About this session
Big enterprises, startups, scaleups, organisations mature in security and those just starting their journey: we all, from time to time, find ourselves wondering what's next. What should we do to make this company secure? Are we doing the right thing? Cybersecurity assessments help to get the answers and find a way forward. We will talk about frameworks and approaches, how to start self-assessments, and what to look for in third-party offers if you need help. At the end of the presentation you will know what type of assessment you need now and what first steps to take.
Dinis Cruz - 00:03 Welcome to this Open Security Summit session in April 2023. We have Anna, who's going to walk us through Cybersecurity Assessments: Finding the Way Forward. Over to you, Anna.
Anna Lezhikova - 00:15 Good evening, everyone. Right, and it's a rainy, stormy, cold autumn morning here in Wellington, New Zealand, 5:00 a.m. That's why, forgive me if there are any mistakes or I slow down or anything like this, but I'm really happy to be here at the Open Security Summit again. You can hear from my accent that I'm not a native English speaker. I'm originally from Russia, but I moved to New Zealand over ten years ago now, and I work as a cyber security consultant at a company called Defend here in New Zealand. We provide a lot of different services, including just general consulting, which I do. I lead assessment practices in our company, meaning I'm in charge of defining what good looks like when we do assessments for our clients, like cybersecurity assessments. That's why I decided I want to share my experiences, because I do this with multiple clients often, and I just wanted to share how we approach this, what benefit comes out of it and what you can do.
Anna Lezhikova - 01:33 Because this is, I find, a very useful thing. Every company at some stage goes through this. So let's have a look. Why are we doing cybersecurity assessments? Finding the way forward, I call it. What I see every day is that cybersecurity is complex, very complex. We cybersecurity specialists often assume some knowledge and just the state that exists. It exists only in the area that we can see, in our professional area. When we go outside, it's not as developed as we think. We go outside more and more because cybersecurity today is not an information technology, not an information security area anymore. Today we're talking about secure operating models. What does it mean? It means that today security is part of business function, of every business function. Because decades ago, even a few years ago for some companies, digital, like cyber, was only part of the business. Maybe they were using email or something like this, then eventually file storage.
Anna Lezhikova - 02:59 Today, I assume you won't be able to find many businesses not having a digital footprint at all. For the majority of businesses, being digital is just like the core business. It means that cybersecurity is part of the core business, not the IT function anymore. When we go out of our IT box and embed security in everything, now it's just that all the relationships, everyone involved, so many different people with different levels of understanding, different functions, need to operate securely. This is really hard to grasp with just an eye; even in a small company, it's almost impossible today for just one person to keep it all in their head and come up with roadmap solutions or any kind of security program. That's why we need some kind of structured approach to understand what's going on. I think it's the same. We could talk about assessments first, but what is an assessment in general?
Dinis Cruz - 04:09 Just a quick one on the point you just made, right? I think one of the things that's interesting that you're touching on is the idea that security is now much more than just even an IT function, right? Because we need to think about security as embedded in the whole company-wide operations. Which also leads us to: when we think about fixing and driving change more and more, like my big paradigm shift was realizing that we're not talking about improving a bit of security here. We talk about changing how sometimes the business operates. It's about driving change, because if you can't change sometimes some business process or some business activities, business funding, you won't be able to change security. Because security is almost, we sometimes measure the side effects of certain security or some of the business practices.
Anna Lezhikova - 05:05 Exactly. That's why when we talk about security, we don't talk about technology anymore. We talk about people, processes, technology, and the proportions of this can be different. We in Defend, we believe that the people part takes 50% of all security activities, when the processes are 30% and technology only 20%. What I see among clients a lot is that people still do this: security equals IT. That's why often people who are in charge of security are part of IT. Like, their security manager will report to the CTO or IT manager or something like this, right? So it's still there. For me, it's the same situation as with knowledge work. We just saw a shift recently from the conveyor, like this production factory floor, to knowledge work, to say, oh no, it's different, you can't just use this 40-hour week or these work shifts or these things. You just really need to find new ways of organizing work for knowledge work.
Anna Lezhikova - 06:19 That's like remote work coming in and the rejection of remote: no, you need to be in the office. No, you don't have to be in the office for this type of profession. You need flexible hours because you can't just produce knowledge on a clock, right? Like Pavlov's dog, that oh, now you need to produce that. You produce knowledge from eight to twelve. You build this into your timesheet, right? So it doesn't work. A lot of people realize it and it's already widespread knowledge. With security we see the same picture; it has just started spreading, the knowledge that it's not just an IT function anymore. Because digital is the core type of functioning for any company today. I highly recommend to Google and look into secure operating models. That's the topic that talks about this, looks into this problem. We've got a very cool expert in this in our company.
