Why You Should Welcome an Outside Security Review
Tim Weidman
More than once over the years, we have been retained to perform a security review and encountered reluctance on the part of technology staff or the manager of a particular department.
In one case, when I started the interview with the CIO for a HIPAA analysis, it was an extremely short conversation: we were informed that under no circumstances would anyone from outside the company be privy to information regarding the networks or technology managed by his team. This was despite the fact that the management team and legal counsel had requested the review and asked for cooperation. In that case we actually abandoned the engagement, as without some cooperation from the internal tech team it would be difficult or impossible to meet the requirements as stated.
Fast forward a couple of years, and we often see these organizations hit by ransomware and other successful cyber-attacks causing massive damage and sometimes millions of dollars of loss. I am NOT assuming that if we had been allowed to perform the review to the fullest extent the attacks would have been avoided. There is no “guarantee” against cybercrime. I AM saying that unwillingness to have a third party review your security is no longer an acceptable cyber-defense strategy, and without it you are accepting a much higher level of risk.
We see the devastating impact of attacks on organizations big and small, and the consequences are staggering, not to mention incredibly expensive. The investment of time, money, and hassle you need to put into an outside security review is nothing compared to the cost in time, money, and hassle of a breach, to say nothing of the permanent loss of employee, customer, and vendor credibility that can follow if your defenses are breached.
Security reviews should be done on a regular basis by all organizations. If you are a HIPAA covered entity or a government contractor, need to be PCI compliant, or are part of the financial and accounting industry, this is already required.
The SEC has also recently signaled that it is taking cybersecurity more seriously than it has in the past. It indicated that the agency views lax cybersecurity as an existential threat to business and is willing to penalize companies that fall short.
So far, in most cases you are able to “self-certify” your own security, but here is why it is a better idea to bring in an outside consultant:
- Time: Unless you have resources sitting idle, performing an internal security review on a regular basis is going to put a strain on your internal staff. This leads to rushing through the process, skipping important steps, and taking shortcuts. If you are serious about security, there are no shortcuts, and an effective review requires the person-hours to do a thorough job. More likely still, it leads to the review being postponed indefinitely and never actually happening.
- Specialization: Your internal technology staff may (or may not) study cybersecurity, but unless you have dedicated professionals on a cybersecurity team on staff, they are not going to be able to keep up with the changes in the security landscape. New threats emerge daily, and the defenses that worked even a few weeks ago may not be the right choice now. It is difficult enough to keep up when security is your main focus. If cybersecurity is only one part of a much broader role as technology professional, IT Director, or CIO, you will most definitely fall behind.
- Perspective: Multiple viewpoints are important in all technology work, but with security in a constantly evolving state there are always diverse and often conflicting opinions on what is secure. This is healthy discussion, and the points where the external reviewer differs from you or your internal tech staff are an excellent opportunity, as a decision maker, to learn more about the security controls you have in place and why they matter before deciding how to proceed.
There are other benefits and considerations which make this not only a good idea, but vital to your success and potentially to your very survival as an organization.
Our team conducts non-invasive, effective reviews of almost any type of environment. If you would like to learn more, please give me a call or drop me an email, and I would be glad to discuss further.
Thanks and take care,