A thorough outside assessment is a critical step in any cybersecurity strategy. Here’s what every business should learn from one.
1. Where Are Our Processes Not Working?
Good security is a marathon, not a sprint. The way to win the race is by implementing solid security controls with repeatable processes and consistently maintaining them. Make sure the assessor isn’t fixated on finding that single server with an expired certificate. He or she should look for the places where you’re making the same errors repeatedly, because a recurring error points to a broken process rather than a one-off mistake.
2. Are We Managing Identity and Access Management Correctly?
Patching, audits, event management — it’s all important. But a huge number of data breaches track back to poor IAM practices. Ask for a detailed look at your IAM procedures, tools and management. An independent assessment here targets your No. 1 vulnerability: people.
3. Where Is Our Architecture Obsolete?
Security is constantly changing. Most businesses’ application and network architectures are outdated. Approaches such as microsegmentation are not new ideas, but only recently have they become the standard in data center design. Find the areas where the security ground has shifted, then reconsider and redesign if appropriate.
4. Is This the Forest or the Trees?
Any assessment has to poke deep into the details — so, yes, that security vulnerability in your maintenance scheduling application is important. But much more valuable is knowing the big picture: Where are you doing a good job and where do you need to improve your security posture and practices? Listen carefully to what the assessor has to say here.
5. What Can We Do Ourselves After the Assessment?
A big chunk of the value of most assessments comes from the experienced person who interprets the output of the automated tools. That interpretation is what you’re paying for, so insist on a knowledge transfer from the assessor to your team, so that you understand how to keep yourselves safe between regular assessments, which you should continue to schedule.