How do you test your cybersecurity policies to find gaps?

1. With due respect, I disagree with this approach. Audit certainly is useful however its not something organizations can afford to do throughout the year. 2. The first step would convert your cybersecurity policies into measurable metrics . It could be either key risk indicators (KRI) or key performance indicators (KRI) . Example - Lets say your policy states that says suspicious activities should be immediately reported or organizational data should not be shared with unauthorised parties, then a) # of security incident reported could be one metric measured on monthly basis b)# of DLP incidents could be another metric. Tracking these metrics on a monthly or regular frequncy, would be indirectly measuring your cybersecurity policies

Auditing is indeed a cornerstone to identify potential weaknesses and fortify security postures To add to the discussion, leveraging frameworks like ISO 27001, NIST, or CIS is invaluable. They provide a solid benchmark, helping businesses identify gaps and optimize their policies for better security outcomes.

I recommend conducting a Threat Model against the system before you take the step to audit policies. You might find in the Threat Model that there are gaps that need to be filled, which can then be audited later.

Security policies are a type of control. Policies can further create SOPs to implement security practices or other controls within the organization. Simulations, table top exercises, drills, penetration testing are various methods to assess the effectiveness of policies. While penetration test identify primarily the technology controls, other simulations such as ransomeware or cyberthreat scenario test can test effectiveness of your incident mgmt capabilities, communication and notification plans. The social engineering and phishing campaigns can test human awareness and education factor within your organization.

Simulating cyberattacks is a great way to validate that your controls are functioning effectively. I recommend working slowly up to this level to ensure that the teams can ensure that they are getting the needed logs and alerts from systems before conducting some of the mentioned simulations. This will ensure that the teams are prepared and systems have the need logging and alerting to validate that the controls are adequate as well.

Real-life simulations are crucial controls often missed, especially in the SMB space. These controls have the best ROI and build operational resilience. Think of running fire drills for children in school. Without them, a tragedy would be far worse. Same with a beach, the difference can vary from a slightly costly inconvenience to being in the news and shuttering doors. Incident Response planning effectuated via Table-top exercises prepare and organization, from CXO, to HR, legal, PR and IT. So running a realistic fire drill for the organization is crucial and one of common controls missing most often today.

Training your staff should be the first step in identifying cybersecurity gaps. Reason: Per the World Economic Forum's recent report, 90% of breaches happened due to human error. And if those errors were eliminated, organizations would not have faced breaches. Your employees are your first line of defense and attack. So, they need to be trained regularly with constant simulations. Cybersecurity awareness training should be mandatory for everyone, irrespective of the technical or non-technical background of your employees. Open culture fosters trust in the leadership and employees are more confident in questioning their leaders about an email received from them.

Humans are part of the processes and they operate technology, hence human education is always crucial. Security trainings should be contineous exercise and should be over different channels such as training platforms, in-person trainings, quiz, gamifications, advisories , phishing simulations and so on. Keep monitoring the outcome of these exercises and see how well trained your staff is. This would also measure effectiveness of your policies.

This step should be part of the needed training with the change management of onboarding and deploying new systems so that the teams get the required training to operate and manage the systems effectively.

Monitoring cybersecurity performance involves reviewing data collection and analysis to measure policy and control effectiveness. Tools like dashboards and alerts aid in tracking progress, identifying trends, and spotting issues. Regular evaluation of outcomes guides improvements, proactive problem-solving, and adaptation to evolving threats, ensuring policies remain effective and responsive.

This step is often overlooked or missed. It should be part of a continuous monitoring and feedback process once the system goes live.

Updating cybersecurity policies involves reviewing existing policies, gathering insights from incidents and audits, aligning policies with organizational goals, engaging stakeholders, using version control and policy management tools, incorporating industry standards, addressing emerging threats, ensuring clear language, conducting training, establishing regular review cycles, and ensuring compliance with legal requirements to maintain relevance, accuracy, and effectiveness in safeguarding the organization's digital assets.