Watch as members of Omega’s SOC team explore some of the most common gaps identified during the risk assessment process and offer actionable steps for fortifying security postures. Discussion topics include:
Kaleigh Alessandro (KA): Good morning and welcome, everyone. It is nice to have you here for our latest webinar discussion, which is centered on IT risk assessments. In today’s conversation, we are going to reveal the 10 most common gaps we see discovered during the assessment process and, as part of that, also share some recommendations on how you can optimize your security posture moving forward.
So, I’m certain everyone on this call has seen my face before, or at least received many, many emails from me in the past, but I’ll introduce myself anyways. I’m Kaleigh Alessandro. I’m the Director of Marketing at Omega Systems, and I’m joined today by two of my Omega colleagues, both members of our Security Operations Center, or SOC team, Maryne Robin and Kyle Phillips.
So, I’ll ask you both to say hi here, tell the audience a little bit about yourself and your background. Maryne, do you want to start?
Maryne Robin (MR): Good morning, all. Thank you for having me today. So basically, I ran my own IT consulting company for about 20 years, specializing in healthcare. And about 10 years ago, I would say, my clients were asking for cybersecurity. I didn’t have any tools. I didn’t have any SOC team. I didn’t have anything.
So, I decided to concentrate on that. I joined The TNS Group, now Omega Systems, and for the past five years I’ve been working in their cybersecurity and compliance division. I’m playing with cool tools; I really like it. My passion is to help businesses keep their hard-earned money – you know, their money – together, by strengthening their cyber resilience and starting with the common gaps that we’re going to see today with you.
KA: Good start. Awesome. We’re happy to have you here today, Maryne. Kyle, want to tell us a little bit about your background?
Kyle Phillips (KP): Yeah, certainly. Hello. Good morning, everybody. My name is Kyle Phillips. I’m a security and compliance consultant here at Omega Systems. I’ve been with the organization now for about a year and a half. Overall, I’ve been working in IT for 6+ years now. Before joining Omega Systems, I was previously working as a risk analyst within the critical infrastructure space. And then before that, I was working in higher education as a security network engineer.
KA: Awesome, well, we are excited to have you both here. Lots to cover in a short period of time. So, I’ll do kind of a quick refresher for everyone, particularly those who may be new to Omega webinars. In this case, we expect the session to run anywhere from 30 to 45 minutes. And our hope is that there will be a few minutes at the end to answer any questions that our audience members might have.
That said, as an attendee, please feel free to send your questions in at any time. There’s a questions box – a little button on your GoToWebinar dashboard. So, feel free to pop those in and we’ll try to get to as many as we are able, time permitting.
As always, we are recording today’s session in its entirety. So, if you need to drop off or you wanna revisit any of today’s content, you’ll have access to that recording beginning tomorrow. Typically, it’s about 24 hours post-event. So right around this time tomorrow. And that will go directly to your inbox. So keep an eye out in your email tomorrow morning for that.
So, without further ado, let’s get into the top 10 security gaps discovered during risk assessments. We’re gonna start with gap #1, lack of IT security governance. Kyle, this might arguably be the most important gap covered today because it’s really the foundation of an organization’s security plan. Tell us a little bit about what we typically see here from a policy, process and leadership perspective.
KP: Yeah, certainly. So usually when Maryne and I do our internal mock assessments of organizations that are either coming on as a, you know, compliance contract with us or if they just are looking to do some sort of assessment, we tend to find that when we’re going through these control questions that some organizations might not have any actual IT policy established at all. Or some of them might have something established, but sometimes we find that that policy might not have been updated in years.
So not having enough clear policies kind of established is usually one of the gaps that we kind of see right out of the gate. Some of the important policies that are usually needed in today’s landscape are going to be, obviously, like an incident response plan, disaster recovery, an overall information security policy, a risk management policy, et cetera; the list can go on for the amount of policy that you need. But that is definitely one of the gaps that we kind of see early on.
