Turning Security Assessment Guidance into Action

October 8, 2021

Security Assessments are a logical first step for organizations looking to improve their cybersecurity practice. Many clients who sign up for these assessments know they have security shortcomings and fully expect to receive a long list of vulnerabilities and recommendations in the final report. However, the vigor with which customers address the vulnerabilities identified in their Security Assessments varies widely. Some clients immediately start implementing the report’s suggested changes in sequence and on an aggressive schedule. For others, however, the list of recommendations can seem daunting and time-consuming, and the report is sometimes set aside in favour of day-to-day tasks. Procrastination in the face of complex or large scale tasks is understandable, particularly when routine tasks compete for a security team’s available time.

However, there are potentially dire consequences for organizations that do not address their cybersecurity vulnerabilities. Unfortunately, we have seen some of those worst-case scenarios firsthand, with clients contacting us in a panic after suffering a data breach that exploited a vulnerability identified in a previous Security Assessment.  

For our part, iON tries to help our customers promptly act on our Security Assessment recommendations in a few different ways. During orientation sessions with clients, we establish that the assessment represents a starting point, not a finish line. We also put the cost of addressing security shortcomings in perspective by pointing out the costs of recovering from a major data breach. According to a recent survey, the average cost of a data breach in Canada in 2021 was $6.75 million per incident1. While this is a staggering sum, it is unsurprising when one adds up the costs of incident response services like containment, forensic and dark web analysis, malware eradication, and service restoration, as well as the losses in revenue from operational shutdowns. Needless to say, when compared to a major breach, the costs of preventative measures are miniscule.  

We have also refined our final report format to further help clients take action sooner. Virtually all cybersecurity consultants provide reports that include a list of vulnerabilities ranked according to a combination of business impact, difficulty of remediation, and/or likelihood. However, our final reports also include suggested steps for remediating each vulnerability, using existing resources wherever possible. This component of our reports requires additional time and effort, but our customers have consistently provided positive feedback for the detailed, actionable remediation guidance we provide. We also offer a road map that focuses on the top three most highly ranked findings that, once addressed, will yield the most significant and immediate improvements to the client’s security practice. 

To achieve a smoother transition, iON also recommends administrators and managers pre-emptively inform staff that changes are forthcoming  and explain that the changes are necessary to improve the organization’s network and data security. In our experience, clear communication with end users about the desired outcomes consistently results in a greater sense of buy-in from employees. 

iON can help with the remediation process through follow-up services like Technology Selection consultations to find the tools best suited to address gaps in the existing security technologies. After major remediations are complete, we can conduct Penetration Testing to evaluate their effectiveness. Setting a date for follow-up services helps to reinforce the timetable for initial remediations and prevent them from being postponed. 

If you’d like to learn more about iON’s Security Assessment service, please reach out to us at