Anna Lezhikova - 07:23 My colleague. I might talk to him, just to talk him into presenting this idea at this forum next time. Yeah, cool idea. Yeah, I'll talk to him. So, moving forward from this, what our assessments are, because now we agree that this is everywhere now, and now we need to assess everything. If we go to assessment just in general, if you Google assessments first, just like assessment, the first one will be about education, about people, like students, all the stuff, how we assess people. Second will be assessing systems: first people, then systems. In general, I would say it's the process of evaluating or appraising something to determine its quality, value or performance. We just look at something and say, this works like this. We also define good or bad. Does it work well enough or not? So, very simple.
Dinis Cruz - 08:31 If you take this, right, isn't there a case to say that there are lots of areas in the business that also care about this? One of my jobs is at a big company in the UK, and there are parts of the business that have nothing to do with cybersecurity that care about this, that are focused on managing quality, managing value, managing performance. That could be throughout the supply chain, that could be in HR operations, et cetera.
Anna Lezhikova - 09:04 What's the name of this? Just the abbreviation for the index when they ask, would you recommend this company? Yeah, NPS. So we do NPS in big companies. We do employee NPS, right? The internal one. It's an assessment.
Dinis Cruz - 09:28 Exactly, yeah.
Anna Lezhikova - 09:30 That's why, for example, in Defend as a practice lead, I am working not only on cybersecurity assessments, consultant-led assessments, but also I'm in charge of the general framework of assessments of all areas in the company, including Microsoft 365 and all the engineering stuff and architecture and things, as the framework. What does it mean to assess, what are the steps in the procedure? We will talk about it here, but today we will be talking not about assessments in general, we will be talking about cybersecurity resilience assessments, because this is the one that you start with; this is the one that I would say is the system health check. In our case, cybersecurity systems, the whole system through the cybersecurity lens, or the health check. And the health check can be triggered by different things. You've got something not working or pain somewhere, you go to the doctor and the doctor says, I'm not sure, I think it might be this, but let's do this blood test and maybe some scans or ultrasound, who knows, right?
Anna Lezhikova - 10:47 Sometimes you feel fine, but you still go for the health check because this is your regular one and you're aging and you really want to know if maybe something is already changing. You don't want to be reactive, you want to be proactive. So that's the same principle. And I really love this joke, because it applies to cybersecurity assessments a lot; for me as a consultant, I come across it every time. A patient, a person, comes to the doctor and complains, I've got pain everywhere. The doctor asks, where do you have pain? I have pain here. I have pain here. I have pain here. Doctor, am I dying? The doctor looks at his finger and says, not sure, your finger is broken. Right. I see. It's also like, we've got this problem with this cybersecurity thing. I look at this, and now, unfortunately, it's not a cybersecurity or information technology problem, it's a business problem.
Anna Lezhikova - 11:50 That’s what you mentioned, and you have to change your business process.
Dinis Cruz - 11:57 Couldn't you rename this to say cybersecurity assessments: finding a business system health check?
Anna Lezhikova - 12:05 Yeah. As a business system health check, yeah, good point.
Dinis Cruz - 12:08 Because there's a direct correlation, isn't there? There's a direct correlation between the things that we raise in cybersecurity, which tend to be side effects, and a business health check, which are operations that are not working effectively.
Anna Lezhikova - 12:22 It's when we talk about cybersecurity assessments, finding. If you do any assessment, it will be a system health check. Right. For example, you do your Microsoft 365 assessment. You are checking the health of your Microsoft 365 ecosystem. Right, just in general.
Dinis Cruz - 12:44 Cybersecurity, I think, has a very interesting property, which is, if we can connect the dots, we can connect a problem with its side effects and its risk. In a way, if you think about it, if you apply risk analysis to the outcomes of your assessment, and if you then connect your risks to your threat agents and your assets and your values and the probability and your incidents, the health check becomes a lot more significant. Because it's not just this is bad or this is normal.
Anna Lezhikova - 13:18 We'll get there. We'll get there. That's the thing that I see a lot in the industry, and that's what we offer differently. And we'll talk about it. So yeah. About these business patients. Yeah. Another thing to be careful of is that sometimes people misplace, like, confuse audits and assessments, and just be careful when someone says, oh, we need to do an assessment, and sometimes they mean an audit, and vice versa. When some people say, oh, let's do the audit, but actually they're doing assessments. But there is a difference, and there is a difference in the standards. So for the audit, it's documented criteria. Sorry, I've got a typo in here. Anyway, I'll fix it. It's documented criteria and it's very strong, like, very strict. Like, you've got, for example, ISO 27001. It's a certificate, like certification. They've got very strong, strict requirements and you have to check everything.
