How to Establish a Cybersecurity Baseline

3 Methods for Creating a Cybersecurity Baseline for Vendors
Written by Rachel Holmes

The need for a cybersecurity baseline

A cybersecurity baseline is an invaluable set of information security standards for your organization. It helps you understand your security posture, identify security gaps, and meet cybersecurity regulations.

The most widely adopted cybersecurity baselines are those recommended by the NIST Cybersecurity Framework, the CIS Critical Security Controls (formerly published as the SANS Top 20), and Shared Assessments (designed for third-party risk management). We covered the specifics of these frameworks in a previous blog.

While these baselines are a great starting point for defining security goals and improving security performance, cyber risk is relative: the level of risk you’re willing to accept may differ from the levels these frameworks assume.

Let’s look at how you can establish a cybersecurity baseline that works for your unique risks, industry, and business.

1. Understand your current cybersecurity posture

The first step in establishing a cybersecurity baseline is understanding your current cybersecurity posture. But as your digital infrastructure grows, understanding security risk, performance, and exposure gets much harder. Security assessments have their place, but they are time-consuming and provide only a point-in-time view of cyber risk. As a result, there is considerable uncertainty about where investments and resources should be allocated.

You need simple, quantifiable metrics that establish your organization’s baseline security performance—continuously and automatically. Bitsight Security Performance Management empowers you to:

  • Visualize your growing attack surface—on-premises, in the cloud, and across remote locations.
  • Dig deep into what’s working and what isn’t.
  • Monitor your security ratings.
  • Quickly and easily assess your risk exposure.
  • Model scenarios to predict your future state cybersecurity performance. 

With this baseline, you can justify resources, prioritize remediation, and track changes and improvements over time.

2. Compare your security performance against your peers

An effective way to understand your organization’s cybersecurity maturity (and improve it) is to compare it to that of similar organizations in your industry.

Benchmarking your security posture against your peers provides a realistic cybersecurity baseline to aim for. Traditional cybersecurity tools don’t provide this level of analysis or insight, but with Bitsight Peer Analytics you can easily and intuitively assess how your cybersecurity program performs compared to your peers.

With Peer Analytics, you can:

  • Compare cybersecurity analytics against organizations of a similar size, industry, employee count, and resources. 
  • Better understand what standards of care are appropriate within your industry.
  • Identify what security targets you should strive to achieve, and where current security practices and controls fall short.
  • Create improvement plans and prioritize risk-reduction strategies.
  • Advocate for increased security resources. 
  • Report on progress and results more clearly and effectively.

For a real-world case study, discover how Cornerstone Building Brands uses Bitsight to benchmark security performance against peer organizations and improve its security posture.

3. Connect security performance to business and financial risks

Another important cybersecurity baseline connects security performance directly to financial performance and overall business risk.

For example, with Bitsight Financial Quantification, you can quickly and easily simulate your organization’s financial exposure across hundreds of thousands of cyber events, including ransomware, regulatory compliance issues, supply chain attacks, and more.

With this baseline, executives and the board can make informed decisions about which risks they are willing to accept, mitigate, or transfer—and where to focus security budget and resources. You can also demonstrate how that exposure changes as you invest in new security controls and resources.

4. Baseline your vendors’ security performance

Cyber incidents that originate with a vendor or third party eclipse those caused by direct attacks. Today, 62 percent of network intrusions originate with a third party, often someone in your software supply chain.

To reduce that risk, you need to hold vendors accountable to a cybersecurity baseline. But what is an appropriate baseline, and how can you hold them to it without exhausting your resources?

Let’s look at three methods for establishing a cybersecurity baseline for your vendors and assessing them against it.

1. Industry-standard cybersecurity baselines

The most widely adopted cybersecurity baselines are those recommended by the NIST Framework for Improving Critical Infrastructure Cybersecurity, the CIS Critical Security Controls (formerly published as the SANS Top 20), and Shared Assessments (explicitly designed for third-party risk management).

Adherence to these standards is measured using cybersecurity assessments – both prior to onboarding new vendors and throughout the life of the relationship. These assessments can be conducted by internal security and risk professionals. However, because of their complexity, they are often outsourced to professional cybersecurity risk assessment firms.

While these cybersecurity baselines are a helpful starting point, they are extensive, and there are thousands of questions you could ask a vendor during the assessment process. To help focus your discovery efforts, check out our guide: 40 Questions You Should Have in Your Vendor Security Assessment.

2. Vendor-specific cybersecurity baselines

Although helpful in discovering hidden risk in third-party relationships, traditional security assessments are often conducted with a one-size-fits-all approach where each vendor is assessed in the same way. This puts an unnecessary burden on your organization and can slow the onboarding process. You don’t want to spend time and resources doing full-blown assessments of non-critical vendors to determine if they meet your cybersecurity standards. After all, a food-service provider poses less risk to your business than an accounting firm that has access to your most sensitive data. Therefore, the standards of care they are held to should be different.

A better way to establish a workable cybersecurity baseline against which you can effectively measure security performance is to tier vendors or group them according to their criticality to your business and the inherent risk you’re willing to accept.

Bitsight for Third-Party Risk Management (TPRM) can aid this process by recommending data-based tiers. Once you’ve tiered your vendors, you can then set acceptable risk thresholds for each. For example, the higher the level of access a vendor has to your company’s data, the tighter their cybersecurity baseline must be, and the higher their required Bitsight Security Rating. You can also incorporate language in your contract to ensure that your third parties meet these thresholds. Think of it as a cybersecurity SLA.

3. Quantifiable cybersecurity baselines

Another limitation of traditional third-party cybersecurity assessments is that they capture only a point-in-time view of a vendor’s performance. In between annual assessments, vulnerabilities in a third-party’s IT infrastructure can emerge and put your organization at risk.

Instead, plan to continuously monitor your vendors in near real-time from the moment they’re onboarded. For example, Bitsight for TPRM uses the Bitsight Security Ratings platform to provide you with a data-driven, quantifiable baseline – a cybersecurity benchmark – of third-party cybersecurity performance which you can monitor for the life of the relationship.

Similar to credit ratings, Bitsight Security Ratings range from 250 to 900, with a higher rating equating to a better overall security posture. 

With this baseline metric, you can quickly and automatically determine whether a vendor has deviated from pre-agreed risk thresholds (ratings can also help inform what those thresholds should be), identify specific areas that need improvement, and track progress over time.

For example, you can receive alerts when a critical third party’s security rating experiences a drop of any kind. However, for less critical vendors, or those that have a track record of maintaining a solid cybersecurity baseline, it might make more sense to create alerts for significant performance drops or drops within the specific risk vectors of greatest concern to your organization. From there, you can work with the vendor to develop a remediation plan or – depending on the criticality of the vendor or the severity of the issue – conduct an interim, in-depth assessment.
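The tiering described under method 2 and the tier-dependent alerting described just above can be expressed as a small policy engine. The following is an added example, not Bitsight code and not a call to any Bitsight API: the only fact it takes from this page is the 250 to 900 rating scale. Every tier name, threshold, risk-vector name, vendor and rating value is constructed for illustration, and a real program would read snapshots from a ratings feed rather than the embedded sample.

```python
"""Tiered vendor baselines with rating-drop alerting (added example, not Bitsight code).

Only the 250-900 rating scale comes from the page; all tiers, thresholds,
vendors, risk vectors and ratings below are constructed for illustration.
"""
from dataclasses import dataclass, field

RATING_MIN, RATING_MAX = 250, 900   # rating scale described on the page
GRADE_ORDER = "ABCDF"               # hypothetical risk-vector grades, A best, F worst

# Hypothetical per-tier baseline. A critical vendor alerts on any drop
# (drop_alert = 1); lower tiers alert only on a drop of at least drop_alert
# points, or when a watched risk vector gets a worse grade.
TIER_POLICY = {
    "critical": {"min_rating": 740, "drop_alert": 1,  "watched_vectors": ()},
    "standard": {"min_rating": 650, "drop_alert": 40, "watched_vectors": ("patching_cadence",)},
    "low":      {"min_rating": 550, "drop_alert": 80, "watched_vectors": ()},
}


@dataclass
class Snapshot:
    """One point-in-time view of a vendor: overall rating plus vector grades."""
    rating: int
    vectors: dict = field(default_factory=dict)   # vector name -> grade letter

    def __post_init__(self):
        if not RATING_MIN <= self.rating <= RATING_MAX:
            raise ValueError(f"rating {self.rating} outside {RATING_MIN}-{RATING_MAX}")
        for name, grade in self.vectors.items():
            if grade not in GRADE_ORDER:
                raise ValueError(f"bad grade {grade!r} for vector {name}")


def assign_tier(data_access: str, business_critical: bool) -> str:
    """Tier a vendor from two hypothetical inherent-risk inputs.

    data_access is one of "none", "internal", "sensitive".
    """
    if data_access not in ("none", "internal", "sensitive"):
        raise ValueError(f"unknown data access level {data_access!r}")
    if data_access == "sensitive":
        return "critical"
    if data_access == "internal" or business_critical:
        return "standard"
    return "low"


def evaluate(vendor: str, tier: str, previous: Snapshot, current: Snapshot) -> list:
    """Compare two snapshots against the vendor's tier policy; return alert strings."""
    policy = TIER_POLICY[tier]
    alerts = []
    if current.rating < policy["min_rating"]:
        alerts.append(f"{vendor}: rating {current.rating} below {tier}-tier baseline "
                      f"{policy['min_rating']}")
    drop = previous.rating - current.rating
    if drop >= policy["drop_alert"]:
        alerts.append(f"{vendor}: rating dropped {drop} points "
                      f"({previous.rating} -> {current.rating})")
    for name in policy["watched_vectors"]:
        if name not in previous.vectors or name not in current.vectors:
            continue  # vector not reported in both snapshots; nothing to compare
        before, after = previous.vectors[name], current.vectors[name]
        if GRADE_ORDER.index(after) > GRADE_ORDER.index(before):
            alerts.append(f"{vendor}: watched risk vector {name} worsened {before} -> {after}")
    return alerts


# Constructed sample: one vendor per tier, with a previous and a current snapshot.
SAMPLE = [
    ("accounting-firm", assign_tier("sensitive", True),
     Snapshot(760, {"patching_cadence": "A"}), Snapshot(755, {"patching_cadence": "A"})),
    ("saas-crm", assign_tier("internal", False),
     Snapshot(700, {"patching_cadence": "B"}), Snapshot(690, {"patching_cadence": "C"})),
    ("food-service", assign_tier("none", False),
     Snapshot(600), Snapshot(540)),
]


def run_sample() -> dict:
    """Evaluate every vendor in SAMPLE; returns vendor -> list of alerts."""
    return {vendor: evaluate(vendor, tier, prev, cur) for vendor, tier, prev, cur in SAMPLE}


if __name__ == "__main__":
    for vendor, alerts in run_sample().items():
        print(vendor, alerts or "no alerts")
```

On the sample, the critical accounting firm alerts on a five-point drop that a lower tier would ignore, the standard-tier SaaS vendor alerts only because a watched vector worsened, and the low-tier food-service vendor alerts because it fell below its (looser) baseline even though the drop itself was under the tier's threshold. The thresholds belong in the contract language the previous section calls a cybersecurity SLA, so that an alert maps to an agreed obligation rather than a judgement call.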

Continuous monitoring also puts security management back into your organization’s hands. If you can independently verify third-party security performance against a quantifiable cybersecurity baseline, you don’t need to rely on your vendors being timely, forthcoming, and honest in their security reporting.

Bitsight TPRM even provides lifecycle operational guidance based on your relationship with a vendor – whether they are a third-party, fourth-party, or competitor – and the stage of the relationship, so you can monitor and hold them to account in context. 

Successfully communicate performance against vendor cybersecurity baselines

Finally, as you consider the cybersecurity baseline that you hold your vendors to, don’t overlook the importance of communicating performance against that standard to your leadership team. The ability to discuss third-party cyber risk in a clear, non-technical way will help minimize confusion, secure cybersecurity resources, and drive consensus about third-party risk management across the organization.