Cybersecurity Assessments and Distinctive Threats in 2026

Strengthen enterprise resilience in 2026 with a modern cybersecurity assessment approach. Address AI usage, OT security, evolving ransomware and nation-state threats, and network visibility to reduce financial, regulatory, and reputational risk.

Modern Cybersecurity Assessments for a New Threat Era

Insufficient cybersecurity risk assessments at many organizations leave unidentified vulnerabilities open to being exploited, weakening security resilience in the face of changing cyber threats. Cybersecurity is an ever-evolving discipline that requires continuous adaptation to effectively protect organizations from rapidly changing threat landscapes. For many organizations, conversations around cybersecurity occur frequently at the executive leadership level in response to major cyber-attacks impacting similar organizations around the world. However, many cybersecurity professionals would attest that most organizations are not investing sufficient resources, time, or capital into properly protecting their organization from cyber risks. In practice, the way many organizations address their own cybersecurity stature and maturity only occurs on an annual basis when performing some variation of a risk assessment, including test work to confirm effectiveness or identify gaps in security controls. Cybersecurity assessments are the foundation of an effective cybersecurity program, and leading organizations regularly invest in and update their assessment procedures to consider emerging risks.

What a Cybersecurity Assessment Is and Why It Is Critical to the Overall Security of an Organization

A cybersecurity assessment is an evaluation conducted by an organization or a third party that assesses the comprehensiveness and effectiveness of implemented security controls in a set of defined domain areas. The manner in which these assessments are conducted differs significantly between organizations, and assessments are often structured based on the company’s industry, location, size, assets, and maturity. Sometimes these assessments are conducted due to regulatory or compliance requirements, while other times they are internal evaluations completed by the IT group to assess changes over the past year or external technical assessments to evaluate security measures against simulated attack scenarios. Regardless of the assessment methodology, cybersecurity assessments should be tailored to the individual organization and should focus on the areas of assessment most impactful for that specific entity.

An effective cybersecurity assessment should identify where organizational needs may differ from standard norms and must encompass the cybersecurity domains that are critical to the organization’s operation. These assessments serve a foundational role, enabling organizations to develop a robust security posture by identifying deficiencies in administrative, technical, and physical controls in the organization’s security environment. Without cybersecurity assessments, organizations lose:

  1. Visibility into the current operating effectiveness of their cybersecurity controls;

  2. Resilience to withstand cyber incidents; and  

  3. Insight into the cyber risks impacting their business and the overall security of their organization. 

As attack methodologies change and threat landscapes shift, it is important for organizations to routinely consider emerging threats and recognize potential new risks likely to impact their organization in the future as part of their cybersecurity strategy.

Critical Cybersecurity Assessment Areas for 2026

AI Usage

With the advancement of large language models (LLMs) and the accessibility of artificial intelligence (AI) tools, the use of AI in business has become commonplace. However, many organizations currently lack awareness of how employees are using these technologies and their impact on the security of their organization.

In any security system, risk is commonly introduced by human error (whether intentional or unintentional). Therefore, regardless of any acceptable use policies or trainings, organizations should assume that their employees are attempting to use AI in a manner that is incompatible with the organization’s standards. As such, organizations should implement technical controls to mitigate the risk of unauthorized AI usage. Technical controls can include data exfiltration protection solutions that block transfers of company data to AI, data tagging on sensitive/confidential information to deter improper use, and limited allow lists to block the usage of unvetted AI solutions. 

Additionally, when AI solutions are used for business operations and to support decision-making, organizations need to have a strong understanding of how the technology functions and the limitations of these solutions. This can be supported by evaluations of how AI models process data and reach conclusions from a process transparency perspective, as well as how the models store/handle user-entered data that may impact the organization’s privacy compliance. Furthermore, organizations should assess AI solutions for bias and consider any AI-generated output with a critical lens, recognizing the need to validate any output prior to utilization (e.g. human in the loop).

Operational Technology (OT) Security

While most organizations recognize the importance of securing their IT network, many organizations fail to sufficiently implement security controls for operational technology. OT comprises the systems and devices (both the hardware and software components) that support physical processes in operation. As OT serves as the foundation for much of the United States’ critical infrastructure, risks to OT can often have significant impacts on health and human safety, as well as operational continuity. Therefore, security controls differ for OT as the priority of these systems is typically focused on availability and reliability due to their function.

