At TrustedSec, we get about 400-500 inquiries for security assessments every year. Some of the questions we still hear quite often are:
- Why does our company need to do a risk and security assessment?
- Why can’t we just do it ourselves?
- We already know we’re terrible—why do we need you to tell us that?
There are a lot of answers to these types of questions, so I’ll address a few of them below. Feel free to pick and choose the ones that help you most if you need more ammo to raise awareness with executives or to support further budget considerations.
Hire the Professionals…and Their Team
First off, no one person knows all there is to know about security, compliance, operations, forensics, physical security, governance best practices, etc. So even the best companies, with hundreds of people in security, go through these very same assessments by a consulting firm on an annual basis.
It’s especially important for a company going through a security assessment for the first time to “measure twice and cut once.” As everyone knows, breaches are a big deal these days, and small companies are targeted more and more. Why take a chance with your company and maybe even your job? It’s just not worth it. Assessments help align budget decisions with the people responsible for approving the budget and determining the organization’s risk appetite. Frequently, these decisions are outside the security department’s control or purview of responsibility.
Ensure Proper Investments and Spending
New technology is coming out every day. There are thousands of products, and it’s incredibly helpful to have a team that knows which purchases make the most sense and where things are headed. There’s a lot of potential for misspending and overspending. Nothing hurts worse than telling leadership that you just bought a tool and it’s not the right one, so you have to get something else.
Baseline Your Environment
An assessment baselines your current state. This is important not only to demonstrate all the work there is to do, but also to show executives your progress going forward. Frequently, this is one of the best ways to go, not only because a third party offers an unbiased opinion, but also because the truth often needs to come from someone other than you. It’s been said that when an outside source expresses a problem or issues a directive, it holds more weight and is taken more seriously among executives. Of course, that is not always the case, though we have seen many instances of it.
Defendable Due Diligence
You want to be in a defensible position. What happens when there is a breach? Often someone (read: YOU) gets fired. For CISOs, the average job tenure is around 18 months, according to CSO Magazine. Everyone in the organization needs to be on the same page as to what you’re going to do (and not going to do) based on budget, and what risks need to be remediated, transferred, or accepted. Proper assessments involve executives and other stakeholders, increase their accountability, and let the assessor ask questions that, as an employee, you might not be able to ask.
Every regulatory body either recommends a security/risk assessment or requires it—especially the first time—for the reasons I’ve laid out and more. This includes the SEC regulations, GDPR, PCI, FFIEC, HIPAA, etc. Even some insurance policies will recommend an annual assessment.
One of the additional benefits of an assessment is that a third-party assessor maintains ethical independence and segregation of duties. You don’t want the student grading their own homework, and you don’t want the IT and security team assessing themselves. When companies try to assess themselves, it’s not uncommon for someone from another division to poke holes in the results for this very reason. Third-party assessments help resolve this issue.
One great way to go about gaining approval and budget is to ask your CFO why the finance department doesn’t perform its financial audits itself. The same goes for legal: why do companies have outside counsel when there are lawyers on staff? You can download proven sample contracts online, so why would you need a lawyer? What you’ll find is that both of these departments implement third-party reviews. Security and compliance are some of the biggest business risks companies face, and they need to be treated accordingly.
A strong program needs a repeatable process. It’s essential to have an assessment process in place that maps out critical policies and procedures so it can be repeated going forward. An assessor brings lessons from their experience and training to help you understand technically complex situations, gives improved insight into the cost/benefits of security investments, and ensures nothing slips through the cracks. When you have an assessment for a second time, getting a wide range of knowledge in a repeatable structure, it significantly improves the progress of the program.
Because of the awareness and insights they bring, assessments can potentially lower operational risk losses, reduce capital requirements, and improve productivity by focusing on the most impactful areas. The proper security controls built into business processes have even been shown to improve financial performance. With digital businesses, assessments can help speed time to market by building security in from the beginning, rather than requiring organizations to go back and rework or stop projects due to security flaws or non-compliance.
Indeed, there are more reasons to have a security assessment. Again, use the ones that work best for you and your organization. Good luck and good internal selling!