Also, some other areas too that we see kind of a lack of is that even though an organization might have policy in place, we do see that that policy is not really enforced. So, we might have enforcement issues of the actual policies. It’s definitely key to have stakeholders or policyholders not only create the policy but to agree upon that policy, have that policy signed off and approved by the executives or the stakeholders, and then distribute that policy to the appropriate staff as needed.
So, for example, a risk management policy would really only probably need to be shared and approved by the people that are managing risk for the organization, whereas an acceptable use policy should be distributed day one and yearly to everybody with the new organization.
KA: That makes a lot of sense. Maryne, we’ve noted some recommendations and resolutions here that can help alleviate this gap. In your opinion, what’s the lowest hanging fruit here and where would you recommend companies with limited or no IT resources get started on this front?
MR: Yes, so no budget is difficult. But first of all, I would recommend that you research if you are under any regulatory compliance [frameworks] or if your cyber insurance requires some controls to be in place. Find out what you need to do first by identifying your most critical risks. So basically, it’s like now, you know, a lot of businesses are doing things on the cloud. So, you have to find out, you know, if Microsoft is not available, if Dropbox, things like that. You have to highlight all your critical risks if you want. Can I run my business without those risks? So, list them. It doesn’t cost anything, but you have to do some research. What are the data that are most vulnerable? What are the vendors we’re using? Sometimes we don’t even know. We have to go to accounting and, hey, who do we pay? You know, who are our vendors? We need to know that.
And in terms of policy, like Kyle was mentioning, it doesn’t have to be totally complex, right? It has to be practical, basically. And it has to be distributed so everybody knows about it. There is a freebie, right? If you go to SANS.org, you have three free templates there; you have incident response free as well. However, you have to customize it. So, before you customize it, you have to know what your critical assets are, and then put it in place with that. Then the third thing that is free also is security awareness, cyber news. You need to know what’s going on with the software and hardware, which you defined earlier.
You know, you have to hear if you use Dropbox, if you use QuickBooks, if you use CDK, right? You need to know that they are in the news, and something is, I tell you, we have to protect it, right? So, listen to that. There are some freebies available. YouTube is a great resource. I recommend @SimplyCyber from Gerald Auger; he has a daily podcast on what’s happening, what’s being attacked, and what to do about it. So, there are some freebies available, and it starts with that minimum investment.
KA: Great tips. One of the things you touched on is a perfect segue to our #2 gap, which is not tracking your known technology risks. Kyle, obviously the assessment process itself is going to help you identify those risks initially, but can you talk about what you mean by the need for tracking risks over time and the best way that companies can go about doing something like that?
KP: Yeah, certainly. So, kind of piggybacking off that last gap there, right? Like I mentioned, having a risk management policy is important. How is your organization going to standardize and manage risk? Every organization has risks, and you’re never going to fully mitigate them—there’s always going to be risk. But a good way to track it is through a risk register. Within this cybersecurity framework, they’re very focused on risk assessment and risk identification.
Having a risk register is crucial for managing your organization’s risks. Think of it as a centralized repository for all identified risks and related information. You want all your risks stored in a central location through the risk register. You want a standardized process specified within policy, including actionable items for risk identification and assessment. Within your risk register, you should capture things like the description of the risk, its potential impact, the likelihood, and who’s ultimately responsible for managing it.
In terms of the lifecycle, the risk register allows you to continuously track it. You could set up a cadence, whether that’s twice a year, annually, or quarterly. It all depends on your regulatory needs or what you decide as an organization, but having it stored in a risk register helps you manage the lifecycle of your risks.
KA: Great. Yeah, that’s really helpful. So, gap #3, your organization does not conduct tabletop exercises or otherwise test incident response plans. So, in this case, during the assessment process, you are finding out that companies who maybe don’t fall short on #1, they do in fact have an incident response plan in place, but they’re not testing it. Maryne, can you talk about why the testing process is so critical to enabling effective cyber incident response?
