As the technological landscape continues to change, the security of company data and systems has become a key challenge for IT and cyber security managers. In view of the rise in threats and advances in digitalisation, companies need to be proactive in implementing security measures and carry out regular vulnerability scans, audits and assessments in order to actively review and optimise their own cyber security strategy. Performing a gap analysis can be a crucial and highly effective tool in this context. In this article, we will show you why this is the case and what this means for your corporate security in 2024.
Advances in digitalisation afford companies a plethora of attractive opportunities and open up vast economic potential. At the same time, new risks arise that companies need to confront quickly, consistently and efficiently.
ICT security managementIn addition to the NIST Cyber Security Framework (NIST CSF v1.1), companies in Switzerland should be aware of a raft of other specific guidelines and legislation to enable them to develop a comprehensive and effective security strategy. For example, the ICT minimum standard of the BWL (Federal Office for National Economic Supply) serves as a recommendation for improving ICT resilience. While it is primarily aimed at operators of critical infrastructures, the ICT minimum standard can be applied to any company or organisation.
The importance of a gap analysis for your corporate security
2024 is in full swing and it is already becoming apparent that the cyber threat situation is getting worse, with ever-rising incidences of cyber attacks and «hacktivism». Now is the right time to take a close look at your company’s security practices, and a gap analysis can offer clear added value as you do so. If you are wondering whether and why you should also be considering this for your company, then read on!
Five good reasons in favour of a NIST CSF gap analysis
- Protecting the company reputation
Cyber security incidents not only have the potential to cause significant financial damage and losses, but can also severely damage a company’s reputation. A gap analysis – preferably based on NIST CSF – is essential for successfully reinforcing the trust of your customers, partners and other stakeholders in your company’s security practices.
- Comprehensive assessment of the security situation
A gap analysis enables an in-depth analysis of your company’s current security infrastructure to be performed. By mapping existing security practices to the proven NIST CSF standards, it identifies vulnerabilities and risks and enables your organisation to respond proactively to potential threats.
- ICT minimum standard of the Federal Office for National Economic Supply (FONES)
In Switzerland, the FCA has introduced the ICT Minimum Standard for Positioning to provide a clear framework for the security practices of industry-specific organisations. Performing an analysis against the ICT minimum standard allows a company to successfully compare the security measures it has in place with this standard. By doing so, the precise state of play in relation to the ICT minimum standard can be determined, creating the basis for targeted optimisation measures.
- Fulfilling compliance and regulatory requirements
The requirements for data protection and information security will continue to rise in 2024. A gap analysis helps to ensure adherence to compliance standards. A pleasant (side) effect is that this not only avoids legal consequences, but also strengthens customer confidence.
- Continuous adaptation to new threats
The threat landscape is constantly evolving. A gap analysis helps companies to adapt continuously to new threats. By integrating and incorporating findings from the analysis into the security strategy, companies can ensure that their lines of defence are always up to date.
Railway cyber security (CySec-Rail Directive) from the Federal Office of Transport (FOT)
The railways are no exception to the increasing importance of cyber security. The Swiss Federal Office of Transport has drawn up a directive to assist companies which stipulates, among other things, that companies are required to carry out regular cyber security audits. The CySec-Rail Directive, as it is known, sets out the requirements for protection against cyber threats in Switzerland. By performing regular reviews of information security or audits, companies can implement the guidelines of the CySec-Rail Directive effectively. Regular audits provide information on the areas where information security needs to be improved, and this also requires suppliers and service providers to be taken into account. Identifying deviations, vulnerabilities and risks can help companies ensure that their cyber security strategy meets national standards and thus provides robust and effective protection against digital threats.
Conclusion – and an urgent recommendation
Carrying out a gap analysis in the current year is not just an efficient and sensible measure to ensure compliance with standards. In fact, it is much more: it is a strategic mechanism to protect the future of your company. You can achieve a solid foundation for your company’s cyber security strategy by identifying security gaps and risks, adapting to new cyber threats and meeting compliance requirements. Investments in security are not only worthwhile financially, they also contribute to the long-term stability and reputation of the company.
- FINMA 23/1 compliance
- Swift Customer Security Controls Framework (CSCF) version 2024 – compliance
- Data protection: revised Swiss Data Protection Act
- European NIS2 Directive and Cyber Resilience Act (CRA)
- ISO/IEC 27001:2022
- M365 cloud security
- Incidence response readiness
- Cyber security on the railways (CySec-Rail Directive)
What is the state of cyber security in your company?
A gap analysis will show you where things currently stand and provide full transparency. You will benefit from an overview of your current cyber security situation, a risk assessment, a strengths/weaknesses profile and specific recommendations for action and measures to take. The right time for a targeted minimization of risks in your cyber security is now!