
I've worked with businesses with excellent cybersecurity postures. One place in particular was very impressive. Their IT team consisted of a CIO at the top, sysadmins, PC techs, help desk and project managers. Then they had a separate cybersecurity department, rolling up under a different reporting structure, with a CISO and security administrators.

They had SLAs requiring critical vulnerabilities to be patched within 7 days, highs within 30, mediums within 90, and so on. They were constantly running vulnerability scans, creating tickets, holding regular change management meetings and patching their systems. The amount of mitigation they worked through and the number of vulnerabilities they fixed was impressive. It also produced monthly and quarterly reports that went up to the board, keeping them informed of progress.

As part of their security cadence, they also had penetration tests and external audits. They were disappointed in the penetration tests, as they mostly consisted of someone coming into the environment and using the same credentials and tools the team already had to run the same vulnerability scans the org ran continuously.

The external audit wasn't much better.

The auditor didn't ask deep, probing questions. It wasn't anything particularly thorough or comprehensive. Rather, it felt like they came with a few preconceived ideas of what they were looking for so they could identify a few findings, write them up and get paid. Both exercises were very much check-the-box exercises for the business and the vendors. They became fodder for board meetings and evidence for compliance but never felt very meaningful.

Meanwhile, something else was going on in the background. Even though they had DLP tools configured to block outbound emails containing PII, the tool had no ability to block inbound PII. This isn't typically viewed as a problem, as the company isn't the one sending the PII in those instances. The problem was that they had broken processes where PII was being requested and onboarded through unencrypted email, so the data still landed in the clear in mailboxes and mail stores the DLP never inspected.

This was brought to the attention of the CISO, but because it wasn't a defined vulnerability from a tool or a finding in an audit, it had no criticality score or follow-up. The practice went on for years, neglected because it lacked the oversight and follow-up needed to close it out.

SignumCyber's Risk Assessment platform does a couple of things to address these blind spots. First, it asks over 600 questions covering over 73 security domains and 6 departments, including HR. It drills down into what is happening in practice to identify the gap in the first place. Next, it takes these non-digital concerns, vulnerabilities that could never be identified by a network scan, and digitizes them. It makes the invisible digitally visible and performs a thorough risk assessment, scoring impact on three metrics and likelihood on three others to produce overall impact, likelihood and risk scores, which allow the vulnerability to be rated critical, high, medium or low. Now it is not only identified but can be tracked and properly prioritized; things that were ignored for years were closed within weeks and reported up the chain. Compliance became less a checkbox exercise and more about improving the security posture and protecting the data. It gave meaning to those empty boxes getting checked.
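The two gaps above, an inbound-only PII exposure the outbound DLP never saw and a process finding with no criticality score, can be illustrated together. The following is an added example, not SignumCyber's platform or the customer's DLP tooling: it scans constructed inbound messages for PII that outbound-only DLP would never inspect, then scores the resulting process gap with a three-metric impact, three-metric likelihood scheme so it lands on the same critical/high/medium/low scale as scanner findings. The metric names, the 1-5 scale, the mean-times-mean formula, the rating thresholds and the sample messages are all assumptions for illustration; the page does not state the platform's actual metrics or formula.

```python
"""Added example (not SignumCyber's platform or the customer's DLP): scan
inbound mail for PII an outbound-only DLP never sees, then put the process
gap on a critical/high/medium/low scale. Metric names, weights, thresholds
and sample messages are assumptions."""
import re

# Constructed sample inbound messages, not real data.
SAMPLE_INBOUND = [
    {"from": "applicant@example.net", "subject": "New hire paperwork",
     "body": "As requested, my SSN is 123-45-6789 and my DOB is 1990-04-12."},
    {"from": "vendor@example.com", "subject": "Invoice 4471",
     "body": "Please find attached the invoice for April services."},
    {"from": "customer@example.org", "subject": "Card on file",
     "body": "Update my card to 4111 1111 1111 1111, exp 09/27. Thanks!"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens; Luhn-checked below
# so invoice numbers and dates do not trip it.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; drops digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {pii_type: [matches]} for one message body."""
    hits = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        hits["ssn"] = ssns
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    if cards:
        hits["card"] = cards
    return hits


def scan_inbound(messages: list) -> list:
    """The inbound-side check an outbound DLP never performs: which messages
    carried PII into the mailbox in the clear."""
    results = []
    for i, msg in enumerate(messages):
        hits = find_pii(msg["body"])
        if hits:
            results.append({"index": i, "from": msg["from"], "pii": hits})
    return results


# Assumed 1-5 metrics; the page says three drive impact and three drive
# likelihood but does not name them.
IMPACT_METRICS = ("data_sensitivity", "record_volume", "regulatory_exposure")
LIKELIHOOD_METRICS = ("frequency", "channel_exposure", "control_gap")
# Assumed rating bands on the 1-25 product of the two means.
RATING_BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (0, "low"))


def _mean(metrics: dict, names: tuple) -> float:
    for name in names:
        if not 1 <= metrics[name] <= 5:
            raise ValueError(f"{name} must be 1-5, got {metrics[name]}")
    return sum(metrics[n] for n in names) / len(names)


def score_risk(impact: dict, likelihood: dict) -> dict:
    """Impact score, likelihood score, risk as their product, and a rating."""
    imp = _mean(impact, IMPACT_METRICS)
    lik = _mean(likelihood, LIKELIHOOD_METRICS)
    risk = imp * lik
    rating = next(label for floor, label in RATING_BANDS if risk >= floor)
    return {"impact": round(imp, 2), "likelihood": round(lik, 2),
            "risk": round(risk, 2), "rating": rating}


def assess_email_intake(messages: list) -> dict:
    """Turn the scan into one trackable finding with a score and rating."""
    hits = scan_inbound(messages)
    if not hits:
        return {"finding": None}
    # Assumed metric values for "PII requested and received over plaintext email".
    impact = {"data_sensitivity": 5, "record_volume": 4, "regulatory_exposure": 5}
    likelihood = {"frequency": 5, "channel_exposure": 4, "control_gap": 5}
    return {"finding": "PII onboarded via unencrypted inbound email",
            "evidence": hits, **score_risk(impact, likelihood)}


if __name__ == "__main__":
    print(assess_email_intake(SAMPLE_INBOUND))
```

Two design points worth noting: the card pattern is backed by a Luhn check so ordinary digit runs such as invoice numbers do not generate noise, and the metric validation raises rather than silently clamping, so a finding that was never actually assessed cannot quietly default to a low score.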