: Now that the assessor has the components of a plan, it’s time to put them together, so the CISO and business has a schedule of events. I have seen assessments fall apart despite having the best methodology, tools and people, because the assessor never put together a plan that accounted for current business operations. So when the assessors came on site to start, they found that what they wanted to do for the assessment impacted the business units and the whole process quickly ground to a halt. Remember, the purpose of the gap analysis is to identify risk hazards, not create them.
4. Review and agree on the assessment plan: As with the previous stage, after the assessment team has created their plan, it needs to be given to the CISO and business stakeholders. This will ensure that all parties who are part of the review understand the schedule and the processes to follow for communicating any problems. It is critical for the success of this initiative that everyone understand the assessment plan and agree to help with the process.
5. Conduct information gathering: This will be one of the most tedious parts of the whole assessment. Typically, depending on the framework the CISO and organization selected, the assessor will use a security control matrix as a template to grade how well the business is implementing its security controls. The information collected about the specific area under review will consist of reports and documentation on whether a security control or methodology is in place and what its level of maturity is. 
6. Interview key stakeholders: Part of collecting information for the assessment involves interviewing key stakeholders in the business units or teams. Sometimes a security control is not a piece of technology but a business process. To assess how well that process is being followed, the assessor needs to speak with employees. Note, this shouldn’t be an adversarial discussion but rather a quick review to annotate that the employee understands the policy/process and can demonstrate they are following it correctly.
7. Review supporting documentation: This part of the gap analysis process is where assessors work with the CISO and security team to answer questions about some of their findings. It is at this stage that the assessors may want to talk about some of the issues they have noted and ask about any documentation or information that can be used to clarify the discovered hazards. It is important that the assessor spends time in this stage to work with the CISO and team; they need to make sure they have collected as much information as possible to provide a true risk picture for the organization.
8. Verify the information collected: All of the hard work is almost completed with the risk assessment. However, the assessor now has a large amount of information that must be reviewed to verify its applicability to the gap analysis process. I have inadvertently collected information on processes or business units not in scope for an assessment, and it’s in this stage that the assessor should remove these types of inconsistencies, so the standing data left behind is more accurate and applies to the agreed-upon scope and objectives.
9. Note potential risks: After all of the data has been verified to be relevant to the area under assessment, it’s time to note gaps in the standing security controls. This stage is when the assessor takes the business’ selected risk management framework and notes the security controls that were missing, immature or misconfigured. When I have done risk assessments for businesses, it is in this stage I like to not only list the issues with a security control but explain the impact to business operations if the control was exploited by a cyber-criminal. This explanation helps provide the business context and helps prioritize which issues should be remediated first. 
10. Document your findings: By this stage, the assessment is completed, and all of the findings need to be collected together and documented. The size of the risk assessment effort will dictate how long it will take to review all of the information and have it reviewed by a second source to confirm its validity. Usually, the assessor will go offsite back to their company or department and begin to write up their findings. What is important here is the CISO remains available to answer any questions, to ensure the findings are as accurate as possible.    
11. Develop the assessment report with recommendations: As we wrap this process up, the assessor develops a report for the CISO and the organization’s leadership team. Normally the report will have multiple parts; the first section of the report is developed for high-level executives, and is short and to the point. It will state the objectives of the assessment, the methodologies that were used, and the final standings (gap analysis) concerning the company’s overall risk baseline. The second part of the report is where the assessor goes in-depth explaining each of the processes used to measure risk, findings for each segment under review, and references used to validate security controls and their maturity. The final section of the report is recommendations to remediate findings. Again, this section will list multiple references and can be very technical in the analysis of risk hazards. Note that each section is for a different audience. I have found I am most effective in writing these types of reports when I take my information and look at it through the lens of telling a business value story about risk. It’s best to keep it simple and not get lost in the data.
12. Present report and get acceptance: The final stage of conducting a gap analysis is for the assessor to present their findings. It is an industry standard that the organization will review the report and accept the findings once all questions are answered. It is also a good idea for the CISO to be at this meeting to address the findings and answer their leadership team’s questions.

This whole process may seem convoluted at first blush, but actually, it is quite easy to follow once you understand it. Many businesses know they need to do risk assessments to meet regulatory requirements but fail to do so because they don’t understand the assessment process. Businesses also often have issues with the findings of their gap analysis reports, uncertain of how to take the information and make it actionable to manage the company’s risk. But by following this process, they can efficiently and effectively move forward with their first gap analysis.