Assessments, the cornerstone of IT security

With the digital transformation, companies are seeing their data flows intensifying. “Data is the foundation on which companies create value and improve interactions with users, whether they are internal employees or customers and partners,” explains Thomas Le Clerc, B2B Product Manager Cybersecurity at Orange.

However, the strong growth in internal and external data flows in companies has not escaped the notice of cybercriminals. Data offers criminals additional opportunities, leading to an increase in cyberattacks. Faced with these new digital-related realities, companies have to set up new business infrastructures and work out adapted and constantly developing cybersecurity strategies.

The importance of assessments

“The IT security strategy is based on three pillars: governance, management and operations,” says Le Clerc. “Each of these three pillars must be able to adapt in line with the company’s strategic planning, the impact on IT, the threat landscape and the technological evolution.”

Assessments – whether one-off or recurrent – play a crucial role, in that they help an organisation to better master its risks in an evolving environment. “Such assessments enable companies to keep their cybersecurity strategy up to date,” notes Le Clerc. “In addition, they offer decision-makers – who are not always experts – an independent overview of their exposure to cyber risks, allowing them to develop a strategy based on these risks. Companies also do them for reasons external to their organisation, since such assessments or security audits are increasingly among the conditions that must be fulfilled in order to work with other commercial partners.”

What types of assessment?

Orange essentially offers three types of assessment, each with a specific purpose:

• Security maturity assessment: analysis of your governance and evaluation of your level of maturity compared to sector best practice. You then receive recommendations for improving your security.
• Penetration testing: identification and exploitation of vulnerabilities in your protection and detection systems to improve your operational excellence and resilience.
• Infrastructure assessment: mapping of all the assets in the environment and recommendations for optimising their performance and security.

Beyond these three approaches, Orange also proposes other types of evaluation, notably a risk impact assessment to evaluate the potential impact of an identified risk on business continuity, as well as vulnerability scanning to help the organisation structure patching operations.

Check-up

“Today, Belgian companies are demonstrating more and more maturity in regard of IT security,” says Thomas Le Clerc. “They are clearly aware of the importance of such assessments in identifying their risks as well as in being able to evaluate their impact and prioritise them.”