Anna Lezhikova - 14:32 Do you meet it or not? With assessments, it's general guidance. You can follow these standards, but you don't have to. Another quality of our assessments is that they're systematic. With assessments, you can use any framework; it's very flexible. You can change it to meet your current business requirements, or company or any of the situational requirements. With audits, it's documented procedures. That's why you have to be certified to be an auditor. You have to learn, there are rules and that's quite strict. The most important one, I think the biggest difference between audits and assessments, is the trust. With audits, you can't check the box if you don't have the evidence, and you really dig deep: show me this and this. With assessments, we don't do this, because for assessments, speed is more important than digging deep, and we just ask questions and people will say something like the answer, yeah, we do this or we do that, and it's good enough for assessments.
Anna Lezhikova - 15:43 We don't observe, we don't go to logs or anything like this to prove that they're doing this. This is very important to understand, because when you do your internal assessment, don't dig deep; just really look at what's happening, talk to people, and it's good enough for this type of evaluation. Any questions here?
Dinis Cruz - 16:06 No, I think it’s great. I think you can add there’s definitely some memes that you can add to this, right?
Anna Lezhikova - 16:12 Yeah. But just be careful.
Dinis Cruz - 16:17 Because I think that there is that thing where, I won't say it's on the two worlds of, do you want to be compliant or do you want to be secure? Right. Actually, if you want to be compliant, you can do an audit. Right. If you actually want to be secure or safe, you actually do assessments, and you need to have the feedback loop, and then you have those maturity models of understanding where, also, but also the assessment allows you to add a context, because you want to then start to put things within. Again, I think in security we do a lot of disservice by focusing sometimes too much on audit-type things, on the exact checklist, right? Which can actually cause a lot more damage than other things, where if you can have an assessment and you have context, then you can adjust much more the risk appetites of what you're operating on.
Anna Lezhikova - 17:13 Audits work perfectly with the tech side of security and also well with processes. Audits don't work well with people, and that's why you need assessments. It means that when you do audits, you miss 50% of your security activities. Right.
Dinis Cruz - 17:31 I would even argue even on the first one, they don’t work very well. Right.
Anna Lezhikova - 17:34 Anything is still better, but on people, they just don't work at all. You can't checklist. That's why, but you need all of this, because you need audits, like you said, for compliance and for other regulatory obligations. Right. But people just misuse these words often.
Dinis Cruz - 17:56 The key there is evidence. Right. I think the other key word that you have there is evidence, right, on this. Actually, Billy just made a really good point. Billy, I'll just make you a co-host. You can chip in, right, if you want to. Right? You want to just make your point. You can just send it on the chat if you're able to.
Speaker 3 - 18:22 Can you hear me?
Dinis Cruz - 18:23 Yeah, we can.
Anna Lezhikova - 18:24 Perfect. Hello.
Speaker 3 - 18:25 Hi. Pretty much every business I’ve worked in, I’m not really a cybersecurity professional or anything. I’m learning right now, but not necessarily dealing with security. Anytime there is any kind of an audit or something like that.
Dinis Cruz - 18:51 Everybody.
Speaker 3 - 18:52 Is told about it. We’re all on alert, ready for this. Usually on a specific day and a specific shift that the auditor is going to be showing up and everybody is behaving themselves and is being perfect just to pass that audit, completely defeating the entire purpose of it.
Dinis Cruz - 19:21 You’re compliant on July 22, right. And then October 714, which is the.
Speaker 3 - 19:27 Dates of you need those surprise audits where they just show up.
Dinis Cruz - 19:34 Or you need, but then this is the thing again, it uses the definition: if you go to an evidence base, you can ask for evidence that has happened throughout a period of time. Once you go, versus a trust-based, so yeah, we're doing it, to evidence, then you cannot just act in one day. Right. You actually have to show that you've been acting like that throughout the last six years.
Anna Lezhikova - 20:02 Absolutely. Yeah. When you're trust-based, because you talk to people and gather this information, analyze it, and you are human and you talk to people, not by just asking the questions, but pulling these things out, like conversations. I can tell you as an assessor that it's very difficult to hide things. You can feel it, you can see it, how people talk about their controls and procedures. Okay, let's move on. We've got a few more slides to cover. Okay, so another thing; we're not talking about assessments as rules, but something that we have to keep in mind. The assessment should be fair, and by fair I mean that you should not paint the picture better than it is, internally or externally. You should really be honest about what's happening, and it should be valid. You can't just come up with things or pretend that you see something or don't see something.
