NFPs looking to achieve best practice in their security operations will already be performing formal cybersecurity assessments, including penetration tests, on a regular basis. But despite the expense of these assessments, and the valuable insights they offer, too often the resulting reports end up gathering virtual dust.
Every specialist cybersecurity provider will have stories of presenting their findings to a customer, only to have that customer immediately ask for a quote to fix the issues discovered, and then get annoyed when the provider explains that they are not in the business of fixing security vulnerabilities, just finding them. CIOs and IT Managers can end up feeling they are in a worse position than before the assessment: they now know about the problems, but have no clearer path to resolving them.
Anyone who has ever paid for a property inspection will know the feeling. The company performing the inspection provides a detailed list (with photos!) of every fault and maintenance issue – bad plumbing, leaking roofs, mould, termites, etc. – but fixing those issues is simply not their core business. Inspectors are not carpenters, plumbers or mechanical engineers; it is up to the owner to locate and hire tradies to fix the problems.
Confronted with a daunting list of new security vulnerabilities to address, whilst struggling with an existing portfolio of projects and day-to-day issues, and with IT teams already at capacity, CIOs can simply find themselves unable to respond effectively to the reports they have commissioned. With a bit of luck, there will be a couple of high-impact, low-remediation-effort issues that can be addressed quickly; the rest of the report is then shelved until “there is more capacity available”, which in practice may never arrive.
Top 5 reasons why NFPs ignore their Cybersecurity Assessments:
- Misunderstanding the role of Cybersecurity Providers – Most cybersecurity firms are still primarily finders, not fixers, and are not well placed to remediate all the vulnerabilities their assessments discover. The industry is changing, with more sophisticated security providers offering targeted projects and managed security services, but NFPs will still need to close many of the remaining gaps themselves.
- Security Remediation is more than Technical Tweaks – The low-hanging fruit from any cybersecurity assessment will be the one-time technical updates that your own IT team can push out to your environment: a patch, a version upgrade, a configuration change. But many remediations call for wide-ranging changes to infrastructure and process, and those processes typically span the whole organisation, requiring coordinated effort across HR, Finance, Procurement and IT.
- Internal IT Teams lack Capacity, not Capability – Most internal IT departments are already operating at capacity, particularly in the NFP sector. Even in organisations lucky enough to employ highly capable technical staff, keeping the lights on and delivering mandatory projects can mean that additional security remediation work is a bridge too far.
- Capability can be an Issue – Capacity is always a factor, but in truth some security remediation work is technically complex and may require IT teams to take on new and unfamiliar services and solutions. Not every NFP has those skills available in-house.
- Cost to Remediate – The need for improved security in the face of growing global cyberthreats is increasing the demands on IT budgets, and doing more with less can only go so far. Responding to emerging security threats calls for new products, new skills and training, new processes and new reporting. CIOs have been flagging to their boards that IT will need to consume a larger percentage of revenue, but NFPs do not always have the room to meet those growing demands.
How can Bluescale Help Your NFP?
If you’re sitting on a list of recommendations from your latest cybersecurity assessment that you are struggling to progress, Bluescale can work with you and your existing IT team to review, prioritise and remediate your unaddressed cybersecurity vulnerabilities.
Bluescale’s targeted remediation projects and managed services are designed to relieve the pressure on your internal IT team and free them up to work on higher-priority projects and new business requirements. Some of the core Bluescale offerings that can make a difference include:
- Microsoft Patching for PCs and Servers
- ACSC Essential Eight Vulnerability Management for Endpoints
- Level 1 Service Desk Services
- PC Lifecycle Management – Procure, Build, Deployment, Recover, and Dispose
- Security Awareness Training Management
- Mobile Device Lifecycle Management
- Backup and Disaster Recovery as a Service
Get in touch with Bluescale today and find out how we can help you respond to your latest cybersecurity assessment.