Security Audits: Two Unique Perspectives
Independent security audits, such as a penetration test or vulnerability assessment, serve a critical purpose in an information systems security program. Below I offer two distinct perspectives to consider, depending on your role in your organization.
System Administrators
My sincerest condolences. You are the person who, unfortunately, ends up dealing with the results and bears the brunt of the finger pointing. Why didn’t you do this? Why didn’t you know that? I’ve been there. I get it. The fact of the matter is, systems are very complicated today. Even if they don’t seem complicated to you, humor me: draw a quick logical diagram for just one of your applications, tracing the path from the users to the data. Look away from it, then look back. I think you’ll find that most of the time things are more complicated than you think (and you deserve real credit for understanding them).
Therein lies the problem: you get deeply tangled in the 1’s and 0’s of how things are connected and in keeping the systems up and running, but you probably have very little time (and, frankly, little remaining brain power) to do a thorough audit of how secure that one system is. And that’s just one system. Then, when there is a finding, you need to scramble to understand its implications, risk, and resolution. Not to mention the implied “what … you didn’t know that???” from management, the auditors breathing down your neck, and all the “offered opinions” on what you could have done better. Your business’s data is the crown jewel you bear the burden of protecting, and that means ensuring the confidentiality, integrity, and availability of that data. So, let’s be clear: you are one person, you bear great responsibility, and you need help. One of the best ways to get your arms around this (and, frankly, to cover yourself) is to bring in outside help for regular security audits. Yes, it will expose missed patches, weak passwords, questionable architecture, and so on. But not scanning and ethically hacking your own systems does not make those problems go away. It’s like the leaking pipe behind the wall: you will find it one way or another, and it’s far better to find and fix it on your own terms.
Directors / Executives
At the end of the day, you bear the responsibility for ensuring your systems are as secure as possible under your watch. You may not be technical enough to understand the specifics, and that’s OK. What you need is reasonable assurance that your systems are secure, so that you can calculate and accept the business risk associated with the applications and requirements your business demands. Simply put, you are ultimately responsible for all things IT that happen under your watch.
Let’s be clear: as a CIO your personal livelihood is at stake. A major breach, especially one with any indication of negligence, would certainly be a resume-generating event, with questions about what your next move could realistically be. Consider the non-technical aspects: do you have disgruntled employees? Are you training the employees you have to maintain good data and security hygiene? Would you “sleep better” with an independent audit of your environment (“trust, but verify”)? My suggestion is to cultivate an environment of openness and reasonable accountability. You want your system administrators to feel comfortable discussing their concerns with you, without feeling that they will be held to the fire or that a mountain will be made out of a minor concern, but you do want them to correct problems and propose improvements. Understand that your system administrators work incredibly hard, with incredibly complicated systems, to keep your business running. Maintaining openness and understanding also allows the third-party dialog to happen more effectively: an independent set of eyes audits the environment and openly exchanges information about the state of your systems, and then you plan together how you will mitigate or accept that risk.
If you have any questions about how a security audit is conducted or what benefits you will realize, or if you are ready to get started, please contact your account manager or give us a call. We’re happy to talk with you about it.