Anna Lezhikova - 21:07 They really need to be, like we say, no evidence, but it should not be fantasized too much. Some people think about it, but you need a bit to have use. That's why I use cross-examination kinds of techniques to make sure that whatever information comes is true. They need to be reliable. What I mean by reliable here is that it's not freestyle; there's still structure and procedure to the assessment. It means that you can repeat it and then you can compare results. When you see the numbers there and some charts and findings, you can build your program or do some actions based on this. Useful, this is an important one, because often I see reports that have a lot of information; they're huge and they're very informative and interesting from the, again, expert point of view. When you give it to the business and they read it, they just look at you and say, we don't know what to do next.
Anna Lezhikova - 22:22 Sometimes I come across these clients that had this assessment, some kind of assessment, a long time ago, and say, yeah, we've got this document, but we didn't do anything because we didn't know how to act on it.
Dinis Cruz - 22:38 Yeah, I think there are some interesting, sorry, there are some properties that come out of it, like reliable, repeatable. It's interesting because again, you're almost making it focus on the quality outcomes we want to get. To be useful means it should be actionable, something should come out of it, right? You want to make sure that people understand it, and you can repeat it, like reliable. If you make the same assessment every month or every week or every six months, you should produce similar results, right? Or else you don't get that, right? That's why I like the definition of assessments, because it forces us to also measure these properties, which is what we want to be.
Anna Lezhikova - 23:23 Indeed. Now, how this assessment fits into the cyber, like, we're talking about cyber resilience now. We will talk about assessments in general. We will talk about cyber resilience, or sometimes it's called maturity. We prefer to call it cyber resilience, and I'll just explain why. This is the kind of paradigm I came up with, that I utilize for my work today. When we talk about good security posture or mature security, that's some kind of baseline that we want to get to. The company starts their security journey, so they want to get to some state; this is a good state of security, and they create the security program to get there. I see a lot of companies at this stage, because a lot of companies are just starting their security journey. They use assessments; they do assessments at the beginning. This is where we are. That's how assessments really help to shape the security program, showing the gaps.
Anna Lezhikova - 24:31 Because to be honest, I see companies that are just really zero. No, they still have some. Microsoft is doing a good job there, because as soon as the company signs up for Microsoft, they get fed all these bits and pieces, like they're sold to them. Some of these bits and pieces are about security. It's just embedded in there, like Azure AD, or just going to the cloud in general, or some other Defender. It's there, and it means that they've got some controls. What they're missing, in the majority of cases, is the program, some good plan, some understanding, like thinking around, okay, this is where we are from a cybersecurity resilience point of view, and where we need to move to. We do assessments for them, and the assessment report is a huge help to define this program to the good posture, for mature companies at any level of maturity. The problem is then, as soon as you get to this point, it's good enough.
Anna Lezhikova - 25:49 There are some companies, I've seen some companies that are amazing, and luckily we have them and I wish we had more. People and companies are growing in this area, so they achieve this good state. But the environment is constantly changing. The thing about resilience is that, for me, I define resilience as being able to adapt, to withstand the change and stay secure when the environment constantly changes. You constantly redefine your good and you check how you're doing against the redefined good. That's the mistake people are making today. They define this is the good place, we assessed against it, and then in a year we assess again, and in a year we assess again. The thing is that the definition of good changes. You need to change this defined good and then check against this new good. So there are two parallel processes happening. It's like juggling things, but for the mature companies it's not just about the security program, but how to change your goals, how to make sure that you check against your risks all the time, how you embed the change in the threat environment and the staff.
Anna Lezhikova - 27:34 So how to keep this security posture. Again, you use assessments to check how you are doing.
Dinis Cruz - 27:44 On that, do you also measure the cases where security happened because you embedded pieces, and where security happened because you had to put energy into it? For a good example, let's say that you arrive for the first time at the company; a lot of the security activities are going to happen because you put energy into it, right? Almost, you have to use a security program to move the needle. If you go back to your initial point, which is, a lot of times what we're doing is we're changing business processes and we change how the business operates. There are going to be times where you actually change how the business operates so that the next iteration of the business is already at a good level of security. You almost don't have to put energy in, basically, to keep or maintain that state. And I think that's a very interesting
Anna Lezhikova - 28:35 Way to you still have.
Dinis Cruz - 28:41 To, but it’s almost like it’s the place where you actually got security because you change how the business operates versus the more whacka mole where you have to go, okay, let’s keep improving the security which basically via security program, right?