MR: Yes, definitely. It’s like practicing in front of a mirror. Every good actor still does that. You have to practice. You have to try it out and make it right. It takes several times to get it right. So basically, the first time, you’re nervous, right? So, the second time, it calms the nerves. You’ve done it before. You also want your team to know about that. It’s not just for you, right? The whole team is practicing that test. And it helps looking at for mishaps. So, for example, if you say, you know, the first time around is like, oh, we have to contain that incident, right?
So when the network team goes, all right, I’m going to unplug everything. And then you realize that the forensic team is coming and says, ‘Hey, where are my logs? Where are my memory logs?’ And we’re like, ‘oops, it’s gone. We didn’t save it.’ So those mishaps, the first time they happened; the second time you change your steps. You know, you practice your steps one by one to avoid those mishaps. Not only that, it helps you also set the expectation. Because, ‘oh, I have a backup, you know. Restore: two hours. It’s done.’
Well, not really, because now the scenario is that your servers and your hosts have been compromised. You need to wipe everything. Rebuild everything. Check the backup. Find out when the good backup was good without the attacker being in there. So that takes a long time, and then you finally restore, and then you didn’t realize that the wave on your ISP is so slow that it’ll take forever to actually materialize. So the expectation from the two hours becomes two days, and then you know for next time not to promise the C-level ‘oh, in two hours it’s done.’ So that is one thing practice will help you with. Also, you clarify the roles; you don’t want fighting teams, you know, ‘oh no, I’m doing this, I’m doing it.’ So you’re ready for what if, you know, or when it will happen.
And then of course, as you go, as you progress, you have revision of your documents, so you can clean up the steps.
So the big advantage of practicing is just to make it, you know, smoother and to calm down everything and be more available because, you know, when you’re nervous, you can’t think. So, definitely practice, practice, practice.
KA: Yeah, and to your point earlier, it needs to be practical, right? Otherwise, it’s just a piece of paper. So, until you try out those steps, you don’t know how practical that plan is.
MR: Correct.
KA: All right. Gap #4. See, failure to conduct an audit of system accounts. So, obviously, this means more than just maintaining a record of your current user accounts. Kyle, can you talk a little bit about what you’re referring to here with auditing system accounts and why it’s so important?
KP: Yeah, yeah, certainly. So, yeah, this usually comes up a lot during our mock assessments. Usually, well, yeah, it usually comes as, like, does your organization audit your accounts or level account access on your systems or for your organization, something along those lines. Many times we see small to medium-sized businesses are not doing this, either they’re not doing it at all or they’re not doing it on the required cadence to what the regulation or the framework is asking this type of function to be done. What makes it so important to do this, of course, and this might be self-evident, is to have that security assurance of your accounts. You want to be able to do your audit. And as you’re going through your audit, you might find that there might be unauthorized accounts that were created without you realizing it.
So, detecting those rogue accounts, you might find dormant accounts that have not been used within your network for years at this point. These are the types of things that we want to mitigate from a security operation standpoint, but then also at the same time from a compliance need like GDPR, HIPAA, SOC; they’re going to require that these accounts and these systems are having account audits conducted that adhere to access control policies and then even data protection requirements.
KA: Makes a lot of sense. I think the, if I had to guess there, you know, the dormant accounts, I feel like, probably trip people up, right? You got people who were terminated or left and, you know, they had privileged access here, there and everywhere. And someone forgot to turn that access off, right? That probably happens a lot.
KP: Right, or you, you find accounts that no one even really knows exists and you’re like, oh, yeah, like, that must have been created, like, five, maybe even 10 years ago.
KA: Yeah, definitely security risks there. All right, let’s do gap #5. No operating system baselines have been established. Kyle, here’s another one you can explain for us. And the other non-technical folks like myself who are listening in today, what exactly are operating system baselines and what impact do they have on organizational security?
KP: Yeah, sure. For this gap, this is usually presented as: do you have a configuration standard deployed for your organization? A lot of times we find most organizations don’t have any golden image or baseline template built out for their operating systems. There might be a process to change default passwords on new networking equipment. But there might not be these best practice controls and configurations in place for operating systems.
