What Am I Looking At? Making Sense of Your Cyber Testing Reports
It’s no surprise that Compliance and IT do not speak the same language. Compliance staff often speak in terms of regulations and policies, whereas bits and bytes are the language of IT staff.
This distinction is clear when it comes to cybersecurity risk management, as the compliance and IT audiences are looking for different takeaways when reviewing cybersecurity testing reports, according to E.J. Yerzak, Director of Cyber IT Services at CSS, and Korrine Kohm, Director of Retail Wealth Manager Services at CSS, who presented on the topic at the CSS/Ascendant compliance conference in San Diego in coordination with Martin Voelk, Chief Hacking Officer of GigIT, Inc.
Their session, “The Threat is Real – Understanding Your Cyber Testing Reports,” explained various types of cybersecurity testing that many investment advisers are retaining firms to conduct, from phishing testing to vulnerability scanning to various types of penetration testing (network, web application, and Wi-Fi), as well as the difference between each testing approach. And since all cyber testing is essentially designed to assess cyber risk, the speakers discussed industry standard vulnerability frameworks such as the Common Vulnerability Scoring System (CVSS) ranking scale and the use of CVE Identifiers to uniquely identify a specific vulnerability.
Given the numerous agency regulations that now require or strongly recommend periodic cybersecurity testing and set forth specific frequencies for such testing, it is now more important than ever that compliance and IT get on the same page when it comes to understanding their firm’s cyber risk exposure, and what is being done to address those risks. Compliance need not become an IT person, but can certainly benefit from developing a good working knowledge of, and obtaining more comfort with, the different types of cyber testing, the various parts of a cyber report, and how much risk a particular vulnerability presents to the firm.