What is a Gap Analysis?

Learning Objectives

Understand fundamental security concepts:

• Gap analysis

What is a Gap Analysis?

In an era of constantly evolving threats, understanding the state of an organisation's security controls is essential so that we always know where we stand against these threats. This understanding is where a Gap Analysis comes into play.

A Gap Analysis, also known as a Gap Assessment, is a methodical process aimed at evaluating the current state of an organisation's security controls against its desired control objectives. If during this evaluation a security control is found to not be meeting its control objectives then this would be an example of a "gap" and would be recognised as a security risk that needs to be remediated.

While the concept of assessing "where we are VS where we want to be" might sound straightforward, the actual execution of a Cybersecurity Gap Analysis can sometimes be very complex and time consuming.

What does a Gap Analysis consist of?

A Gap Analysis involves an extensive amount of research, data gathering, analysis, and coordination among numerous stakeholders. This is all done with the aim of painting a comprehensive picture of the organisation's current cybersecurity landscape to then compare it to our control objectives. This process can span many months depending on the size and complexity of the organisation.

Determining Control Objectives

The first step in conducting a Gap Analysis is determining the baseline control objectives against which the analysis will be conducted. The baseline control objectives are the minimum security goals we expect our controls to achieve for it to be considered up to standard. Organisations might set their own internal control objectives or adhere to formal standards to define their desired control objectives such as the ISO/IEC 27001 and NIST SP 800-171 R2.

Once your baseline control objectives are defined the lengthy process of evaluating every current security control in your organisation against that baseline begins.

Evaluation of People, Systems and Processes

An integral part of the analysis involves evaluating the people, systems and processes within the organisation. Many organisations will forget to evaluate their people and only focus on their systems and processes but this will only lead to security gaps being overlooked in the human factor of your organisation.

Evaluating your people includes documenting your employees' formal experience, current training levels, and their knowledge of security policies and procedures. Then you must examine how effectively they are applying their training and enforcing those security policies and procedures throughout their role on a day to day basis.

Evaluating systems and processes involves examining all your existing hardware, software and other IT systems and processes, then evaluating the current security controls that they implement.

Comparative Analysis

The heart of a Cybersecurity Gap Analysis lies in the comparison stage, where the existing systems and processes are evaluated against the desired standards or baselines. This involves identifying weaknesses in the systems and determining the most effective processes that can compensate for these weaknesses. A detailed analysis is conducted across broad security categories such as Application, Network, Endpoint and Cloud security. Which are then broken down into smaller segments for a more granular evaluation.

Analysis and Reporting

Following the comparative analysis, the final stage involves organising the findings into a final detailed report. This report provides a clear view of the current state of security within the organisation, outlines the baseline objectives, and charts a path from the current state to achieving these objectives. Recommendations in the report will often include timelines, budget estimations, and other measures required to bridge the identified gaps.

This final report is essential for organisations looking to enhance their cybersecurity posture effectively and efficiently.

Example of a Security Gap

A real example of finding a security gap could be as simple as looking at our password controls.

Let us first define our Control Objective to be:

This would just be a summary of the objective as you would need more detail of how to obtain that objective and what defines a "strong password". This is usually aligned with industry standards or best practices such as:

• Minimum 12 characters long
• Mix of upper and lower case letters
• Include at least one number and special character
• Changed at least every 90 days

Once we have our control objective clearly defined we would now look at our current password controls to identify any possible gap:

This would be an example of a gap in our security as we can see that our current controls do not meet the control objectives of ensuring strong passwords and therefore does not securely prevent unauthorised access which would be the risk associated with the gap. This is just one simple example but we would repeat this process with every control objective and every single control we currently have implemented in our organisation to complete a full gap analysis.

Why carry out a Gap Analysis?

Although the process can be complex and time consuming, the insights gained from a gap analysis is invaluable. It not only highlights the current state of an organisation's cybersecurity controls but also provides a strategic roadmap for achieving improved security. By carefully assessing and addressing theses gaps in their own cybersecurity landscape, organisations can better protect themselves against the ever changing landscape of cyber threats.