So, the OS baselines or operating system baselines are really just going to be like some predefined configuration and best practice settings for an operating system that can better establish a new standard of security, right? Because, we’ll use Windows as an example. People like to bully Microsoft Windows. Usually out-of-the-box Microsoft Windows, whether it’s 10 or 11, is going to have a lot of additional settings that are turned on. They do this for usability and ease of access of all their services. However, we find when we do reviews and audits that a lot of services are not needed for day-to-day business operations. So, this is something that we tend to recommend to help mitigate, you know, the attack surface per se of the operating system by turning off those services.
Not every risk is going to be tied to a vulnerability; it might be tied to an unneeded service that can be exploited. So, we tend to find that a lot of organizations, when we’re doing initial assessments, don’t have this type of control in place. They may be looking to do it, but it’s something that would need to be planned and then actually implemented.
KA: Awesome. All right. We are moving right along here. Gap #6. Does not maintain an inventory of applications. Maryne, this one sounds pretty simple, maintaining a list of all the applications used across your company, but I know certainly we’ve seen a few high profile instances in the news where third-party application vulnerabilities have posed serious risks to enterprise IT. Do you want to talk a little bit about this and the potential for increased risk here?
MR: Definitely. So, I mean, first of all, it’s not easy to keep track of all the installed applications. Let’s put it this way: if you were to do it manually, you would have to go to each computer. What’s installed? What is your version? So, better to have an automated tool for it. That’s part number one. But even if you run a scan, right, and it gives you a whole list of applications that you installed and that are installed on your network, you don’t know tomorrow what the user is going to download and install unless you have a policy like I mentioned earlier and you have a technology behind it to block the download of whatever, right? Because it’s a constant battle to keep track of that. So that’s number one.
And then you may not have the visibility on the applications that are running or the services that are running everywhere. If we take, for example, the Log4j (Log4Shell) application, right? You can’t see that if you look for it; technically, you won’t see it right away. But you have to know that somehow it may be running on your system. If you have a Java-based application, it may be running on the system, or your vendor may be running it. So how do you find out? So you have a specific scan for it. So you need to know which one to run. So the list itself is not that easy; it’s not easy to acquire an accurate list. And then after you have a list, then you have to find out, you have to research, you know, well, is this Chrome application vulnerable to something, right?
So again, you’re not going to research one at a time on the web; you would need like a scanning tool. The scan will tell you, if it’s looking at the database of vulnerabilities, if this specific version of that specific application has a vulnerability that you need to patch, right? So you have tools for this. It’s not only the applications. It’s also looking at the firmware, you know, what’s running on your firewall, on your switches? Is it vulnerable to something? And then let’s not forget the third party. So you have Zoom, you have Adobe, you have Chrome, Firefox, right? All those extra applications that you’re running. Well, Windows, when you run the Windows update, it doesn’t update those.
They, most of the time, have automated updates, but we find out this is not always applied. Actually, most of the time it’s not. You kind of need another scan of patching for these third-party software as well. So, all in all, it’s not an easy task to maintain an inventory of applications.
KA: You are correct. There’s definitely a lot to be mindful of there. All right, see gap #7. They’re not performing third-party penetration tests. Maryne, this is a common oversight, I think we see, because it’s often conflated with a vulnerability assessment, which is a completely separate process. Can you explain the difference and why there’s such value in the external third-party pen test?
MR: Yes, so the vulnerability assessment is really like an automatic tool that runs on your network and finds the vulnerabilities. That’s a word of it, right? So it’s a tool. It brings back a list of vulnerabilities, meaning, you know, things to patch, with critical scores. You know, if you have a 10, it means like ‘oh, it’s critical, got to patch it right away’; if it’s under seven, well, you have, you know, you have to take care of it a little bit later. Let’s do all the 10 to 9, 8 and things like that. So that’s a vulnerability assessment. A penetration test is a little bit more aggressive. It simulates a real-world attack. So it’s like hiring an ethical hacker to try to break into your systems.
