The Case for a Structured Approach to a Prescriptive Cybersecurity Assessment
Within the assessment world, there are two basic approaches to consider: a prescriptive assessment and a descriptive assessment. Though the content may be the same, the process is significantly different, and the process chosen may have a substantial impact on the results.
A prescriptive cybersecurity framework assessment is one that outlines specific actions or steps that an organization must take to comply with the framework's requirements. This approach contrasts with a descriptive assessment, which simply describes the organization's current cybersecurity posture without necessarily offering specific recommendations for improvement.
Prescriptive cybersecurity frameworks such as HIPAA, PCI-DSS, etc. are often used for assessments in highly regulated industries where compliance is mandatory, such as healthcare, finance, and state or federal government organizations. Other prescriptive frameworks, such as CIS (Center for Internet Security) and NIST CSF, are adapted for use in general maturity assessments. Regardless of the particular use case, prescriptive frameworks ensure all controls and directives are reviewed.
A Structured Approach Matches the Need for Prescription
With the requirement for all controls to be addressed in a prescriptive assessment, a structured approach is the optimum way to ensure all needs are met.
Structured Assessment Flow
The general flow of a structured cybersecurity framework assessment involves:
- An executive management review that aligns strategic business objectives with cybersecurity/information security initiatives, current known risks and their associated activities, cybersecurity goals, and current in-flight projects
- Subject matter expert (SME) interviews regarding specific controls, safeguards, or directives
- Scoring each control and directive using objective criteria and documenting the revealed gaps
- An interim stakeholder review, showing assessment scores and gaps
- A presentation of strategic business and tactical risk mitigation recommendations
If the target of the assessment is improved cybersecurity readiness, a prescriptive assessment will find detailed and specific tactical items to address and then build the strategy from there, whereas a descriptive assessment will find general issues, drill down to quantify specific issues, and develop a strategic remediation plan.
Structured Assessment Benefits
Structured assessments can provide several benefits to organizations, including:
- Standardization: Structured assessments provide a standardized set of requirements, guidelines, and controls that organizations can use to benchmark their cybersecurity posture. The organizationally defined benchmark should be compared against industry norms and used to define organizational maturity. Over time, repeated structured assessments help an organization recognize where they have improved and what they need to work on.
- Long-term View: Every assessment is a snapshot of the cybersecurity posture of the organization at that specific time and, if done regularly, a clear pattern of improvement is easy to recognize and communicate to stakeholders. Repeated assessments show an organization where improvements need to be made relative to a baseline, and scores generally improve over time. In some instances, scores may decrease for reasons such as a lack of executive support, mergers and acquisitions, improper onboarding of new employees or vendors, and even the addition of new technologies within the environment.
- Fixed Focus and Duration: A structured assessment defines the specific controls and objective scoring criteria an organization will use to measure the current state maturity and measure ongoing improvements to its security posture. The fixed nature of a structured assessment leads to a definable level of effort and resource requirements which reduces the burden on all stakeholders.
- Common Language: A structured assessment provides common terminology for communication between the organization, its stakeholders, and regulators. Common terminology provides clarity in articulating cybersecurity posture and demonstrates a commitment to security which can be marketed to customers, partners, and other stakeholders.
- Scalability: The fixed focus and duration nature of a structured assessment provides the repeatability and dependability needed for large organizations to conduct thorough and efficient assessments within multiple lines of business. The results can be collected by individual units and then aggregated to provide for comparison across units and to generate an overall cybersecurity profile. Scalability allows the organization to make decisions at the individual unit or higher organizational levels depending on the granularity of the finding and mitigation requirements.
- Assessor Expertise: Because a structured assessment relies on defined controls, safeguards, and directives, its quality depends more on the SMEs assigned to provide assessment responses than on the assessor. This decreases the burden on an experienced assessor and makes it more feasible to assign the assessment to a less-experienced assessor.
The well-defined nature of a structured assessment lends itself to consistent, standardized results, scalability, and potentially a reduced cost. The target remains an improved security posture, regardless of the type of assessment.
Downsides of a Structured Assessment Approach
Here are some scenarios where a structured cybersecurity framework assessment could be problematic:
- Over-emphasis on scoring: Organizations may become overly focused on complying with the requirements of the framework rather than on truly understanding and mitigating their cybersecurity risks. An example of this would be when an organization is targeting a “number” and not improving security. Getting to a “3” for a specific control may increase the score, but it won’t necessarily improve the protections. An organization may have all the controls active and mature and still not have the quality necessary to avoid compromises. Just because an organization is compliant with a cybersecurity framework, it does not necessarily mean that it is immune to cyber threats.
- Blanket approach: Structured cybersecurity frameworks may not be appropriate for all organizations, especially those with unique business requirements or operating environments. A one-size-fits-all approach does not consider the specific needs of an organization and may result in missed requirements and unnecessary expenses or restrictions.
- Version-specific: Structured cybersecurity frameworks must be revised to keep up with rapidly changing cybersecurity threats and technologies. Relying on strictly structured frameworks may result in using outdated or irrelevant requirements, missing new technologies or capabilities, and reduced security maturity. Version changes in a structured framework may create a comparison challenge when baselining against previous versions or previous assessments. A detailed “crosswalk” should be created to provide up-to-date comparisons and reduce conflicts.
In summary, while a structured cybersecurity framework assessment can be helpful for organizations, it is important to recognize its limitations and ensure that it is used as part of a broader cybersecurity strategy that is tailored to the specific needs of the organization.
A Note About Subjectivity
An audit is typically a third party determining the organization’s compliance against a prescriptive framework. In an assessment, the assessor and the organization together determine the organization's level of compliance. An assessment is primarily a tool for improvement, whereas an audit is used to ensure compliance.
All assessments contain subjectivity, whether they are prescriptive or descriptive. All respondents are communicating their current understanding, which may be distorted by circumstance, perspective, and recency bias.
- Evidence reduces bias. Requesting policies, procedures, standards, and other documentation should reduce the inherent bias and improve the scoring of the assessment.
- Minimizing subjectivity, as much as reasonable, is a goal of both prescriptive and descriptive assessments. But it will always be present.
Making All Assessments Better
Regardless of the type of assessment, there are specific steps that can improve the value of the assessment to an organization.
- Select a framework as a basis and stick to it: Changing frameworks frequently will hinder the communication and adoption of the framework. Find a general framework and approach that works and use that.
- Customize the assessment: Organizations should customize the assessment to their unique business needs and security risks. A combination of frameworks, using some controls from each, may optimally meet the requirements. Some organizations may have specific technologies that need to be addressed, such as OT, IoT, or mobile devices. Continually adjust security controls as new risks and emerging threats are identified.
- Rinse and Repeat: An assessment should be viewed as a continuous process and not as a one-time event. Set a cadence to regularly assess the organization, in whole or in part. Compare results to determine improvement and next steps.
- Focus on risk: Organizations must prioritize security controls and mitigations based on risk, not on other non-critical issues. Improvements can be made everywhere, but only those that will truly reduce the organization’s risk should be undertaken. Regular risk assessments are required to adequately determine the priorities.
- Score maturity, then quality: Start by achieving a level of maturity, which is defined by activity, that is, meeting the requirements. Then move towards scoring quality to show the effectiveness of each control in reducing cyber risk.
- Use the results: Evangelize the results throughout the organization. Cybersecurity is a team sport, rather than a technical problem. Get the entire organization to embrace the fight against malicious actors disrupting your environment or pilfering assets. Use the results to prioritize vulnerability scanning, patching, and penetration testing efforts.