Anna Lezhikova - 28:59 Yeah, you change the business and the business changes. Even if this stuff is still, like, just imagine that you change the business and you've got a much better security posture now. You would think, we've got fewer things to do now, but the threat environment changes.
Dinis Cruz - 29:24 Yeah, I don't think we have less to do, because yes, you're right. Also you increase the things you want to change. Right. But your scope increases. I think it's interesting to measure how much real impact you're having, how much you're moving from whack-a-mole to actually doing a lot more strategic things and already working much more on the medium and long term, where the business is going. Because the business is also changing dramatically.
Anna Lezhikova - 29:51 Yeah. So you can measure whatever. What I love about this simple paradigm is that it helps to just look at this from different angles and talk to everyone in the business. Because you add details in here; if you apply it to a company and adapt it for the company, there will be business risks, business processes, and it allows you to talk to the business about it. And I agree with you. Like, the security program here, it's not a classical security program. The security program is what we were talking about with the secure operating model, based on the secure operating model. It's not just like, okay, let's create policies now. Let's configure our controls and stuff. Now, the security program here would be: we have a security steering committee that talks and reports to the board regularly. In this committee, we've got representatives from all business functions. We decide what we need to do with people, processes and technology.
Anna Lezhikova - 31:01 That's why the security program should not be part of the IT department. This is the top business-level thing, driven by the security steering committee.
Dinis Cruz - 31:16 How do you capture the data that you show there? Do you have tools that you use, spreadsheets?
Anna Lezhikova - 31:20 How do you capture data? You're talking about assessments.
Dinis Cruz - 31:23 Well, the output of the assessments, and then the translation from the assessments to
Anna Lezhikova - 31:27 The... we've got 20 minutes to cover the slides. Okay, so when we're talking about cybersecurity assessments, we do not reinvent the bicycle, we use frameworks. Actually, you can use any framework, including ISO 27001, because they've got a set of controls. You can use any set of controls as your question points. But again, we're not doing an audit. You see, this is 27001, it's not about audit, but it's using this structure, their approach, how they slice this elephant. Right. I call it a butcher map. You can use any butcher map in here. The most used, like the two that I use almost every day, are NIST CSF and the CIS 18 cybersecurity controls. For New Zealand, also very important is the NZISM that all government agencies use. I think for Europe, it will be something like GDPR guidelines or some other stuff.
Anna Lezhikova - 32:34 ISO 27001 is also a good framework, because it's not the controls one, that's 27002, but this one is called risk management certification. It really helps to understand your controls, how they relate to risks. We will talk in more detail. I will use NIST and CIS as examples, and we'll look right now at how an assessment would look and what we would use there. The assessment procedure that I use, and I've looked at other solutions like tools and stuff, and for most of them it's the same. We get the context, just to really understand what we're doing here, what the organization is about. Especially for an external assessment, it's very important to understand what this business is about. That's where I have a meeting with the customer and I just ask, so what's your business? Tell me about this, so what do you do, what are your crown jewels?
Anna Lezhikova - 33:39 What's the most important to you, what's your place in the industry? And all these types of questions. Then we create a threat taxonomy. We either ask them, but not all companies have it, and it's not even the risk register, because often it's not usable for assessments. We just create this risk taxonomy to understand what the major risks are for this company, depending on their industry or the nature of their business. We gather data by conducting interviews, sometimes reading documents, but interviews are the main source of the data. Then I do analysis. All these interview answers I will record into a tool or spreadsheet, and we'll talk about it in more detail in a second. And then I score the findings. Again, we'll talk about it, what does it mean and what's possible in there, and then I will compile a report with all these charts and findings and recommendations, and then I will present it.
Anna Lezhikova - 34:39 Again, the type of presentation will depend on who we are talking to. Is it just business, or the business and experts, or just experts? It depends. Sometimes I do more than one presentation, for different audiences in the company. Let's have a look into each step in detail, where we'll talk about tools and what's possible. So, context gathering: it's important to identify stakeholders. It's not only for external; for internal assessments also, it's important to understand who will consume your report and whom to talk to, who will be in charge, like who will help you get access to the people you need to get access to. You need to identify the main respondents, not everyone. You do not need to interview everyone in the company, depending on the context. You really just, okay, I need to talk to the CFO, COO and CTO, for example, plus whoever is doing the security manager job, because there will be technical questions about infrastructure, network and devices and all this stuff.
Anna Lezhikova - 35:52 Then we describe the business context, just what this business is about and what's important for it, and create a threat taxonomy. So, threat taxonomy: there are a lot of guides, you can just Google it and there will be a lot of lists, like trees of all possible threats. I have my guide; I just use it for my conversations. I get this from conversations with people. Just, what's important for you? What's the worst thing that can happen? What will happen to the business?
