Hiring a Security Consultant? Think Outside the Assessment Box

Background

Given the security headlines of today, executives routinely ask me what they can do to shore up their defenses, and more often than not, how to commence new security programs. The logical starting point for many corporations seems to be commencing with some type of security assessment. Examples include security scans, penetration tests, social engineering attempts, and other digital poking and prodding around one’s operational infrastructure.

Jumping straight into an assessment is somewhat akin to making an appointment with your doctor, and promptly demanding an elbow X-Ray. Such diagnostic procedures are limited in scope, and examine the “as-is” state of one’s body. In other words, it’s a report on how your body looks today; not a prescription of where it should be tomorrow.

 

Assessments in the Real World

As noted, leaders seeking to establish new security programs often start with these highly technical security assessments, which typically go something like this:

  1. As a leader, you’re concerned about your organizational security posture, and decide to do something about it.
  2. You contact a security firm, who parachutes in some highly skilled “whitehat hackers” to “ethically” infiltrate your digital footprint.
  3. After significant investment in time and money, these hired guns eventually provide some type of “findings report.”
  4. This report at best confirms (and at worst exacerbates) your fears, demonstrating you do in fact have numerous vulnerabilities.
  5. As the consultants exit the building, you’re left with a gigantic laundry list of problems, with little remediation assistance to speak of.

Don’t get me wrong, assessments aren’t all bad. Enduring a third-party security review is a good way to confirm your security posture is functioning as intended, and is often a requirement in many compliance programs. Additionally, assessments can affirm the presence of issues, which is an excellent way to justify security funding to corporate board members, budget committees, and other holders of financial pursestrings.

Assessments aren’t bad, but they’re not where you want to start your security program.

 

It All Starts with Strategy

Which is better: a single security photo, or perpetual access to security cameras with (archived) live feeds? In other words, why invest time and money in an assessment that paints a picture frozen in time, when you can instead invest in long-lived security infrastructure that delivers continuous value?

Having a strategy around information security essentially means you can prioritize. It means you can focus your finite time and money on what matters most, while tabling the other lower-value-add activities for another day. Moreover, having a strategy means that each and every investment you make in security lends incremental benefit towards achieving improved security posture. Let’s revisit the “single photo vs security cameras” analogy as an example.

If your strategy is to protect corporate intellectual property and safeguard the reputation of your brand, then part of your security strategy should include proactive security monitoring. It may be that the same amount of time and money invested in a one-time security assessment could instead provide SIEM-as-a-service, or perhaps managed vulnerability scanning for an entire year. Driving towards a security strategy requires an understanding of your business at hand. It also requires a trusted partner to guide you with threat-modeling and general risk management techniques.

A security program is analogous to collection of puzzle pieces which compliment each other. Each and every investment you make should solidify and connect these pieces. The holistic picture overlaid across all puzzle pieces represents your strategy. Without this overall picture, we’re just moving random pieces across a featureless board.

Leave a Reply