Risk assessments (often referred to as security assessments) are a critical part of any compliance program. More often than not, these risk assessments are required to be performed by an external party.
Hiring a firm to perform a risk/security assessment can be a daunting task. With little to go on we often fall back on the old standbys of contracting a vendor: reputation, size, certifications, etc, etc. And often that results in poor performance or obvious cookie-cutter results. How then should we approach the task of ensuring we get value from our security assessment vendor?
After years of performing risk/security assessments and gap analyses for various companies with different vendors, I’ve noticed some themes and want to share six items to look for when selecting a vendor.
Fortunately, these are items that can be teased out in negotiation long before signing the contract.
This one seems like it should be obvious. Isn’t that what a security assessment vendor should be doing? In theory, yes. However, as you have probably experienced that is not the case most of the time.
Why?
Human nature. Believe it or not, auditors are human too, and with that come comfort zones, preferences, dislikes, and biases. If you have an auditor who came up through the ranks as an accountant or in another non-technical analytical role, you’ll have someone very comfortable with the processes of security who may not understand the nuances of the people or the technology supporting the business.
The same can be said for a highly technical individual with no people skills or the adamant extrovert who crammed well enough on the technical side to pass the PCI QSA test by whiskers.
A good security assessment vendor will have the processes and procedures in place to ensure that, one, only well-balanced individuals are selected to be auditors, and, two, even treatment is given to all aspects of security. Just because an auditor is more comfortable in one area than another doesn’t give them leeway to abandon other areas.
This one is a bit counter-intuitive. Spreadsheets and auditors are like mac and cheese: they just go together.
However, let me ask you one thing. Have you ever had an auditor that you felt truly understood what you did and how you did it? I haven’t. Most of the time they sit across a table with a laptop open entering their responses into a spreadsheet like an automaton.
Sure they’ll ask some questions to get a better understanding, but only enough to answer what the spreadsheet wants to know. Spreadsheets are great for identifying risks in technology or gaps in processes, but what about people?
Here at Cybriant, as at any other good security assessment vendor, the technical questions on the spreadsheets can be asked beforehand or afterwards. What we’re there to do is understand your risks, and that includes what your people do in their daily duties and how they do it. I have story after story of finding major risks to an organization through conversation that a spreadsheet approach would never have caught.
I was performing a security assessment for a college and knew of the locked, secured, shred bins as well as the policies dictating their use.
However, after conversing with a funding representative I had to ask,
“So do you use the shred bin upstairs?”
“Of course I do!” was the response.
Based on other answers I probed some more: “Well, I put the credit card information in this cardboard box beside my desk when I’m done with them, and once a week I dump the paper in the shred bin.”
Need I say more? When considering a vendor try to have a conversation with the auditor who will be assigned to your account. Do they ask good questions? Are they personable?
I wonder if you caught something odd about the story above, other than the glaring PCI violation. As part of a security assessment, we were speaking to a funding representative, not a technical resource.
While technical resources are an absolute must when interviews are concerned, so are the rank and file. Processes, policies, guidelines, standards, security controls, and technology are all good and well, but users have an uncanny ability to destroy all our good work without even trying sometimes.
As such, your assessor must speak with others in your organization. Often external assessors are brought in to verify what the technical staff or leadership already suspects. However, because of our insistence on interviewing non-technical personnel, we have found countless unknown security risks.
When assessing your potential vendor, be sure to ask who is considered an interview candidate. If it’s just technical staff and minimal leadership, back away slowly.
Very similar to the spreadsheet item, there is one thing that seems to elude the vast majority of assessment firms: big-picture thinking.
After performing dozens of security assessments I have realized that most findings can be distilled into what we call Cybriant: Risk Themes. These are overarching risks that are not part of any framework but contribute to the overall security profile.
Examples of Cybriant: Risk Themes are a company culture that ignores security, or a lack of proper network design that exposes several risks. While our assessments do include specific risks, we also include any Cybriant: Risk Themes to help guide the organization towards the most efficient method of addressing the outlined risks.
Ask to see a sanitized assessment: does it address risk themes?
A good security assessor understands technology well enough to provide a roadmap that addresses the most critical findings first and explains how to fix them. This is critical to successfully remediating security risks.
Tell me if this sounds familiar. A security assessment vendor performs a security assessment and you receive a PDF containing page after page of faults with your environment, and that’s it. No recommendations on how to remediate, no path towards completion, and no way of knowing which ones pose the highest risk to your organization.
The security assessment vendor you choose must consider what technology you have in place and the most efficient path towards remediating the identified risks.
However, they can only do that if . . . . .
In previous points, it may have seemed as if I were discounting technical knowledge. Let me squash that rumor now.
A disturbing trend in the security assessment world is the tacking on of technology auditing to other fields such as accounting.
I like my CPA and trust them with my taxes, but I wouldn’t want them to pass judgment on my BGP network. Just because you can sit in a CISSP boot camp and memorize enough to pass the test doesn’t mean you understand the nuances of a system or network design.
This trend results in strict adherence to spreadsheets over any extenuating circumstances, and in the discounting of any client explanation. That in turn results in frustrated and dissatisfied clients.
Above all, an assessor needs to understand technology well enough to understand how your organization uses said technology and any potential downfalls therein. When determining which security assessment vendor to select be sure to have your technical talent probe the assessor for technical knowledge.
Some of the brightest, most capable employees and coworkers I have ever had the privilege to work with do not have college degrees or certifications; yet by what metric do we normally measure a potential employee? The reason we do this is that it is very difficult to assess whether a potential candidate has the “right stuff”, so we fall back on the de facto standard.
The same can be said for how most security professionals choose a security assessment vendor.
Hopefully, I have given you the tools to look past the standard fodder of evaluating security vendors and equip you to ask intelligent questions and look for signs that you have found the diamond in the rough.