Dinis Cruz - 36:25 I really like that. How do you store that tree?
Anna Lezhikova - 36:32 Yeah, so it's just a document, and for me, there will be a high-level taxonomy. Sorry, some of the stuff I can't share because it's intellectual property of the company and stuff.
Dinis Cruz - 36:43 Yeah, of course.
Anna Lezhikova - 36:49 The threat taxonomy for me is just a tree. The high level will look like data loss, system compromise, outages, like unavailability; those threats, right? There will be something like this. Then inside you'll have different types. Data loss: you'll have intentional data loss, unintentional data loss, like unintentional data exposure, intentional loss like a breach. For system compromise, it will be credential compromise or network perimeter breach or something like this. If you Google, you can find it online. There are different things, because if you are doing assessments internally, it's a nice thing to have. A mature company will have it done, because usually it's one of the things we also offer, where I do threat taxonomy, like threat workshops, right? So in the business, you'll have it, but if the business is not mature enough, especially if it's a small company; we do assessments for companies of ten people in size, why not?
Anna Lezhikova - 37:59 They also need it, for the organizations.
Dinis Cruz - 38:02 Do you have threat trees that are customized to specific business sectors or particular teams? Do you isolate that taxonomy a little bit?
Anna Lezhikova - 38:10 No, for myself, I just found out that the difference between businesses, so it's more about the stage of the business than the industry. There is a huge difference. For example, differences like health, for example banking, like finance: health, finance and then everyone else. Because we don't go deep into physical security here; from my experience, physical security is in most cases well covered because it's health and safety. There's a lot of regulation.
Dinis Cruz - 38:49 No, I was thinking more in terms of the different maturity levels of different parts of the organization that will have different threads, but also the assets that they have. If you look at a part of the organization that deals with healthcare data, it’s very different from an organization that deals with public information or a part of organization that deals with let’s say CVS or HR data, right? Each of those actually has different threads and different threat actors, right?
Anna Lezhikova - 39:15 I found out that all organizations there will be something like for all of them, there will be shared common threads like all the same. Everyone is susceptible for data loss and system compromise. Right. What’s important is the details. I do the report, I put there like in what form exactly for this business, the threat can be materialized. Right. I was thinking about, okay, we can have different taxonomies for different industries at the blueprint to use. Then, I don’t know, it’s just at the blueprint level, it’s the same for everyone. At the detail level, it’s different for everyone.
Dinis Cruz - 40:04 Of course. Yeah, cool. Absolutely.
Anna Lezhikova - 40:07 Yeah. So data gathering, what do we do? So interviews and documents. Yes, and interviews I really enjoy because it’s kind of interrogation and cross examination, but in a friendly manner. Because what you try to find out is the truth, you try to find out who’s the murderer, right? Murderer kind of thing. Sometimes I feel like they are accused or trying to, what do you really mean? What are you really doing here? Because sometimes people really do not understand how these things are connected to security and why we are asking this. I explain that, this, how it can be exploited. That’s why it’s important that you are doing this or this and this area of things. A lot of education happens during the interviewing because people didn’t think about a lot of things before they were asked. I really love assessments as a part of eye opening for people.
Anna Lezhikova - 41:05 When you start asking the question what about this, what about that? Oh, we didn’t think about this, we didn’t know it’s connected to our cybersecurity and all this stuff. Now, you know, thank you so much. They start thinking in this direction. So I really enjoy this. Documents: what I usually do is just to really look at the information security policy, a few standards, their existence is already a good sign. I don’t go deep into the detail, that’s the audit job. It’s nice to look at these documents to see the security culture. You can see the information security policy, the main one, it just tells about the maturity of the company straight away. Tools. This is an important one for most of the cases. There are some tools on the market. Unfortunately, I have yet to come across a good one. For self assessment, for internal assessments, when you do it not as a consultant, as a business to a company, like to many customers, but if you just do it for your company, there is some stuff, they’re all the same.
Anna Lezhikova - 42:20 What’s important is not the quality of the tool, but the understanding of how to apply it. We’ll talk about it in the next slide. At the beginning you don’t even have to have a tool, you can use a spreadsheet. What you do, you take NIST for example, and NIST has all these functions, categories and subcategories. Each subcategory you turn into a question about the subcategory and then you have a column for information about answers. There will be a scoring column for score, we’ll talk about it, and then you take all the scores into the next tab and then you create charts. I’m sure if you look up online there will be something that people might have shared, because we use our internal one, my personally developed spreadsheet for CS assessments. I just conduct the interview, I will just put all the answers into the boxes, then I will score it and then all the scores go into these charts.
