Why a Gap Analysis is Crucial for Corporate Security

Author
Markus Limacher
Published
01. February 2024

As the technological landscape continues to change, the security of company data and systems has become a key challenge for IT and cyber security managers. In view of the rise in threats and advances in digitalisation, companies need to be proactive in implementing security measures and carry out regular vulnerability scans, audits and assessments in order to actively review and optimise their own cyber security strategy. Performing a gap analysis can be a crucial and highly effective tool in this context. In this article, we will show you why this is the case and what this means for your corporate security in 2024.

Advances in digitalisation afford companies a plethora of attractive opportunities and open up vast economic potential. At the same time, new risks arise that companies need to confront quickly, consistently and efficiently.

ICT security management

In addition to the NIST Cyber Security Framework (NIST CSF v1.1), companies in Switzerland should be aware of a raft of other specific guidelines and legislation to enable them to develop a comprehensive and effective security strategy. For example, the ICT minimum standard of the BWL (Federal Office for National Economic Supply) serves as a recommendation for improving ICT resilience. While it is primarily aimed at operators of critical infrastructures, the ICT minimum standard can be applied to any company or organisation.

The importance of a gap analysis for your corporate security

2024 is in full swing and it is already becoming apparent that the cyber threat situation is getting worse, with ever-rising incidences of cyber attacks and «hacktivism». Now is the right time to take a close look at your company’s security practices, and a gap analysis can offer clear added value as you do so. If you are wondering whether and why you should also be considering this for your company, then read on!

Five good reasons in favour of a NIST CSF gap analysis

  1. Protecting the company reputation
    Cyber security incidents not only have the potential to cause significant financial damage and losses, but can also severely damage a company’s reputation. A gap analysis – preferably based on NIST CSF – is essential for successfully reinforcing the trust of your customers, partners and other stakeholders in your company’s security practices.
  2. Comprehensive assessment of the security situation
    A gap analysis enables an in-depth analysis of your company’s current security infrastructure to be performed. By mapping existing security practices to the proven NIST CSF standards, it identifies vulnerabilities and risks and enables your organisation to respond proactively to potential threats.
  3. ICT minimum standard of the Federal Office for National Economic Supply (FONES)
    In Switzerland, the FCA has introduced the ICT Minimum Standard for Positioning to provide a clear framework for the security practices of industry-specific organisations. Performing an analysis against the ICT minimum standard allows a company to successfully compare the security measures it has in place with this standard. By doing so, the precise state of play in relation to the ICT minimum standard can be determined, creating the basis for targeted optimisation measures.
  4. Fulfilling compliance and regulatory requirements
    The requirements for data protection and information security will continue to rise in 2024. A gap analysis helps to ensure adherence to compliance standards. A pleasant (side) effect is that this not only avoids legal consequences, but also strengthens customer confidence.
  5. Continuous adaptation to new threats
    The threat landscape is constantly evolving. A gap analysis helps companies to adapt continuously to new threats. By integrating and incorporating findings from the analysis into the security strategy, companies can ensure that their lines of defence are always up to date.

Swiss guidelines for cyber security

The requirements for data protection and information security will continue to increase in 2024. Important legislative amendments affecting the critical infrastructures of electricity and gas supply and public transport are underway, including the binding implementation of minimum values.

Railway cyber security (CySec-Rail Directive) from the Federal Office of Transport (FOT)

The railways are no exception to the increasing importance of cyber security. The new regulations based on Art. 5c of the amended Swiss Ordinance on the Construction and Operation of Railways (EBV) will come into effect on July 2024. The amended EBV obliges railway companies to set up an information security management system (ISMS). That being so, the Swiss Federal Office of Transport has drawn up the directive known as the CySec-Rail Directive, defining seven minimum requirements for an ISMS and 29 measures that must be implemented. Periodic information security audits are required to verify compliance with the regulations.

By performing regular reviews of information security or audits, companies can implement the guidelines of the CySec-Rail Directive effectively. Regular audits provide information on the areas where information security needs to be improved, and this also requires suppliers and service providers to be taken into account. Identifying deviations, vulnerabilities and risks can help companies ensure that their cyber security strategy meets national standards and thus provides robust and effective protection against digital threats. 

Cyber security in public transport

Supplier audit of the NOVA platform (audit of suppliers) for the users of the systems connected to NOVA and their users (NOVA users).

The Alliance SwissPass agreement (Ue500, section 4.2.4) requires the stipulations for cyber protection and data security to be complied with in the public transport sector. Security audits of the service providers are needed to verify compliance with these stipulations. Various measures of the ICT minimum standard (see V591 for details) need to be implemented. 

Electricity sector (StromVV)

The revised Swiss Electricity Supply Act (StromVV), which is expected to come into force in July 2024, is of particular importance for all electricity suppliers. The StromVV requires grid operators to implement different minimum requirements depending on the amount of electricity transported based on the protection level (A ≥ 450 GWh/year; B ≥ 112 GWh/year and < 450 GWh/year; C < 112 GWh/year). A transitional period of 24 months applies. Annual audits are to be carried out to verify the implementation status.

Gas supply (GAS 2.0)

The amendment of the Swiss Ordinance on Safety Regulations for Piping Systems (RLSV; SR 746.12) aims to make the ICT minimum standard, with its different requirements in terms of the protection level, binding and is expected to come into force on 1 July 2025.

As is the case in the electricity sector, the revised ICT Minimum Standard for Gas Supply 2.0 (Chapter 5.2) creates three protection levels (A, B and C) based on two main criteria: the pressure of the network or system (bar) in conjunction with the length of the pipeline (km) and the amount of energy transported (GWh/year). Each protection level corresponds to a specific maturity level. Operators of gas systems (pipeline systems) with a pressure of more than 5 bar and a pipeline length of more than 15 kilometres are automatically allocated to protection level A. For other gas network operators, the average value of transported energy over the last five years is taken into account (A > 2,600 GWh/year; B > 400 GWh and ≤ 2,600 GWh/year; C ≤400 GWh/year).

The minimum requirements differ from the StromVV only in that the StromVV prescribes higher minimum values for protection level A.

Conclusion – and an urgent recommendation

Carrying out a gap analysis in the current year is not just an efficient and sensible measure to ensure compliance with standards. In fact, it is much more: it is a strategic mechanism to protect the future of your company. You can achieve a solid foundation for your company’s cyber security strategy by identifying security gaps and risks, adapting to new cyber threats and meeting compliance requirements. Investments in security are not only worthwhile financially, they also contribute to the long-term stability and reputation of the company.

  • ICT minimum standard (electricity, gas, public transport)
  • FINMA 23/1 compliance
  • Swift Customer Security Controls Framework (CSCF) version 2024 – compliance
  • Data protection: revised Swiss Data Protection Act
  • European NIS2 Directive and Cyber Resilience Act (CRA)
  • ISO/IEC 27001:2022
  • Crypto-agility
  • M365 cloud security
  • Incidence response readiness
  • Cyber security on the railways (CySec-Rail Directive)

What is the state of cyber security in your company?

A gap analysis will show you where things currently stand and provide full transparency. You will benefit from an overview of your current cyber security situation, a risk assessment, a strengths/weaknesses profile and specific recommendations for action and measures to take. The right time for a targeted minimization of risks in your cyber security is now!

More about the gap analysis

Share article