6 Considerations for Your Next Security Assessment Vendor

Information security assessments are a necessity in today’s cyber insecure world. Be sure to consider these 6 things when you select a security assessment vendor. 

Risk assessments (often referred to as security assessments) are a critical part of any compliance program. More often than not, these risk assessments are required to be performed by an external party.

Hiring a firm to perform a risk/security assessment can be a daunting task. With little to go on, we often fall back on the old standbys of contracting a vendor: reputation, size, certifications, and so on. That often results in poor performance or obvious cookie-cutter results. How then should we approach the task of ensuring we get value from our security assessment vendor?

After years of performing risk/security assessments and gap analyses for various companies while at different vendors, I’ve noticed some themes and want to share six items to look for when selecting a vendor.

Fortunately, these are items that can be teased out in negotiation long before signing the contract.

6 Factors to Look for in a Security Assessment Vendor:

1. They consider People, Processes, and Technology

This one seems like it should be obvious. Isn’t that what a security assessment vendor should be doing? In theory, yes. However, as you have probably experienced, that is not the case most of the time.

Human nature. Believe it or not, auditors are human too, and with that comes comfort zones, preferences, dislikes, and biases. If you have an auditor who came up through the ranks as an accountant or in another non-technical analytical role, you’ll have someone who is very comfortable with the processes of security but may not understand the nuances of the people or the technology supporting the business.

The same can be said for a highly technical individual with no people skills, or the adamant extrovert who crammed well enough on the technical side to pass the PCI QSA test by a whisker.

A good security assessment vendor will have the processes and procedures in place to ensure that, one, only well-balanced individuals are selected to be auditors and, two, even treatment is given to all aspects of security. Just because an auditor is more comfortable in one area than another doesn’t give them leeway to abandon other areas.

2. Spreadsheet mania

This one is a bit counter-intuitive. Spreadsheets and auditors are like mac and cheese, they just go together.

However, let me ask you one thing. Have you ever had an auditor that you felt truly understood what you did and how you did it? I haven’t. Most of the time they sit across a table with a laptop open, entering your responses into a spreadsheet like an automaton.

Sure they’ll ask some questions to get a better understanding, but only enough to answer what the spreadsheet wants to know.  Spreadsheets are great for identifying risks in technology or gaps in processes, but what about people?

Whatever happened to the art of conversation, I ask? 

Here at Cybriant, as at any other good security assessment vendor, all the technicalities of the spreadsheets can be asked beforehand or after. What we’re there to do is understand your risks, and that includes what your people do and how they perform their daily duties. I have story after story of finding major risks to an organization through conversation that a spreadsheet approach would never have caught.

Let me give you a great ‘for instance’. 

I was performing a security assessment for a college and knew of the locked, secured shred bins as well as the policies dictating their use.

However, after conversing with a funding representative I had to ask,

“So do you actually use the shred bin upstairs?”

“Of course I do!” was the response.

Based on other answers I probed some more: “Well, I put the credit card information in this cardboard box beside my desk when I’m done with them, and once a week I dump the paper in the shred bin.”

Need I say more? When considering a vendor, try to have a conversation with the auditor who will be assigned to your account. Do they ask good questions? Are they personable?

3. They talk to more than just the nerds.

I wonder if you caught something odd about the story above, other than the glaring PCI violation. As part of a security assessment, we were speaking to a funding representative, not a technical resource.

While technical resources are an absolute must when interviews are concerned, so are the rank and file. Processes, policies, guidelines, standards, security controls, technology: those are all well and good, but users have an uncanny ability to destroy all our good work, sometimes without even trying.

As such, it is imperative that your assessor speaks with others in your organization. Often external assessors are brought in to verify what the technical staff or leadership already suspect. However, because of our insistence on interviewing non-technical personnel, we have found countless security risks that were previously unknown.

When assessing your potential vendor, be sure to ask who is considered as an interview candidate. If it’s just technical staff and minimal leadership, back away slowly.

4. They see the big picture

Very similar to the spreadsheet item, there is one thing that seems to elude the vast majority of assessment firms: big-picture thinking.

After performing dozens of security assessments I have come to the realization that most findings can be distilled into what we call Cybriant: Risk Themes. These are overarching risks that are not part of any framework but contribute to the overall security profile.

Examples of Cybriant: Risk Themes are a company culture that ignores security, or a lack of proper network design that exposes several risks at once. While our assessments do include specific risks, we also include any Cybriant: Risk Themes to help guide the organization towards the most efficient method of addressing the outlined risks.

Ask to see a sanitized assessment: does it address risk themes?

5. They give a roadmap to success

A good security assessor understands technology to the point that they can provide a roadmap that addresses the most critical findings first and explains how to fix them. This is absolutely critical to successfully remediating security risks.

Tell me if this sounds familiar.  A security assessment vendor performs a security assessment and you receive a PDF containing page after page of faults with your environment, and that’s it.  No recommendations on how to remediate, no path towards completion, no way of knowing which ones really do pose the highest risk to your organization.

When choosing a security assessment vendor it is critical that they consider what technology you have in place and the most efficient path towards remediating the identified risks.

However, they can only do that if . . . . .

6. They understand technology

In previous points, it may have seemed as if I were discounting technical knowledge.  Let me squash that rumor now.

A disturbing trend in the security assessment world is the tacking on of technology auditing to other fields such as accounting.

I like my CPA and trust them with my taxes, but I wouldn’t want them to pass judgment on my BGP network. Just because you can sit in a CISSP boot camp and memorize enough to pass the test doesn’t mean you understand the nuances of a system or network design.

This trend is resulting in strict adherence to spreadsheets above any extenuating circumstances and discounting of any client explanation.  That in turn results in frustrated and dissatisfied clients.

Above all, an assessor needs to understand technology well enough to see how your organization uses it and where the potential pitfalls lie. When determining which security assessment vendor to select, be sure to have your technical talent probe the assessor for technical knowledge.

Some of the brightest, most capable employees and coworkers I have ever had the privilege to work with do not have college degrees or certifications; yet by what metric do we normally measure a potential employee? We do this because it is very difficult to assess whether a potential candidate has the “right stuff”, so we fall back on the de facto standard.

The same can be said for how most security professionals choose a security assessment vendor.

Hopefully, I have given you the tools to look past the standard fodder of evaluating security vendors and equipped you to ask intelligent questions and look for signs that you have found the diamond in the rough.

Jason Hill

Director of Strategic Services

Jason is an accomplished Infosec Speaker, AlienVault certified instructor and engineer, Risk Assessor, Security Consultant, and Security Trainer.


5 Key Reasons You Need a Cyber Security Assessment

You probably need a cyber security assessment, especially if you are wondering whether you need one. Here are the top 5 reasons you should start today.

Keep reading and we’ll help you understand different types of cyber security assessments, why you may need one, and the main benefits of a cyber security assessment.

What is a Cyber Security Assessment?

When you hear the term “Cyber Security Assessment” you can assume that a “Risk Assessment” is what is being implied.

The goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals” (NIST Cybersecurity Framework).

The NIST Cybersecurity Framework has five main categories: Identify, Protect, Detect, Respond, and Recover. These categories provide a set of activities to achieve specific cybersecurity outcomes and reference examples of guidance to achieve those outcomes.

The Framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations or it can be focused on the delivery of critical services within an organization. Different types of entities – including sector coordinating structures, associations, and organizations – can use the Framework for different purposes, including the creation of common Profiles.

Source: NIST, Framework for Improving Critical Infrastructure Cybersecurity

At Cybriant, we highly recommend the NIST Cybersecurity Framework. The very first category of the NIST Framework, Identify, explains the need for a Risk Assessment. If you need more advice or recommendations on deciding which framework is right for your company, read the article we recently posted, “Is My Company Secure.”

Purpose of a Cyber Security Assessment

The purpose of a cyber security assessment includes identifying:

  • Threats to your organization (operations, assets, individuals), or threats directed through organizations or nation-states
  • Internal and external vulnerabilities
  • The adverse impacts (harm) that may occur
  • The likelihood that harm will occur
  • The resulting determination of risk

Cyber Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event and is typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.
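A worked illustration of that definition, added here and not Cybriant’s tooling or NIST’s: each finding is scored from likelihood and impact on assumed 5-point scales, ordered so the most critical findings come first in a remediation roadmap, and grouped into overarching risk themes with their accountable owners. The findings, scales, band edges and owner names are all constructed for this example.

```python
"""Risk determination: risk as a function of adverse impact and likelihood,
then prioritised into a roadmap and aggregated into risk themes.

Added illustration only. The 5-point scales, the qualitative band edges and
the sample findings are assumptions constructed for this example, not values
taken from the page or from NIST."""

from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scales (1 = very low .. 5 = very high), in the style of a
# qualitative 5x5 likelihood/impact matrix.
LIKELIHOOD_SCALE = {"very_low": 1, "low": 2, "moderate": 3, "high": 4, "very_high": 5}
IMPACT_SCALE = {"very_low": 1, "low": 2, "moderate": 3, "high": 4, "very_high": 5}


@dataclass(frozen=True)
class Finding:
    ident: str
    description: str
    likelihood: str   # key into LIKELIHOOD_SCALE
    impact: str       # key into IMPACT_SCALE
    theme: str        # overarching risk theme the finding contributes to
    owner: str        # accountable risk owner


def risk_score(f: Finding) -> int:
    """Risk = f(likelihood, impact); here the product on the 5x5 matrix (1..25)."""
    return LIKELIHOOD_SCALE[f.likelihood] * IMPACT_SCALE[f.impact]


def risk_level(score: int) -> str:
    """Map a 1..25 score onto qualitative bands (assumed band edges)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "moderate"
    return "low"


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Roadmap order: highest score first; ties broken by impact, then by id."""
    return sorted(
        findings,
        key=lambda f: (-risk_score(f), -IMPACT_SCALE[f.impact], f.ident),
    )


def roadmap(findings: list[Finding]) -> list[tuple[str, int, str, str]]:
    """One roadmap row per finding: (id, score, level, owner), most critical first."""
    return [(f.ident, risk_score(f), risk_level(risk_score(f)), f.owner)
            for f in prioritise(findings)]


def theme_summary(findings: list[Finding]) -> dict[str, dict]:
    """Aggregate per theme (count, worst score, owners involved) so the roadmap
    can address a root cause rather than a list of isolated control gaps."""
    summary = defaultdict(lambda: {"count": 0, "max_score": 0, "owners": set()})
    for f in findings:
        entry = summary[f.theme]
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], risk_score(f))
        entry["owners"].add(f.owner)
    return dict(summary)


# Constructed sample register (fictional findings, loosely modelled on the
# kinds of non-technical gaps an interview-driven assessment turns up).
SAMPLE_FINDINGS = [
    Finding("F-1", "Card data kept in a cardboard box until weekly shredding",
            "high", "high", "security-unaware culture", "Finance Director"),
    Finding("F-2", "Flat network: no segmentation between card systems and office LAN",
            "moderate", "very_high", "network design", "IT Manager"),
    Finding("F-3", "Departed staff key cards not disabled",
            "high", "moderate", "security-unaware culture", "HR Director"),
    Finding("F-4", "Guest Wi-Fi password printed in reception",
            "low", "low", "security-unaware culture", "Facilities"),
]

if __name__ == "__main__":
    for ident, score, level, owner in roadmap(SAMPLE_FINDINGS):
        print(f"{ident}: score={score:2d} level={level:8s} owner={owner}")
    for theme, entry in theme_summary(SAMPLE_FINDINGS).items():
        print(f"theme '{theme}': {entry['count']} finding(s), worst score {entry['max_score']}")
```

In the sample register three of the four findings share one theme, which is the signal a roadmap should lead with, rather than fixing each control in isolation.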

5 Key Reasons You Need a Cyber Security Assessment:

A Cyber Security Assessment or Risk Assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact the organization and the likelihood that such circumstances or events will occur.

Why do you need a cyber security assessment? Here are 5 key reasons:

  1. Compliance Requirements

Almost every regulatory compliance requirement includes a comprehensive Risk Assessment. In your cyber security assessment for compliance, you’ll be able to evaluate your compliance controls and understand your full range of risk exposure. An effective cyber risk assessment will help you prioritize risks, map risks to the applicable risk owners, and effectively allocate resources to risk mitigation.

  2. Gap Analysis/Cyber Exposure

A gap analysis is a critical service when you need to identify any deficiencies between your security program and a specific regulation or framework. As noted in the ANSI/ASIS/RIMS risk assessment standard, “Gap analysis is intended to highlight the amount by which the need exceeds the resources that exist and what gaps may need to be filled to be successful.”

  3. Identify Vulnerabilities

A cyber risk assessment will help you identify and locate vulnerabilities in your infrastructure and applications. It will help you determine your security flaws and overall risk. You’ll gain a better understanding of your assets and reduce the likelihood of being breached.

  4. Asset Discovery

An asset is no longer just a laptop or server. It’s now a complex mix of digital computing platforms and assets which represent your modern attack surface, including cloud, containers, web applications, and mobile devices. Proactively discover true asset identities (rather than IP addresses) across any digital computing environment and keep a live view of your assets with a cyber risk assessment.

  5. Baseline

By going through a cyber security assessment, you will create a baseline. You’ll understand your security controls, what is working and what isn’t. This baseline becomes the standard against which your company assesses itself going forward.

Speaking of creating a baseline when it comes to a cyber security assessment, consider ComplyCORE.

ComplyCORE is a Compliance Management System that will help reduce the hassle of compliance into a concise program. Learn how to make compliance simple.

Compliance Management System

Today’s compliance environment is an overwhelming assortment of never-ending checklists and to-do items. Not only are organizations required to adhere to a standard, there are often many standards that a company must adhere to, adding additional complexity to an already frustrating situation. Pulled in many directions, today’s IT professionals often feel as if they are descending into a fog of compliance.

There is also a constant stream of acronyms that businesses must now learn and adhere to in order to be compliant. Each new entrant into the pantheon of compliance complicates and weaves an even more complex web of checklists, procedures, and policies. Each time new letters are added to our alphabet soup of regulations, we must scramble to meet that specific list of requirements.

We have created a better way. Introducing ComplyCORE.

ComplyCORE reduces the fog of compliance into a clear and concise vision. With ComplyCORE as your compliance management system, each new compliance matrix that springs to life is easily and quickly integrated. There is no scrambling each time an auditor for a specific regulation appears; it’s all part of the plan.


People, Process, Technology in Cybersecurity or: How I Learned to Stop Worrying and Love the Process!

People, Process, and Technology is the cornerstone of ITIL, but can it also be used to ensure a proper cybersecurity foundation? The answer may surprise you!

Let’s just get this out of the way. You are not secure. There I said it.

Let me qualify that statement: when I say you are not secure what I mean is that regardless of the money, talent, resources, or luck your organization possesses, your organization (or any other) cannot consider itself completely impervious to outside aggressors. Just like a Major in boot camp, let me tear your assumptions down for a moment so I can build them back up.

According to Gemalto, 82 records were compromised every second in 2017. It is widely accepted that the nation-state failure rate is as near to nothing as makes no difference. There are spear phishing kits available to allow anyone, even your mom, to launch a targeted attack against you. You have to be right every time; a hacker only has to be right once. A bird in the hand . . . I could go on, but I think you get the point.

“But,” you say “I just bought something with ‘NEXT-GEN’ in the product description. That’s got to make me secure!” No, it won’t. Nothing short of throwing all copies of your secure data into a volcano will make your data completely secure.

What we must strive for, what we must get up every morning and make it our mission to accomplish, is the process. A far too common mistake is that once we place security controls around our data we believe the job is done. Once we buy and install that tool, outsource that task, or hire that consultant firm we are not done. Let’s look at the tried and true foundation of People, Process, Technology and see how that fits into your cybersecurity plan – we are going to switch it up and discuss process last.

According to ITIL News, using People, Process, and Technology for a successful implementation is not only good old-fashioned common sense but also like a 3-legged stool. The stool analogy is used because any leg that is too short or too long will cause an imbalance.

People, Process, Technology


Here’s one thing everyone in security knows: people like clicking on all the links! Hackers know this; even that rich Prince from Nigeria knows this! In Jim Collins’s book, Good to Great, he discusses how the leader of your organization is like a bus driver and the employees are the bus riders.

You are a bus driver. The bus, your company, is at a standstill, and it’s your job to get it going. You have to decide where you’re going, how you’re going to get there, and who’s going with you.

Most people assume that great bus drivers (read: business leaders) immediately start the journey by announcing to the people on the bus where they’re going—by setting a new direction or by articulating a fresh corporate vision.

In fact, leaders of companies that go from good to great start not with “where” but with “who.” They start by getting the right people on the bus, the wrong people off the bus, and the right people in the right seats. And they stick with that discipline—first the people, then the direction—no matter how dire the circumstances.

While this may seem like a stretch in the cybersecurity world, the analogy holds true in the sense that everyone on board the bus must be on the same mission. We don’t want to let anyone (cybercriminals) on the bus or let any corporate secret fly out the bus windows.

Train your people and make sure policies are understood from the top down.

If that “next-gen” tool were able to keep you secure without your ability to understand and effectively use it, why isn’t everyone buying it instead of the others? Because no tool by itself can effectively secure your data. You must be knowledgeable of what the tool is telling you, how to effectively deploy it, and how to customize it to your environment. If you don’t take the time to do these things, you might as well have dug a hole and thrown the money in; it’s the same thing. Too many times I have seen a very expensive product simply create heat. The security product was implemented, but time was not dedicated to truly using the product. Now it’s ignored.

On the other hand, you could outsource the task of doing all that…

Great! You’ve contracted an MSSP to watch your security for you. Job’s a good’n. Nope. I’ve trained many, many MSSPs, probably fifty-plus. I’ve been instrumental in starting two successful MSSPs. This experience has taught me several things, one of which is critically important to this conversation.

It can be summed up by a question: How do you know they provide value?

Nifty charts? Awesome. Wizbang product suite? Sweet! Suites that cost more than your first car? Shiny. However, all of that is for naught if you have not educated yourself in the mechanics of what they provide. Most people outsource what they are not good at. Wouldn’t a better idea be to outsource what you are good at? The more you know about the topic, the less you must worry about whether that vendor is doing a good job. If you don’t stay current, educate yourself on cybersecurity, and constantly engage your vendor, what value do they really bring?

It is said wisdom is the appropriate application of knowledge. You may have learned many things about cybersecurity, but if you can’t effectively use that knowledge in everyday life, what use is it? This is where everything we’ve discussed above fits into “the framework”. I’ve described what a framework is and how to pick one in other blogs.

With a framework, we can take each new product, align it with our goals, test the product, and verify that our management of the product is appropriate. With each outsourced task, we can quickly and easily see if the value exists through the iterative processes inherent in frameworks. With each consultant, we can direct and manage the work and the relationship using the process of satisfying the framework.

Cybersecurity is a process. It is not a rush to prepare for a single point-in-time audit and then relaxing until the next time. By embracing the idea that iterative steps and incremental progress are the proper way to secure your environment, you inherently become secure.

Well, at least until George clicks on that link again.

Why You Must Perform A Security Assessment

Recently, we discussed why it is important to have a SIEM (Security Information and Event Management) system, and why it is crucial for skilled administrators to actively use and monitor it. For a quick refresher, here is the article in Wired that sums up the presentation by Rob Joyce, Chief of NSA’s Tailored Access Operations, that inspired this series. This week’s post will cover why it’s important for your organization to perform a Security Assessment to analyze your organization’s operational risks.

One of the biggest issues facing organizations today is that security is an invisible attribute. IT administrators will set up devices or services, configure the security parameters, and rarely, if ever, consider the security settings again. Organizations routinely write policies for user access and infrastructure and never update them. Systems are tested and vulnerabilities discovered but left unresolved. This is the “Set it and Forget it” Syndrome, and almost every organization suffers from it. As Rob Joyce points out, nation-state hackers and Advanced Persistent Threats (APTs) rely on these issues, and unfortunately, we are making their jobs easy by not assessing our systems and processes regularly.

Everyone has blind spots which cause them to overlook important issues. Infrastructures constantly change, which introduces new vulnerabilities, while new methods of attack are discovered or invented daily. Often, what was secure yesterday is not secure today. Periodic assessments can help your organization identify these blind spots so your teams can design an effective security program. Assessments can help determine the best methods to prevent a breach, as well as protect assets and corporate reputations.

Why perform a periodic Security Assessment?

Organizations are increasingly bound by governmental regulations which dictate what security measures must be in place and how they are to be audited.  PCI, FISMA, Sarbanes-Oxley, HIPAA, NERC and GSA among others all dictate how to secure different types of data and the systems that manage them.  These regulations also require regular security posture assessments.

While regulations are often the driving factor, they aren’t the only reason why an organization should perform (or better yet, have a third party perform) periodic assessments of their infrastructure.  A Security Assessment is the equivalent of an organization’s State of the Union.  It is a report that looks at every aspect of security and details the severity and potential impact of risks to the company.  Furthermore, it produces the fundamental information required to create a roadmap to a successfully secure business.  To navigate to any destination you must first know where you are.

What should be assessed?

To begin, most organizations only focus on IT data systems or penetration tests during Security Assessments, and this is where things go wrong very quickly.  Yes, it is important that the firewall blocks bad guys and workstations are kept secure, but what about phone systems or printers?  Will your users recognize and report a phishing email attempt?  What is the process for when an employee exits your organization? Did anyone remember to disable their key card to the building?  A thorough Security Assessment will go beyond the typical IT systems assessment.  Here is a list of security domains that should be considered during a Security Assessment:

  • Access Control
  • Information Governance and Risk Management
  • Infrastructure Architecture and Design
  • Cryptography
  • Operations Security
  • Network and Telecommunications Security
  • Disaster Recovery and Business Continuity plans
  • Governmental Regulations
  • Incident Management Policies and Procedures
  • Physical Security
  • IT Security Training Programs
  • Network Boundaries

What about after the Security Assessment?

It is shocking to think that most companies will pay for a third party to audit their systems, processes, facilities, and personnel, and then do nothing to resolve the discovered issues. This is exactly what Rob Joyce points out in his video. A high percentage of companies will fail to close gaps discovered during security audits. A vulnerability of any size is important no matter where it exists. All an APT really needs is a toehold. Once one is presented, no matter how small, attackers will use it to gain access to your company’s data.

Once you have received your assessment results, it is imperative to either fix the discovered issues or create compensating controls to keep these issues from being leveraged. As Rob Joyce points out in his video, most companies and organizations fail to act even after issues have been discovered, documented, and reported. Joyce also says not to assume any crack in your defenses is too small or insignificant to be exploited. These toeholds are exactly what Advanced Persistent Threats are looking for in your environment.

Companies put a lot of effort into securing revenue streams, banking information, and payroll information by default. These areas, they feel, are important to protect.  Most companies have a provision in the employee handbooks that instruct employees not to discuss salary information with fellow employees.  We don’t often find this level of care and communication when it comes to IT security.  Accountants frequently audit the bank and company for fraudulent activities.  It’s time that companies added IT security to this list of very important, very well understood activities.  Yearly assessments should be the norm and the findings should be well communicated within the company.  IT security cannot be the sole responsibility of a few guys in the back of the building.  Every employee has to be involved because every employee is a target.

The journey to a secure organization begins with the first step. Your first step should be a Security Assessment, to know where to place your foot and how to find the path ahead.

by Byron DeLoach

Types of Network Security Threats and How to Combat Them

If you’re interested in the types of network security threats and how to combat them, you’re in the right spot. We’ll discuss a tried and true method to create a solid foundation for your network security. 

What’s keeping you up at night? Is it hackers, insider threats, malware, phishing? Maybe there are a few new types of network security threats that you haven’t heard of yet? You never know!

Even the most secure organization may have pitfalls that allow something to slip through the cracks. Consider Equifax and THE most talked about breach of 2017 that could have been prevented so easily with a proper patching policy.

The fact of the matter is that the bad guys are constantly trying to catch us. You can train your employees all you want, but there’s still a chance that an employee may not be able to identify an extremely sophisticated phishing email. Phishing email creators are getting REALLY GOOD! These guys take anything from celebrity news, worldwide sporting events like the Olympics or the World Cup, or something as personal as W-2 information around tax time to make sure you will click on their email. Even the CEO of KnowBe4 recently received a phishing attack that seemed to be from his personal accountant.

Types of Network Security Threats

There are typically four types of network security threats, and any particular threat may be a combination of the following:

Unstructured Threats

Unstructured threats often involve unfocused assaults on one or more network systems, often by individuals with limited or developing skills. The systems being attacked and infected are probably unknown to the perpetrator. These attacks are often the result of people with limited integrity and too much time on their hands. Malicious intent might or might not exist, but there is always indifference to the resulting damage caused to others.

Structured Threats

Structured threats are more focused, carried out by one or more individuals with higher-level skills actively working to compromise a system. The targeted system could have been detected through some random search process, or it might have been selected specifically. The attackers are typically knowledgeable about network designs, security, access procedures, and hacking tools, and they have the ability to create scripts or applications to further their objectives. Structured attacks are more likely to be motivated by greed, politics, international terrorism, and government sponsorship.

Internal Threats

Internal threats originate from individuals who have or have had authorized access to the network. This could be a disgruntled employee, an opportunistic employee, or an unhappy past employee whose access is still active. In the case of a past network employee, even if their account is gone, they could be using a compromised account or one they set up before leaving for just this purpose. Many surveys and studies show that internal attacks can be significant in both the number and the size of any losses.

External Threats

External threats are threats from individuals outside the organization with no authorized access to the systems. In trying to categorize a specific threat, the result could possibly be a combination of two or more threats. The attack might be structured from an external source, but a serious crime might have one or more compromised employees on the inside actively furthering the endeavor.

There are many different examples of each type of network security threat. According to, the top 5 corporate network security threats include:

  1. Viruses
  2. Virus Back Doors
  3. Application-specific hacks
  4. Phishing
  5. Blended Attacks

Basically, you have to be prepared at all times, for anything. Trust no one, don’t click on any emails. In fact, if you want your data to be completely secure, just toss it in a volcano. Don’t forget that you are also building a successful business while protecting your network security. There MIGHT be a better way…

Calculate Your Network Security Threat Risk


Is your company secure? How can you tell? It isn’t easy, but there is a way – you just need something to compare yourself to.

Back in 1901, the US Government gave us something called NIST, the National Institute of Standards and Technology.

NIST focuses on recommending standards for various industries and other government agencies in a wide variety of areas. It is a non-regulatory agency of the United States Department of Commerce. From cybersecurity to mammograms and advanced manufacturing, innumerable technologies, services, and products rely upon NIST expertise, measurement, and standards.

More recently, NIST introduced the NIST Cybersecurity Framework. This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

According to the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, the Cybersecurity Framework is designed to reduce risk by improving the management of cybersecurity risk to organizational objectives. Ideally, organizations using the Framework will be able to measure and assign values to their risk, along with the cost and benefits of steps taken to reduce risk to acceptable levels. The better an organization is able to measure its risk and the costs and benefits of its cybersecurity strategies and steps, the more rational, effective, and valuable its cybersecurity approach and investments will be.

This is awesome news! But, this is also a lot of information and a lot to understand. Never fear, we have security consulting experts that can easily walk you through the process (as well as PCI, HIPAA, or any other necessary framework). For the sake of this article, and to understand where to begin, let’s start at the beginning according to NIST:

To manage cybersecurity risks, a clear understanding of the organization’s business drivers and security considerations specific to its use of technology is required. Because each organization’s risks, priorities, and systems are unique, the tools and methods used to achieve the outcomes described by the Framework will vary.

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories – which are discrete outcomes – for each Function and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.

Start from the Beginning: IDENTIFY

Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.


  • Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  • Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  • Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  • Risk Assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  • Risk Management Strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  • Supply Chain Risk Management: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

Know Where You Are

We can help you begin at the beginning. We have two services that can help with most of the items on the list. Our real-time vulnerability management service will help you identify all the assets on your network. Many companies do not know every device on their network; this is very common! Our risk assessment service can help you assess where you are, identify any gaps, and even help you with ongoing compliance requirements.

Ready to get started? Let’s go! Schedule time with us today to discuss your specific needs.

Did you know a Vulnerability Scan could help Identify Assets?

NIST Cybersecurity Framework

Organizations of all sizes need a solid security framework based on standards and best practices – a foundation to help you manage your cybersecurity-related risk.  These standards should address interoperability, usability, and privacy based on the needs of your business.

To help address current and future computer and information security challenges, Cybriant highly recommends that our customers adopt the NIST Cybersecurity Framework. NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies.
