Improving Security Posture Through the 4-Step Gap Analysis Process

By Brad Fugitt, Chief Information Security Officer of Pax8

As we move into 2021, managed service providers (MSPs) will increase their focus on security as they work to keep their clients’ data safe, protecting them from potential threats and loss. The move to a work from anywhere environment increased the already rising risk of data breaches. For this reason, MSPs offering enhanced solutions and safeguards will provide the most value and peace of mind to business owners, strengthening the relationships with current clients, and creating opportunities for new ones. This need for increased security solutions presents enormous growth opportunities for MSPs.

Securing clients with the best technology also means securing them with the correct technology. Each company’s needs are specific to their unique situation. That is why the MSP must understand the client’s current security state. A great way to gain this deep understanding is by conducting a gap analysis. A gap analysis will provide insights into a client’s existing processes, how they use technology, and what security measures are in place. It will uncover areas of threat where enabling superior technology, implementing better software, and recommending process improvements will improve the security posture.

Following the four-step process outlined below will enable you to secure your clients with the right solutions, strengthen the relationships, and grow your business.

1. Determine the scope and desired state.

The first step in conducting a gap analysis is defining the scope of the project. Working with the client, you should decide if the focus will be on the entire company or specific departments, the project’s desired length, and the expected costs. Understanding these aspects will determine the depth of the analysis. 

Improving security posture will be different for each company, so establishing targets is necessary. Some companies are more prone to data hacks, while others are the targets of persistent phishing attacks. Each threat requires specific solutions, and targeting those risks will help determine your course of action. The client may have specific targets for improvement, and you may identify additional areas through your analysis. 

Along with focusing on the defined targets, it is also essential to use an information security standard as a benchmark. Doing this will reveal how the company compares to its peers and industry requirements. It will also provide best practices to follow. A common standard used for gap analysis is ISO/EIC – 27002:2013.

Together, these insights will determine the client’s desired security state. That goal will guide the analysis, ensuring you focus on the right areas and ask the right questions. The process remains the same, but each desired outcome might require a higher focus on specific areas. Once you understand the client’s current condition and anticipated goals, the evaluation can begin.

2. Define the current state.

Evaluating the company’s current state requires many activities, including interviewing various team members in many departments. Talking with the C-Suite and legal departments helps identify the current perceptions and expectations of leadership and its legal requirements. With many companies now operating remotely, it is essential to understand how HR developed the work from home program and its policies. IT can provide insight into which security features, software, and processes are currently in place. And finally, interviewing employees uncovers daily processes, the number of portals accessed, and permissions. 

This phase also includes evaluating the client’s current technology. Studying the security software, tools, and applications will allow you to determine if they are safeguarding their information correctly. Examining their productivity technology is also a vital aspect of this evaluation. Areas to explore are on-premise technology, outdated software, and applications missing current updates. Evaluating how the company uses technology provides opportunities to enable them with enhanced and more appropriate options. Additionally, you will gain insight into the types of data the client is collecting and how it is used and stored.

Finally, this stage allows you to review the client’s current processes. Efficient processes are essential to a company’s security. Outdated processes containing several human touchpoints increase the possibilities for data loss. The more processes a company has, the greater its risk. Outdated processes offer a huge opportunity for MSPs to strengthen a client’s security posture and increase efficiency.   

3. Identify gaps.

Once the company’s technology, tools, and process evaluations are complete, you can identify the security gaps. You should compare its current state against the industry benchmark to determine if they are missing any compliance requirements. 

Security technology can contain several gaps. Outdated software missing the most recent updates is not equipped to protect against current threats. New versions have enhancements, patches, and fixes, enabling them to safeguard the company against recent trends in cyberattacks. Using standard settings on the company’s technology means the minimum capabilities are enabled and may not be sufficient for the industry or work nature. And if a client purchased and installed their software, it may be inadequate, leaving the company open to threats. Misused productivity tools and applications also present opportunities for improvement, as they can create dangers and inefficiencies. 

An often-overlooked area that contains security gaps is the company’s processes. When they include multiple steps and human touchpoints, it increases the company’s risk. Each human touchpoint increases the chance of data loss because humans are naturally prone to error. Technology and automation can mitigate this risk. Client processes are something MSPs should pay close attention to in the gap analysis. They present an excellent opportunity to improve clients’ security while also increasing efficiency and revenue.

4. Develop a security roadmap.

With a clear understanding of the client’s current technology state and gaps, you can now develop a security enhancement roadmap to attain their desired state. Needed improvements, costs, and capital will determine if the plan’s implementation will be immediate or a phased project spanning months or years. Prioritizing items in the roadmap is crucial. Changes to meet industry requirements must happen quickly. Failure to do so could result in fines or disruption of business. Easy to implement and cost-effective enhancements should occur earlier, with labor-intense and costly items spread throughout the project scope.

A client using on-premise technology will dramatically improve their technology posture by transitioning to the cloud. It will safeguard them from natural disasters like floods or fires, and the data storage warehouses are far more secure than the company’s hard drive. Cloud technology is also updated regularly by fixing bugs and pushing security enhancements. These automated updates reduce the amount of time MSPs spend on manual processes, enabling them to focus on revenue-driving activities.

Clients using the cloud need to utilize security offerings that are the right solution for their needs. The nature of the business, its goals, and data usage might require adjusting solutions to close security gaps. Ensuring the right capabilities are enabled is also essential. With the focus on remote work, all companies should be utilizing multi-factor authentication (MFA), virtual private networks (VPNs), and email encryption. MFA will ensure only authorized users access portals, and VPN will keep employees’ information safe on public Wi-Fi (the Cybersecurity Tech Accord recently published in-depth guidance on utilizing VPNs and MFA to improve cyber hygiene). Encrypting emails ensures that only intended recipients receive them. Additionally, applying the right permissions will control access to portals and tools.

Solving for security risks associated with outdated processes should be a key focus of the roadmap. Lengthy and unnecessary processes create risk through breakdowns in communication and data losses. Processes containing several human touchpoints increase the risk. Employing software and tools that automate your client’s processes and removes those touchpoints immediately enhances their security posture. Additionally, automating processes will streamline your clients’ business, increasing productivity and costs savings. This money can be reinvested into the business or used to support the rest of the security enhancement roadmap.

The focus on security will grow as more companies continue working remotely. This new landscape presents additional security threats but creates opportunities for MSPs to provide enhancements and value to their clients. Completing a gap analysis will provide MSPs a deep understanding of their clients’ current security state, desired goals, and reveal gaps that need solutions. By developing and executing a security enhancement roadmap, the MSP will provide exceptional solutions, increasing clients’ technology posture, and safeguarding their data. Implementing the new technology will also enable the client to become more streamlined, efficient, and productive.