Due to the longer lifespan of OT assets, the previously air-gapped nature of these environments, and the knowledge gap of industrial processes by IT groups, there has been a significant delay in the implementation of mature cybersecurity programs for OT systems in comparison to IT systems. Furthermore, federal regulations and security audit frameworks still often lack sufficient inclusion of critical OT security assessment areas. However, over the past decade, there has been some growth in the guidance and regulatory requirements published by governing bodies in response to the increase in targeted attacks by nation-state threat actors. 

Additional risk considerations also exist around how IT and OT environments are segregated or integrated based on the needs of the organization and the compliance requirements for the industry of operation. Organizations should assess their current IT and OT environments to identify any OT specific risks that could impact the security of their operations.

Change in Threat Landscapes

Threat actors continue to develop and utilize new attack methodologies to exploit vulnerabilities in changing target environments. During recent years, there has been a shift in the most prevalent type of cyber incidents due to changes in attack motivations and the expansion of attack surfaces.

With the growing monetary motivation for cyberattacks, the use of ransomware has grown significantly, causing significant operational and financial consequences for impacted organizations. This escalation should serve as a reminder of the importance of security controls for backups and restoration capabilities including redundancy, isolation, and access restrictions. Furthermore, organizations should have well-defined and practiced disaster recovery and business continuity plans that include contingency strategies for ransomware.

Additionally, given the uncertain geopolitical landscape, nation-sponsored attacks are on the rise. This has led to an increase in targeted attacks against critical infrastructure across a range of sectors including, but not limited to, energy, communications, defense, manufacturing, healthcare, and finance. While nation-state actors typically focus on specific targets based on their political motivations, it is important for organizations in all industries to understand how unstable geopolitics could have downstream consequences on their own business and security.

Attack methodologies have also seen a similar shift as new threat actors have entered the space. As previously mentioned, AI is transforming the way that many organizations are operating on a day-to-day basis. This is also true for threat actors; the accessibility of AI solutions has led to a significant increase in ‘low-skill hackers’. These attackers often lack basic understanding of hacking or network architecture fundamentals but are using AI to generate SQL scripts or basic DDoS programs to exploit targets. While most organizations with an average cybersecurity posture can defend themselves against these simplistic attacks, it is important to recognize the possible influx of cyber incidents organizations may face, how this could impact alerting from detection systems, and the role that generative AI will play in the future of cyber-attacks.

Network Visibility

As organizations’ IT environments continue to grow and become more complex, having network visibility across the entire ecosystem becomes an essential security priority. Without full visibility across their environment, an organization cannot protect assets that are not being monitored, which creates network blind spots and increases the organization’s vulnerability and risk. 

With the integration of cloud platforms and solutions into businesses’ operating environments, it is important for IT groups to have a complete understanding of the system architecture across layers. This is further necessitated by the complexities of organizations’ environments with integrated security tools and systems. Additionally, the Internet of Things (IoT) model has led to more internet-connected devices across organizations’ networks, further expanding the attack surface. As with OT assets, it is important for organizations to understand how IoT devices are integrated into their IT environment and how these endpoints are secured to support the overall security of the organization.

Furthermore, with remote work, the risk of shadow IT (unauthorized software, hardware or devices introduced to the network by end users) on corporate networks has grown as system endpoints spread geographically with less physical oversight being maintained. Organizations should ensure they understand their true network size, have sufficient visibility across their IT environment, and utilize cyber monitoring tools to mitigate risk to an acceptable level.

What Organizations Should Do to Improve Their Cybersecurity Program Maturity Throughout the Year

  1. Organizations should recognize that cybersecurity is not a “check-the-box” exercise that can be completed for the year with a cybersecurity assessment. Organizations should consider how cybersecurity and addressing cyber risks fit into their larger business goals and audit planning throughout the year.

  2. IT leadership should assess the coverage of their cybersecurity assessments and determine if there are gaps in the current evaluation of cybersecurity risk, as applicable for their business.

  3. Executive leadership should assess their organization’s current cybersecurity maturity and evaluate the financial, reputational, and regulatory impacts of a cyber incident. Through this lens, organizations should evaluate their need for additional investment into cybersecurity program development, cybersecurity resources, and security technology to protect their organization at a level commensurate with their current risk appetite.

Author

Halle Wasser

Senior Associate, Business Advisory Solutions

hawasser@eliassen.com
