Are Cyber Security self assessments useful?

In the world of cyber defences, our government often talks up self-assessment tools to be part of the community’s cyber security solution. I am often asked by boards and executives “Are they useful?”, and of course the answer is “well, it depends on what you are using it for”. Self-assessment tools are obviously flawed for any sort of governance objective, however clearly any thought given by your CIO or IT manager to understanding their circumstances and defences is better than none at all. Independent expert assessments, audits or health checks are always going to be the better choice as they don’t suffer from the key dangers of self-assessment processes. A false sense of security that is given by an inaccurate self-assessment is often more dangerous than no assessment at all. We have reviewed countless self-assessment reports, that not only paint a rosier picture than reality, but also hides a complete misunderstanding of the goals and objectives of required security controls.  

Often a more important question for executives responsible for cyber resilience and security governance is not about the importance of independence, but the difference between a "Review" and an "Audit".

So how does an Independent Cyber Security Review and an Independent Cyber Security Audit differ? This can generally be found in the intent and therefore the focus of the advice and recommendation that should be part of the deliverable. Audits will often target testing controls and confirming compliance, whereas Reviews will similarly consider controls & capabilities but will focus on the gap analysis of these capabilities to the business’ requirements, and the opportunity assessment for improvement. Cyber security is a constantly moving target, and to win the arms race you need “actionable advice” on where to focus improvement efforts not just a list of controls that are not effective.

As Beyond Technology is Australia’s leading Independent bespoke mid-tier technology advisory, we provide both independent Review and Audit services and will often combine a review and audit process to produce a hybrid outcome that benchmarks capabilities and confirms governance, while providing "actionable advice" on your improvement roadmap. If you know of an organisation that need assistance with independent cyber assessments or audit - then let them know that Beyond Technology can help.