Anna Lezhikova - 43:27 I have these charts by function, by device, by type of control. They’re called safeguards in CIS, and then NIST the same. You also put recommendations in another column that will help you to see. We’ll talk about it in the analysis, how I look at the recommendations and then compile a report. With tooling, I can show you one tool for CIS 18. It’s a nice tool that you can use for self assessment. But can you see this? Can you see my browser?
Dinis Cruz - 44:08 Yeah.
Anna Lezhikova - 44:11 The links to all this stuff will be at the final slide. There will be links to all these resources so people can just look at it, take a screenshot or whatever. This is like the CIS Controls Assessment Specification. It’s an open source document that is shared on GitHub. You even can edit it by creating a pull request. What I love about it is that if you go to a control, it’s got all the different explanations of this control, even more than in the official documentation. You’ve got safeguards for this control and for safeguards you’ve got inputs and what you need to do. So this one, be careful with this one. I don’t use it literally like it is, because it sounds like audit. Like you really gather evidence and you count things like how many unauthorized devices compared to authorized devices you have in the system and this type of stuff.
Anna Lezhikova - 45:16 Reading through this will really give you a good picture of what we’re talking about in here. If you need to go to more measured stuff later, this also has all these formulas and metrics for how to measure the stuff. So this one is also good. You can use these metrics as part of your security program, but don’t take it literally. If you go to self assessment, you don’t have to collect all these metrics and calculate them. You can if you have time and it’s required by your organizational style. If there is need for this and budget for this, time budget, you can, but you don’t have to; just take it with a pinch of salt. Just like you don’t have to do all the steps literally how they recommend it here, but it’s a very good example of how you can turn assessment into metrics later for your cybersecurity program.
Anna Lezhikova - 46:20 Yeah, in general you can just start with the spreadsheet and it works. Analysis. So this is a very important one. That’s where the threat taxonomy plays the key role, and that’s why I’m saying that unfortunately, ChatGPT so far cannot help in here. That’s another point that I will talk about later. You can have self assessment or you can outsource it, invite a consultant. That’s where the consultant really pays off, in analysis, because this is a tricky thing. You record findings for each control or safeguard or subcategory. It depends on the framework you use. You score them. And scoring can be different. Depends. For the NIST one, it’s very popular. One is like zero: the control is nonexistent. One: it exists, but is not efficient. Two is partially efficient and three is fully efficient. But what does it mean?
Anna Lezhikova - 47:41 That’s the important part. We look at the control and we do not just check: yes, it exists, it works. We look at the control and if this control reduces the risk related to the threat that we defined, then we mark it as efficient. Sometimes if the control is just not fully implemented, but how it was implemented reduces the risk for this company a lot because the risk is low, then we can mark it as efficient because it’s enough. Sometimes the control is implemented in full, some technical control, but in our case, for this question, for this subcategory, for example, the introduced threat, like we found out, defined in the threat taxonomy, the risk introduced by the threat is not reduced at all just because this technical control exists. Another control, a process control for example, is missing. Even if it’s a checkbox, yes, we’ve got inventory, but if this inventory is not connected to detecting unauthorized devices, who cares, right?
Anna Lezhikova - 49:02 Something like this. That’s why it’s very important to understand these links between each safeguard and risks and threats, and then you evaluate them only in the light of these risks and threats. Not just like yes, we have it, and now swearing to have it. That’s the pitfall a lot of self assessments and often outsourced assessments fall into. Again, as we mentioned before, it’s not a checklist here. You really need to involve this understanding of the business context, business functions and relations between all the things inside of the business and outside of the business. That’s where your expertise, knowledge and general knowledge come into play. That’s where you can think about the safeguard and say yes, it’s efficient. No, it’s not efficient. The same thinking is used in the recommendations. Okay, you don’t have this, what you need to have to reduce this risk in this control area, and it’s not possible just by checking.
Anna Lezhikova - 50:11 So whatever it asks, we need this control. Okay. We need to have MFA for everything. MFA for everything? Yes. We recommend, I’ll just use it as an example. Just imagine that for your company it will be very difficult to implement it for everyone, for different, like for cultural reasons. For example, people are very conservative and they would reject it, for example, most of your workforce would reject it. Right? They don’t use mobile phones much, something like this. For you, the risk would be very low because most of them don’t have access to much of the system. You don’t recommend them to roll out MFA for everyone. You would recommend to roll out MFA only for admin accounts, for example. That’s when we do recommendations based on the business context, because the main goal is to achieve the balance between doing the business and being secure, because security in most cases is slowing down the business.