So it’s going to really try to break that security around your system. But it’s not only that; they also have social engineering, you know, engineers or actors sometimes trying to physically break into your office, doing social engineering phone calls, pretending to be IT and walking into your server rooms, things like that. So it’s a lot more in depth, looking at the vulnerabilities, and all the vulnerabilities being human and technical and administrative. So that’s the difference between those two.
Pen testing may be required for regulatory compliance, or your cyber insurance may require it, or if you work with a government, they may require it. So you have to look at what’s required. Of course, it’s a little bit more expensive than just the vulnerability assessment, but it’s, you know, sometimes mandatory. The key also is that your pen testing is not done by your IT person or by your managed services provider. It’s going to be done by your third party, right, independent of who put the security in place, because basically you don’t want, you know, the billing person making the checks for the charge. You want to divide the roles there, so it has to be by an independent person.
They usually, the company that does pen testing, have experts in place to actually know what kind of attacks your company or your industry is really susceptible to. And they give you a comprehensive view of what vulnerabilities or holes you have around your network or company. So there is great value in pen testing, definitely.
KA: Yeah, they sort of go hand-in-hand; one’s coming from the inside, one’s coming from the outside, and they’re giving you, you know, two really valid sets of data to help you shore up your systems.
All right, we’ve got next gap #8. You have insufficient security detection capabilities. Kyle, I think every webinar we’ve probably ever held since I’ve been here, we inevitably have to reference, you know, how sophisticated threats have become and the need for technology to evolve alongside that in order to effectively prevent threats from causing harm. Where do you see gaps currently on the detection front? You know, where we’re obviously, you know, advising companies to leverage more robust tools nowadays like EDR, MDR, et cetera.
KP: Yeah, so doing many assessments at this point now of organizations, of small to medium-sized businesses, I really have seen kind of like the gamut, from having little to no security controls or endpoint detection tools at all, to they’re using maybe something more like a traditional but unmanaged antivirus. Layer that on top of not having the internal resources to actually respond to the alerts. So, I mean, like, usually the advantage of using, you know, an endpoint detection and response and like a managed detection and response tool set is, you know, the ability in endpoint coverage, right?
So, like, a lot of traditional security tools are going to kind of lack that comprehensive visibility into the endpoints that they’re supposed to be protecting. This, of course, does make it more difficult for, you know, SOC teams and, you know, with internal IT staff to actually detect the threat and where it was originating from. You know, having an EDR tool does provide you that greater sense of, you know, visibility into the endpoint, you know, because modern threats aren’t really just, you know, focused on one machine. Sometimes they, most of the time, they’re getting a foothold, the attacker’s getting a foothold onto a device, and then they’re pivoting to another device to ultimately compromise your Active Directory. I mean, that’s kind of their end goal to pretty much own your environment through account creation or getting to your tier one critical assets.
Other areas, too, that we kind of see gaps in detection areas of assessment is going to be the inadequate monitoring of your blind spots. So you’re going to want to make sure that you’re having all your firewalls, your EDR tools, your antivirus, all of your logs from your endpoints feeding into an integrated SIEM system. Having a SIEM at this point, I would say, is almost kind of like a basic cybersecurity hygiene. You should have that at this point. Of course, these SIEM tools, they take staff, they take resources. So that is kind of the advantage of having a managed service provider like Omega Systems. We would be able to definitely help with covering that gap when we’re going through these assessments. Other things, too, that kind of come to mind with gaps is delayed detection from traditional tool sets. A lot of these traditional tool sets, security tool sets, in particular, are using like signature-based detection, which at times can be slow with identifying any sort of new and emerging threats.
