Penetration Testing, Cyber Security

How to test your organisation's security effectively and take measures to protect yourselves.

Written by

Craig Moores

Published on

3 Sep 2020

The cyber threat landscape is changing rapidly, driven largely by increased attention from threat actors seeking to profit from breaching or compromising an organisation's data. This has shifted organisations' appetite and tolerance for managing cyber risk and, more importantly, raised the need to understand their actual cyber risk exposure. Having identified their existing cybersecurity posture, organisations need to prioritise which risks matter most, particularly when deciding where to direct remediation effort.


SC Magazine speaks to Craig Moores, Risk Advisory Practice Director at SureCloud, to gain his expert insight. Here are his comments in full:

So, what can organisations do to combat this threat?

For security initiatives to be effective, organisations need to know the threats to their business operations and understand the risks. In a technology-led world, many organisations focus on the security of the technical environment and take a traditional approach to identifying their vulnerabilities using scanning tools and penetration testing. To achieve a pragmatic balance of technical testing and holistic cybersecurity governance, initiatives should consider the whole organisation and encompass people and processes as well as technology.

Typically, for an organisation to test its security, it is considered best practice to start at the outside of the environment and work your way in. This way, organisations can deal with what is often considered most important, the external threat. But what about protecting what really matters, the data, from what is often ill-considered, the internal threat? Malicious or non-malicious, experience shows that insider threats are more commonly responsible for organisational breaches.


With this in mind, how do organisations take measures to protect themselves?

Essentially, by starting with the basics.

Even before understanding the detail of their cyber risks, organisations are best positioned to protect themselves by carrying out the basics well. Often referred to as ‘cyber hygiene’, routine tasks such as patching vulnerabilities and keeping software up to date, training staff on the importance of information and data security and considering security within normal business processes all give organisations a fighting start.

However, these can often be the most difficult to execute due to the dependencies organisations place on resilient operations. To ensure that threat mitigations are effective, organisations should implement pragmatic, manageable security controls that are based on risk. There is a range of recognised control frameworks, including the NIST Cybersecurity Framework and ISO 27001, but what is most important is that control implementations are embedded within business-as-usual activities to create a robust and efficient security culture.

One area that is consistently neglected relates to identifying and managing risks within the supply chain, particularly in understanding the dependencies organisations have on third parties and how the services they provide can impact on business operations. With more organisations adopting an outsourcing model, it is essential that this is governed by a robust third-party assurance programme to manage the related risks.

Alongside control implementation, organisations should decide on appropriate measurements and metrics to benchmark improvements and continue the management of an acceptable level of risk.



How do these activities form part of an ongoing security culture?

Make sure security controls work together: by using vulnerability scanning tools and manually-led penetration testing to identify and remediate weaknesses, organisations can identify trends that can be used to inform changes to business processes to prevent recurrence. These can also be used as opportunities to educate key stakeholders by conducting regular, targeted security awareness, either through ongoing security training or, for more mature organisations, by considering simulated phishing attacks or red teaming activities.

From SureCloud's recent surveys and broader experience, security culture mostly relates to identifying what is 'normal' within an environment and implementing controls to detect that which isn't. It is vital to define incident management plans and playbooks for responding to incidents and events, and to ensure these are tested using walkthroughs and simulated exercises to gain assurance that they are robust.

But most importantly, ensure that all stakeholders are considered throughout the security lifecycle. From operational teams to senior leaders, security culture needs to be considered for every area of the business.

SureCloud’s final thoughts and key takeaways:

  • Understand the threats posed to the organisation and identify the risks. To achieve a balanced approach, organisations should target security controls that include people, processes and technologies – including key third parties.
  • Adopt a blended approach to security management that improves the maturity of the whole organisation.
  • Don’t try to solve all of the problems at once! Begin with high priorities and/or quick wins and aim for a higher level of overall security effectiveness as opposed to pockets of strength.
  • Don’t re-invent the wheel – security initiatives are most effective when the organisation considers these to be a part of their business-as-usual activities.
  • The most effective controls are those that originate from, and develop, organisations' people.
  • Measure the effectiveness of controls and identify and implement improvements where required.
  • Plan for disasters so that incidents don’t become a disaster.

“Remember, everyone has a role in protecting your organisation from cyber threats, and you will need everyone to be part of a continual cycle of operating security controls, testing for weaknesses and implementing improvements.” – Craig Moores, SureCloud.