
What is a RAnGER™

What is a RAnGER™? How does it work? Why do I need one?


We can’t appreciate where we are if we don’t understand where we came from. This is as true today as it was when Socrates said, “to know thyself is the beginning of wisdom.” An odd beginning for a cybersecurity risk assessment, but Socrates’ knowledge applies as well in the 21st century as it did in ancient Greece. For an organization to understand where it needs to be in the cybersecurity landscape, the organization must understand where it is now. We at Quantum Vigilance understand this, and it is why all of our journeys begin with a RAnGER™. In line with the National Institute of Standards and Technology (NIST) and their Cybersecurity Framework, our RAnGER™ is a major step towards identifying and protecting cybersecurity assets [1]. Our RAnGER™ consists of 3 parts and acts as a guide towards a better cybersecurity future: a Risk Assessment, a Gap Evaluation, and a Reporting of our findings.


Our RAnGER™ begins with a Risk Assessment. The risk assessment will include people, processes, and technology. We choose to look at the risk assessment through these lenses and in this order on purpose. According to Verizon’s 2021 Data Breach Investigations Report, 85% of all cybersecurity-related breaches involve a human element [2]. Our risk assessment will begin with meeting stakeholders within your organization to determine what your needs are. After collaborating with your stakeholders, we will craft a cybersecurity survey that will go out to your entire organization, with the belief that cybersecurity is everyone’s job. An article in the Harvard Business Review emphasizes the need for cybersecurity culture to be carried throughout an organization for success [3]. The survey will be non-intrusive and cover some basic cybersecurity hygiene, as well as some questions about tools and technology that members use for normal operations. The survey acts as a barometer for understanding the people in the organization and their level of cybersecurity awareness.


Following the survey, we will begin an inventory of the hardware and software that your organization uses. We follow industry best practices and utilize NIST’s 800 series Special Publications as our guidelines for conducting our inventory [4]. The inventory will include network technology, servers, computers (both desktop and portable), mobile devices, and all the software that operates across them. Additionally, we will collect any documentation that your organization has about these assets: policies, procedures, and service agreements. Our inventory will also include the update and security procedures documentation surrounding these assets. We will look at how these systems are deployed, backup systems, redundancies, and the like. Upon completion of the inventory, we will begin an analysis of our findings.


Our analysis will address the survey and inventory results. We will identify potential threat sources and events arising from uncovered vulnerabilities. Our identification process takes into account industry best practices as well as compliance requirements that your organization may require. Our analysis will determine the risk by assessing the impact on your organization and the likelihood of a threat being exploited. The impact of a threat considers monetary and reputational loss due to downtime, timeline to recovery, and costs to recover. Likelihood factors in exposure as well as ease of attacking a threat. Once we have determined the risk, we can move on to determining risk mitigation.


Our Gap Evaluation factors in your missions and goals, while appreciating resources that you have to dedicate towards resolving risk. Our RAnGER™ does not work in a vacuum. We understand that there are operational needs of your organization, and we will make sure our suggestions accurately reflect your best interests. Cybersecurity should be a business enabler, not a cost leader.


The culmination of all our steps is the Report. Our RAnGER™ will be presented in plain-spoken language to ensure that every stakeholder in the organization can understand the results and come together to determine a path forward. An MIT Sloan Management Review research study revealed that companies that suffered the worst during a cyberattack were those that failed to build a robust cybersecurity strategy [5]. A robust strategy needs to address protecting business assets before and after an attack as well as increasing cybersecurity awareness throughout an organization. With our RAnGER™ in hand, we can help you understand your cybersecurity identity and begin a journey towards a more secure future.




[1] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity. https://doi.org/10.6028/NIST.CSWP.04162018

[2] Verizon, 2021 Data Breach Investigations Report. https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2021-data-breach-investigations-report.pdf

[3] Harvard Business Review, 7 Pressing Cybersecurity Questions Boards Need to Ask. https://hbr.org/2022/03/7-pressing-cybersecurity-questions-boards-need-to-ask

[4] National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Resource Center. https://csrc.nist.gov/publications/sp800

[5] MIT Sloan Management Review, Make Cybersecurity a Strategic Asset. https://sloanreview.mit.edu/article/make-cybersecurity-a-strategic-asset/