KA: Great points. Absolutely. All right. Let’s keep on rolling here. Gap #9, no consistent cybersecurity awareness training. Kyle, I gather we see this a lot. I think if I had to guess, training inherently feels like maybe the easiest item for people to drop from the security list despite the fact that, you know, we always say employees remain your company’s potentially biggest weakness. So beyond just training videos or even in-person education, maybe you could tell us about some of the best practices on the cyber awareness front that you’d like to see more companies adopt in the future?
KP: So, yeah, I mean, like the basics, right? Like have that cybersecurity awareness training happen at least annually, right? So, like common threats, like threats that are being seen. Do the automated quarterly or monthly phishing. Any sort of onboarding should require that type of training. That’s like the basic stuff that most of us know at this point. And if you’re not doing it, then I would at least start doing the basics, for sure. It’s definitely going to be a cyber liability insurance requirement.
So if you’re looking to do that, they’re going to ask for those types of things. But some areas that I’ve seen when doing these assessments is a lot of organizations, they’ll do the basics, but they’re kind of lacking in terms of the role-based specific training. And what I mean by that is tailoring your cybersecurity training to specific roles within your organization. So, for example, the IT staff should be receiving more technical training, maybe around administrative access, and the importance of having that little access, and what you should be doing. The executive team, excluded from cybersecurity awareness training, just note there, they should be focused more around training that’s going to be around maybe risk management, and then any sort of compliance issues.
Of course, I would tailor this all together with maybe implementing some sort of positive incentives for people within your organization that are actually reporting the phishing emails on a consistent basis. They’re following the security protocols. You know, in cyber awareness training, like a lot of users and people within organizations, they kind of just view it as a checkbox or, you know, they despise it quite honestly. But if you create a culture, you know, like a security conscious culture first, and you could do that through incentives, that’s definitely going to kind of change things and help mitigate, you know, the human, you know, getting attacked by some sort of cyber threat.
KA: Yep, that’s a great idea. All right, we have made it to gap #10, which is lack of any or at least consistent third-party diligence and ongoing vendor management. Maryne, you talked about this earlier. There’s so much focus on third-party vendors and service providers. And that doesn’t just mean your MSP, right? That’s your accountant, your bank, your maintenance company, your payroll provider. Businesses have to consider the security of every vendor they engage with. Can you talk about why this gap is so critical and how you’re seeing it influence more broadly, in particular by regulators and other parties?
MR: Definitely, I mean, today, everything is almost outsourced to a cloud provider or different vendors. So, your vendor is now becoming your business supply chain and is part of your business. You cannot live without them. Well, you can run the business a little bit without them, but you know in the long run you may have a hard time. Look at the Change Healthcare incident that paralyzed a good part of the pharmacy and prescription business, the Ascension Healthcare attack, the CDK attack that [impacted] automotive companies.
So, we have to deal with it internally, but we also have to think about what’s actually being outsourced. One way to do this is through vendor risk management. It’s basically a way to monitor the vendor’s performance. There are tools out there that will let you know if a vendor has some kind of deficiency somewhere or if they were attacked. They help prevent issues with the critical systems we’ve identified, like CDK, QuickBooks, and Microsoft. So, now our ears are going to perk up if the monitoring system tells us that Dropbox has some vulnerability, right? So, I have to do something about it. It would also help to diversify with suppliers. Having many suppliers is ideal, but it’s sometimes not possible.
Another way would be, before you actually hire a vendor, to send them a questionnaire. Ask them for their SOC report or their risk assessment report. How risky are they to do business with, considering they are now part of your business? You may want to review the contract you have with them, including the SLAs. Have they done any acquisitions since last year when they signed up with us, or when we signed up with them, rather? And what are the regulatory requirements?
Am I still allowed to buy hardware or software from this vendor? There’s a lot of regulation affecting some vendors because of their origin, right? So, it’s mainly about being ready for the “what if.” What if this vendor was good at some point but not so good today? What if I didn’t monitor them and didn’t know, and now I can’t work because of it? So what if this happens? It would be preferable to monitor those vendors, basically.
