Mind the Gap

Gary Hibberd

25th March 2020

Cybersecurity is often thought of as a complicated topic.

In truth, it's complex, but it shouldn't be complicated. Good Cybersecurity is about the proactive protection of your most valuable assets: People, Premises, PCs, and Providers (under 'People' you would include your clients and customers).

But where do you start? If you think the answer begins and ends with IT, you're wrong. Cybersecurity is a business issue, not an IT problem.

You need to start with a health check, also known as a Gap Analysis.

What is a Gap Analysis?

To put it simply, a Gap Analysis reviews where you are today, and compares this to a desired vision of where you would like to be in the future.

That desired future could be to achieve a certain standard, such as ISO27001 (information security), or ISO22301 (business continuity), or GDPR (Data Protection).

These standards (and regulations) outline what is needed to achieve full certification. But if you don't know where you are now, how do you know how much work is involved in getting there?

Cybersecurity is a marathon, not a sprint

If you were training for a marathon, you could just set off running today and 'give it a go'. But if you're serious about doing this right, then you'll most likely seek professional advice on how to train correctly for it.

Any professional will then tell you that they need to understand where you are right now: how much training have you done? What's your policy around diet and fitness?

This test seeks to understand your current position so that you can move forward more productively.

That's what a Gap Analysis does.

It gives you a clear picture of where you are, right now. Typical questions asked in a Cybersecurity Gap Analysis are:

  1. What Information Security and Data Protection Policies are in place?
  2. Is someone responsible for cybersecurity?
  3. Have you a review process for your suppliers? Are contracts up to date?
  4. When was the last Technical Assessment of your IT systems undertaken?
  5. What protection do you have in place to prevent Malware from getting in?

Of course, there are a lot more questions that can be asked in an assessment like this, and it's worth stating here that a Health Check or Gap Analysis is only as good as the consultant asking the questions, because it's not just about asking questions; it's about asking the RIGHT questions.

Note question 5 above. On the surface, this looks like an IT-related question, and certainly protecting IT systems from Malware is essential. But a reasonable response might also include: "We train our staff about Phishing emails".

This is why we say that a good Gap Analysis is broader than IT.

What are the benefits of a Gap Analysis?

Again, back to our 'gym' analogy, a good Health Check tells you where you are right now, and what areas you need to improve.

If a Gap Analysis only focuses on one area of your business, like IT, then you could be leaving yourself open to a cyberattack. But equally important, and more certain, is the fact that you could be spending time, money and resources on things you don't need.

Your focus could be on the wrong thing. It's like spending money on expensive trainers for the gym when you should be focusing on your diet!

What does GOOD look like?

A good Gap Analysis should give you a clear view of:

  • Current status of your Policies (these are the ground rules you set)
  • How good your processes are, in relation to:
      • People
      • Premises
      • Processes
      • Systems
      • Providers

The analysis should be undertaken by a consultant who has experience in a broad range of cybersecurity standards and regulatory frameworks (technical and regulatory compliance skills are a must).

I have a saying in relation to our Gap Analysis: "We are assessing you from bathroom to boardroom", meaning that we look at everything you do, how you do it, and why.

How long do they take?

Unfortunately, the answer to this question is: it depends. It depends on who is reading this, and what your goals are. I have personally completed a Gap Analysis on a company in one day, but others have taken five or six days to complete. Why?

The first company wanted a broad understanding of their cybersecurity across the areas I mentioned above, while the others wanted a full Gap Analysis against ISO27001, ISO22301 and SOC2. These are interrelated standards, but they require a very deep-dive exploration of a business.

But for simple numbers: if you are a company employing fewer than 50 people, and you're looking for a Gap Analysis against ISO27001, then this would typically take just 2 days.

Why it's important

Our digital landscape is becoming increasingly complex, and with it we're becoming increasingly confused about how to protect all the data we're collecting and processing.

This is why cybersecurity is of vital importance to each of us. It's a fact of life that there are people out there looking to separate us from our hard-earned money.

Typically, they don't care who you are. They don't care if you're a small charity or a banking giant. They don't care if you're in the NHS or if you're a Government establishment.

If you're a small business looking to protect your reputation, and you're confused by cybersecurity, then a Gap Analysis gives you either confidence that you're doing things right, or the information you need to focus your resources on what matters.

Equally, if you're a larger business that has been established for many years, a Gap Analysis is a great way to have a 'sense check' that you're focusing your resources in the right places.

Conclusion

I was speaking at a conference recently, and following the presentation, a CIO in the audience said: "I am currently spending £3 million per annum on cybersecurity. How can I improve my security?"

My answer was simple: "Stop spending £3 million on cybersecurity and spend some of that on a Gap Analysis. You may find that you're spending the money on the wrong things."

Remember: cybersecurity is a marathon, not a sprint. The Gap Analysis is the thing you do before you get to the 'starting line'.
