The key to successful assessment planning begins with clear communication throughout the initial planning phases. To ensure technical and non-technical leaders are aligned on the purpose of the cyber assessment, use the 10 steps below to facilitate communication prior to beginning the assessment. (Note: many of these steps can be done simultaneously.)
1. Review company risk management strategy
In large, publicly owned documents, this guidance can be found online in board objectives or CEO guidance letters. For smaller companies, this may be a published policy available internally. If there is a communicated impact that senior leadership acknowledges is tied to IT, OT, or other cyber-related risks, this is your north star for purpose. If no such document exists, you’ll have to revert to your intuition or ask your line supervisor.
2. Complete a business impact analysis
If a business impact analysis has been performed, or a continuity of operations plan is in place, align the purpose of the assessment to supporting those key reports. If not, consider the value of conducting these exercises prior to executing an assessment. The top way to align your company on a shared purpose for the assessment is to ensure technical and non-technical stakeholders agree the assessment is need for finding gaps that limit your company’s capacity to deliver services.
3. Select the assessor
You’ll need a highly experienced person to lead the assessment effort and hold primary responsibility from start to end. Usually headed by an IT or OT manager, senior analyst, or equivalent, this key position requires the technical ability to answer most of the assessment questions. Despite their ability to complete most questions on their own, this person ultimately needs to be able to work hand-in-hand with other departments to complete the assessment.
4. Select assessment stakeholder(s)
There is usually more than one stakeholder, especially if the scope of the assessment includes multiple business units or departments. Going to your CISO, IT/OT Director or equivalent will help bring these stakeholders together, since this person is responsible for allocating budget to complete assessments and define the outcomes. Arguably the most important person in driving alignment, having executive sponsorship over your strategy will help ensure that the importance of these assessments is communicated across the organization.
5. Drive alignment across stakeholders
If you’ve done the work for steps 1 and 2, you should have a pretty clear idea of what your executive(s) expect from assessments and how they impact the business. However, different departments will need different information from each assessment, so it’s important to consider what their needs are. Aligning stakeholders on your cybersecurity strategy is critical to the perceived value of assessments. When a department doesn’t receive valuable or actionable information, it’s easier to dismiss results as simply getting into regulatory compliance.
6. Determine a budget
Many times in ICS environments, the budget for continuous assessments may be shared across IT, OT, and operational (facility) budgets, creating another opportunity to drive alignment across departments and secure your ideal budget for cybersecurity activities. At this step in the process, be sure to inform budget stakeholders of the scope that your budget covers. Does your budget only include the initial cost and the assessment results? Or have you pre-planned for remediations to avoid the need for additional budget allocation? Either way, it’s important clarify what your budget covers, especially if it’s being allocated from other departments.
7. Define assessment objectives
Before the assessment begins, all participants should be in agreement on what the next viable steps will be once results are presented. Use determination statements, with the standard language of “if the assessment determines X, we will do Y”. Doing this encourages an honest and straightforward assessment.
8. Determine the controls to be assessed
For the assessment to be completed effectively, all personnel must be aware of what parts, programs, or equipment they are responsible for and if they will or will not be part of the assessment. Accomplishing this key task prior to beginning the assessment will ensure that the assessment questions are completed quickly. Recommend, circulate, and agree on the scope of controls to be assessed.
9. Establish a guide or scope of work
Consider this activity “putting pen to paper” on all the assumptions, scope, and timeline that you share with all key stakeholders. It’s important at this step to gain acknowledgment by all departments so they recognize and share within their departments as a prioritized activity.
10. Establish a calendar
Establishing a calendar of events drives accountability for all personnel involved. The start of the assessment should be a relatively rapid event immediately prior to kickoff but aligns everyone on the key details of the guide or scope of work. Sharing results should also be on the calendar before the kickoff to ensure that the timeline is kept by all stakeholders.
Completing thorough, objective cyber assessments is vital to developing a risk management strategy that supports operational up-time, team safety, and corporate governance objectives. In our experience, cyber assessments are often completed as recurring calendar events with little to no alignment across the company. Because of this, assessments can succumb to under-prioritization as calendars fill with unplanned events and business changes. When teams are aligned across the company you can be confident that the investment made in these risk management activities is being maximized.
This means you’re not wasting time or losing productivity towards hitting company objectives. Additionally, the budget allocated for cybersecurity should be focused on areas that produce more value and are of top strategic importance. Depending on your company’s program, replacing manual processes with digital tools and automation may mean you can actually save money in your cyber program and be more effective at the same time.