Anna Lezhikova - 51:18 This is your brakes. You need your brakes, but you don’t use them all the time. You still need the car to keep moving. Right? So that’s the balance. To reach this balance, you really need to understand business context and the relationship between risks, threats and security controls. And reports. Every report should have an executive summary, some background and findings and recommendations and extra useful information. So the charts would look like this. You can see this example of just like the charts from the spreadsheets I created. It’s very important that the report language and style meet your audience requirements. This is very important, to have an executive summary in every report, because some people who are busy and don’t care about the details, like at the C level or the board, can still understand what’s going on by just reading one page of it. And presentation, again, depends on the audience.
Anna Lezhikova - 52:27 And stick to the most important points. Don’t be boring. Honestly. Security is not all complex, difficult and boring. Talk about business, don’t talk about firewalls and access, like AD details like security groups and stuff. Yeah, read the room.
Dinis Cruz - 52:46 Well, that’s the key, right? Make sure it’s relevant to your audience. Make sure you have business context. Right. Because then they really take it in and I really like that risk based approach right, to present to them.
Anna Lezhikova - 52:57 Yeah, because assessments are always about business, not about tech. This is, I think, the main message I would love to deliver today. They are the way forward for the whole company. They’re the way forward for the business, not for the IT department or security team. As I mentioned already, we have internal, external, we have initial, we have reassessment. Reassessment is just like when you repeat it. It’s very nice to see the progress. You can have extra charts, like in time. Okay, we were here, now we’re here. And this is what business really likes. This is like, reassessments are really important for justifying your budget. This is your main tool to get the budget for the next year for your security function. That’s why it’s good to start them at some point. Then you can show how it’s improving and that you need more.
Anna Lezhikova - 53:52 That’s important, to have this balance between, okay, we’re improving, but this is how much is left, how many gaps are still there? So please give us money. Right. These are the resources I was talking about. So this is the NIST framework. This is just the description. You can download their PDF with all the safeguards, so you can create one. I’m sure there is a spreadsheet somewhere online, I saw some time ago. Yes, there’s definitely a lot of stuff available. Again, it doesn’t matter what tool you’re using. Most importantly is that you link whatever controls you’re facing, whatever questions you’ve got, you link it to business function, risk and threat, because it’s not important if you have it or not if it doesn’t reduce the actual risk for the business.
Dinis Cruz - 54:49 Very cool, to be honest. What would be amazing is to see if you can anonymize some of your actual reports and some of your visualizations and some of your examples, because that brings a lot more to light, right?
Anna Lezhikova - 55:10 Yeah. Unfortunately, IP, this is like what brings this company, how I bring this company money. It’s just like because the tools are not available widely and open tools. That’s why we invent our own tools.
Dinis Cruz - 55:28 Well, there’s still a place in the market, right? It’s still a place in the market for this because you’re right, there aren’t a lot of good tools, which actually we talked about in the ChatGPT session. Right. I think there’s a lot of evolution that we’re going to see in these areas that really need context and analysis. I think the next evolution of GPT-like technologies, where you can really isolate the data set, so you can say, look, here’s a big data set, go and consume it. Now you can query it. That’s going to be crazy powerful.
Anna Lezhikova - 56:01 Yeah. With assessments, I would be careful to go into the big data because I think from my experience, when I started this, I had an AI and data background, technical background. So, okay, what can I do? How can I make it efficient, how can I just really the processes, how do I automate stuff, how do I make it, like, really, what can I do here from the tool perspective? When half a year into this, I just learned that the most important part in here is talking to people and applying this general analysis. You can’t replace it with any tool or any information.
Dinis Cruz - 56:44 Absolutely. But you can scale that analysis, right?
Anna Lezhikova - 56:49 I don’t know. I’m not sure. I don’t know. Maybe, because currently I’m training my colleagues to do this, cybersecurity consultants, like they started on this journey and I train them. And when I explain it to them, what I do every time, I understand how I would automate it, because automation, I really love this stuff. I’m a former software engineer, I really love coding, and how would I code it. I understand every time that the most important insights come from conversations.
Dinis Cruz - 57:31 Yeah.
Anna Lezhikova - 57:36 Putting aside this, I’m confident there are a lot of things to use AI, like OpenAI type of models, for in gathering data and organizing data for future analysis. I agree. Just in general, cybersecurity, I see a lot of, yeah. Favorite location. Yeah.
Dinis Cruz - 57:59 Cool. Well, I think that’s all the questions we had here. Thanks for doing the session. This was really cool. The video will be available very soon and I’ll see you on the next one.
Anna Lezhikova - 58:10 Thank you so much. Bye. Really?