KA: All right, that is our top 10. Really interesting to see some of the gaps that your team runs across consistently. And of course, how critical it is to plug those weaknesses in order to ensure effective security. Let me check our questions box here. I know we’ve passed the half hour mark, but we’ve still got quite a few folks on the line. So let me see if we’ve got any questions here. Looks like just a couple of comments.
I have a question, though, and I’m going to throw this back to Kyle. When you were talking about operating system baselines, one of the topics of discussion I’ve been noting in the news is that Windows 10 end of life is coming up next year. Is that something, those sort of end-of-life vulnerabilities, that would get picked up during the assessment process, that the companies would be able to note?
KP: Oh, yeah, definitely. Yeah. I mean, usually with like end of life software and operating systems, it’s not just one vulnerability. It’s usually, you know, once that stopped being supported, particularly if you don’t have any sort of like long term support through Microsoft for an operating system, which probably will be an option. But if you don’t have that, because that will come at a cost, then yeah, that’s going to open yourself up to a ton of vulnerabilities, not just one. So, analyzing software is definitely a huge item.
On vulnerability scans, they’ll put it as a critical finding automatically, not just because there’s an active exploit on it in that very moment, but moving forward, like someone might find something and exploit it, but it’s not going to be remediated because it’s no longer supported. So yeah, with that transition, like what we saw with Windows 7, organizations should try to learn from Windows 7 to Windows 10, and they should try to get out in front of it as fast as possible. Start planning now, start making sure that you have all the hardware requirements needed for Windows 11, and doing that inventory of your devices will be key for that transition.
KA: Maryne, a couple of questions here. Folks wanted you, if you could share again the, I think it was the SANS Institute is the site you recommended where they can get IT governance policies. Is that correct?
MR: Correct, it’s SANS.org. And you search for policies, they have a slew of them in there. And yeah, good templates, but again, just reinforcing, you have to customize them, you know.
KA: Otherwise, it’s just a check-the-box exercise.
MR: Exactly. Yes.
KA: Great. All right. I’ll give folks a moment in case any other questions come up. I’ll put Maryne and Kyle on the spot here just to wrap things up. We shared our top 10 most common gaps. If you had to pick one that folks... these were in no particular order. If you had to give maybe one piece of advice or one gap that, starting tomorrow, folks should really focus on, what would be kind of that number one pick for both of you? Kyle, why don’t I start with you?
KP: Sure. I would definitely evaluate your current security tool stack and look at, okay, do I have the resources for this to actually detect? So, I think that was number seven, right? I’m sorry, it was number eight. I would look at your security detection capabilities and look at your current security tool stack, see if it has the ability or is up to date in terms of its capabilities as an endpoint detection and response tool. And see if you have the ability internally as your organization to actually detect and respond to an incident. Yeah, that would probably be my number one out of this list.
KA: Makes a lot of sense. All right, Maryne, if you had to pick one, where should folks start zeroing in?
MR: Yeah, I mean, we talked about security awareness training, so I’m not going to choose that as number one, but it could be. Otherwise, I think know what you have, you know, do a vulnerability scan. You’ll know what software is on your network, what hardware is on your network, but more importantly, what’s vulnerable. You start with this assessment, and it gives you a good idea of how your environment is actually – secure or not. So, I would start with that.
KA: Great. All right, well, that about sums things up. We’ve covered everything we wanted to cover today, and I wanna say a big thank you to everyone who joined us for this live session. As a reminder, this content is always recorded, so we will have a link to the recording as well as all of these slides that we’ll include in an email you should receive in your inbox right around 11 Eastern tomorrow.
Maryne, Kyle, thank you both for sharing your insights today and giving us a glimpse into your typical risk assessment findings. I think we’re leaving everyone with some good and really practical tips for boosting their security postures before their next risk assessment.
All right, and that, ladies and gentlemen, concludes our presentation today. Thank you, everyone, for joining, and we will see you again next time. Bye, everybody.
Start strengthening your cybersecurity posture by scheduling a routine IT risk assessment to identify the most pressing gaps in your environment.