An IT Cadre effort to mitigate cybersecurity risks
August 13, 2018 by Rick Brown, Director of Strategic Cyber
Shadow Information Technology (IT) systems can pose a significant security risk to an organization. They are not protected by the same control measures (e.g., software patches, vulnerability scans, firewall protections, data security controls) as other documented IT services in the environment. This raises the question: If you don’t know what systems and data you have, how do you protect them?
IT Cadre recently performed Visualization Engineering® for an organization that needed to gain better accountability of their Current State and establish a shared vision of where the organization would like to be in 5 years. The Current State analysis identified specific systems, data, processes, and people that were instrumental to both the IT and operational environments.
One of the CIO’s principal areas of concern was IT systems and services that were operating in the environment outside of his control (i.e., shadow IT). To address this concern, an IT Services Assessment was performed to evaluate the complete set of IT Services (previously documented and shadow IT) across 3 different areas:
- Investment Awareness – Are the organization leaders aware of the system’s investment?
- Enterprise Architecture Conformity – Does the system conform to IT standards?
- Cybersecurity – What cybersecurity risks does each system pose to the organization? At the customer’s request, we assessed cybersecurity risk according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
After conducting this Assessment, IT Cadre applied the findings to the Future State to define the best path moving forward.
When determining which systems to eliminate or enhance, there are many factors an organization needs to consider, such as:
- What the system is used for and how many mission areas it supports
- Duplication of system capabilities
- Compliance with Security Regulations and Frameworks
- Existence of Personally Identifiable Information (PII) – Can personal/sensitive information be found within these systems?
Due to IT Cadre’s Visualizations and IT Services Assessment, the organization was able to determine the vulnerabilities of each system and develop a Future State that ensures they are on the right path to effectively achieving their goals and mission, managing IT costs more efficiently, and mitigating the risk posed by cyber threats.