28 November 2023

Understanding the Importance of Gap Assessments as a Governance, Risk, and Compliance Apprentice

Gap Assessments - Applicable to systems, and personal growth!

Jose Velazquez, Associate GRC Specialist

When I first joined the Aquia Accelerator apprenticeship program, I didn’t really know what to expect. I’m not just saying that to say it, either. Before I had the opportunity to join Aquia, I had started down the career path of being an accountant. That background doesn’t prepare you for the complexities of things like gap assessments, but I took it upon myself to understand their importance to an organization like Aquia.

A security gap assessment is a process in which an organization’s current security controls are compared against a chosen standard so that shortfalls, the “gaps,” can be identified. The goal is to find where the organization is exposed to threats or vulnerabilities because a control is missing, only partially implemented, or not operating as intended. Once those gaps are identified, the next task is to decide which security measures need to be put in place, and in what order, to close them. Learning this process gave me an idea of what comes into play within this profession. I was quickly able to tell right from wrong within the governance, risk, and compliance (GRC) realm and, from that, fix the issues presented in the gap assessments. Gap assessments are never a one-time exercise, because the cyber threat landscape, and the standards written in response to it, are always evolving.

Steps in a Gap Assessment

  1. Choose a standard security framework

    Choosing a framework (for example, NIST SP 800-53 or ISO/IEC 27002) is important because it gives you a baseline of best practices against which the organization’s own security program can be measured. Without an agreed baseline there is nothing to be “in a gap” from.

  2. Evaluate people and processes

    This step examines both the team and its processes. From there, information about IT systems, networks, applications, existing controls, and the workforce that operates them is evaluated. Knowing who owns what, and how things actually run day to day, scopes the assessment and makes the later steps easier to execute.

  3. Gather data

    The aim of this step is to understand how effectively the organization’s existing security controls are operating at the time of the assessment. Evidence is collected for each control and then compared with the best-practice standard chosen in step 1, such as ISO 27002 or NIST SP 800-53, rather than judged on its own.

  4. Conduct an analysis

    Finally, the collected evidence is analyzed against the baseline. The output is a clear picture of the strengths already in place alongside the controls that are missing or only partially implemented, prioritized into a remediation plan so the most important weaknesses are attended to first.
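The four steps above amount to a comparison between a chosen baseline and the evidence gathered about each control, so here is an added example of that comparison as code. This is illustrative code written for this post, not an Aquia tool or a NIST artifact. The baseline is a small, hand-picked subset of NIST SP 800-53 controls (the IDs and titles are real; the priority weights, the three-level status scale, and the assessment results are all constructed assumptions for the example).

```python
"""Control-gap comparison in the style of steps 1-4 (added example).

Baseline subset, priority weights, status scale and assessment results are
all constructed for illustration; only the NIST control IDs/titles are real.
"""

from dataclasses import dataclass

# Step 1: the chosen baseline. Illustrative subset of NIST SP 800-53 controls.
# The integer is an assumed priority weight (3 = highest), not a NIST value.
BASELINE = {
    "AC-2": ("Account Management", 3),
    "AU-6": ("Audit Record Review, Analysis, and Reporting", 2),
    "CM-6": ("Configuration Settings", 2),
    "IA-2": ("Identification and Authentication (Organizational Users)", 3),
    "IR-4": ("Incident Handling", 3),
    "RA-5": ("Vulnerability Monitoring and Scanning", 2),
    "SI-4": ("System Monitoring", 2),
    "CP-9": ("System Backup", 1),
}

# Steps 2-3: how much credit each evidence-backed status earns (assumed scale).
STATUS_SCORE = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}

# Constructed assessment results, one row per control with evidence.
# CP-9 is deliberately absent: no evidence must count as a gap, not as "fine".
# PE-3 is real (Physical Access Control) but outside this baseline, to show
# that evidence which maps to nothing in the baseline gets flagged, not scored.
ASSESSMENT = {
    "AC-2": "implemented",
    "AU-6": "partial",
    "CM-6": "implemented",
    "IA-2": "partial",
    "IR-4": "not_implemented",
    "RA-5": "implemented",
    "SI-4": "partial",
    "PE-3": "implemented",
}


@dataclass
class Gap:
    control: str
    title: str
    status: str
    priority: int
    risk: float  # priority * (1 - score); higher means remediate sooner


def assess(baseline, assessment):
    """Step 4: compare assessment evidence to the baseline.

    Returns (weighted coverage percent, gaps sorted by risk, controls in the
    assessment that are not in the baseline).
    """
    gaps, weighted_total, weighted_done = [], 0.0, 0.0
    for cid, (title, prio) in baseline.items():
        status = assessment.get(cid, "not_implemented")
        if status not in STATUS_SCORE:
            raise ValueError(f"{cid}: unknown status {status!r}")
        score = STATUS_SCORE[status]
        weighted_total += prio
        weighted_done += prio * score
        if score < 1.0:
            gaps.append(Gap(cid, title, status, prio, prio * (1 - score)))
    unmapped = sorted(set(assessment) - set(baseline))
    gaps.sort(key=lambda g: (-g.risk, g.control))
    coverage = round(100 * weighted_done / weighted_total, 1) if weighted_total else 0.0
    return coverage, gaps, unmapped


def report(baseline, assessment):
    """Render the analysis as the kind of summary a gap assessment delivers."""
    coverage, gaps, unmapped = assess(baseline, assessment)
    lines = [f"Weighted control coverage: {coverage}%", "Gaps (highest risk first):"]
    for g in gaps:
        lines.append(f"  {g.control:5} {g.status:16} risk={g.risk:.1f}  {g.title}")
    if unmapped:
        lines.append("Evidence not mapped to the baseline (check scoping): "
                     + ", ".join(unmapped))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, ASSESSMENT))
```

The weighting is the point of the analysis step: with this constructed data the organization has eight baseline controls and only three fully implemented, but because IR-4 (Incident Handling) is both unimplemented and high priority it lands at the top of the remediation list, ahead of several partial controls with the same nominal “half done” status. Evidence that maps to nothing in the baseline is reported separately so the assessor can decide whether the baseline or the scoping was wrong, rather than silently inflating coverage.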

The Accelerator program was exactly as it sounds — an accelerated program that tested my ability to learn and adapt in order to prepare me for my career in cybersecurity. I was able to bridge many cracks in my learning and growth by working through gap assessments, understanding what each control was used for, and making them second nature. Aquia provided me with the experience and information needed to further understand why gap assessments are needed in the first place, and the confidence I needed to trust in myself and my ability to learn the material presented. So, for that support as I grow in my cybersecurity career, I am forever grateful.

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.
