Article: What is the true value of a security assessment?
These days, a Chief Information Officer has more problems to deal with than he or she has the budget or the time to address. The explosion in the number of end-user devices to support has easily doubled the support demand placed on IT operations functions. The move to hybrid public/private cloud environments has significantly complicated network engineering and monitoring functions. Advanced security monitoring solutions have easily tripled the workload of many security teams. Every week brings the community a new challenge to address, and it’s easy to see it all as overwhelming, especially when the CEO wants the IT arm to deliver infinite operational capacity to the P&L centers, 24x7, world-wide, for less money. With that kind of pressure, why would any CIO spend precious time, effort, and money on a third-party security assessment?
There are two primary reasons. First, companies arrange external security assessments to satisfy their compliance and governance requirements. Industry best-practices have proven that an analysis performed by a neutral third party is essential to identifying vulnerabilities that might otherwise be masked or downplayed during an internal audit. These independent parties help assure stockholders and market analysts that the company can be trusted.
Second, and more importantly to the CIO, an external security audit helps to identify existing and potential vulnerabilities that the company’s own IT workers may have missed or misunderstood. You can’t remediate a vulnerability or reduce a risk that you don’t know about. A separate set of trained eyes can find problems that your people don’t or can’t recognize due to cultural blind spots. A strong assessment also comes with prioritized recommendations for attacking the identified vulnerabilities so that the CIO can immediately launch action plans to secure his or her operating environment.
Some companies argue that a third-party assessment isn’t necessary; “If we’ve hired fully-qualified IT staff, then we already know all of our points of vulnerability. We don’t need some outsider to tell us what we know.” There is some merit to that point. The better that the in-house staff members are at cyber security, the more problems they’ll be aware of. That said, understand that there’s no such thing as an organization that possesses absolute situational awareness. New vulnerabilities appear every single day due to factors far beyond our control. Users constantly make innocent decisions that expose previously-secure systems to existing threats. The landscape shifts under everyone’s feet. Complacency is as much a threat to operational reliability as professional hackers are.
Other companies argue that an assessment isn’t necessary, so long as they have up-to-the-minute threat and vulnerability intelligence. They’ll solve their own problems in their own time. There’s some merit to that point, too. Many companies do have the staff and budget to adequately mind their own business – once they’re aware of a threat. That said, it’s impossible to configure everything exactly right every time. Even the greatest minds in the field make mistakes, and a simple mistake is all that’s required to give an adversary a way inside your network.
If you look objectively at the arguments against conducting external security assessments, it’s clear that they both involve pride. Professional pride is nothing to be ashamed of. We’re all proud of our great people and excellent technology solutions. Pride, however, is a definite liability when it comes to cyber security; responsible risk management means dealing with the unpleasant truth. The mantra for cyber security professionals everywhere is “You can’t fix a problem that you don’t know exists.”
That’s why external security assessments require full-spectrum penetration tests. Checklists and audits are useful. Configuration checks are useful. User education is useful. All parts of an assessment contribute to a better security posture. Only a live penetration test, though, can remove all doubt from the equation. If the Red Team manages to break into your production network anywhere, then you absolutely have a problem.
That’s why responsible CIOs, CISOs, and CEOs enthusiastically embrace external security assessments: the results of a successful penetration test can’t be argued with, can’t be denied, and must be fixed. Yes, some people’s pride will be bruised in the process (especially if the breach succeeded because of a preventable error). The company might lose some faith in the IT department as a result of the auditor’s report. That’s an acceptably small price to pay, however, for an actionable plan to mitigate the existing problems. Doing right by one’s shareholders, partners, and customers means fixing problems – not denying them.
Think about the executives who recently had to sheepishly admit that they could have addressed the vulnerability a bad guy used to breach their network and steal their critical data, if only they’d known about it in time. They’d give anything to be able to go back in time and take a more pragmatic approach to securing their systems and networks…but they can’t. In every major corporate and government breach, a critical vulnerability lurked somewhere in the production network – one that could have and should have been neutralized. A bad guy found and exploited that vulnerability before the good guys could address it. If only they’d known…
That’s the true value of a comprehensive security assessment: awareness of actual, exploitable vulnerabilities on your live environment. It’s the knowledge of exactly what you need to fix right now. Contact Fulcrum Technology Solutions today to arrange your company’s external security assessment.
The Fulcrum Difference
At Fulcrum Technology Solutions, we differentiate ourselves from other technology- and business-consulting firms with a unique guarantee: when you hire Fulcrum, we commit to finish the job. Whether working under a time-and-materials contract or a cost-plus arrangement, we will not leave until we’ve delivered exactly what we said we’d do. Our word defines us, and motivates us to give you the service that you deserve!