As the number and severity of security breaches in companies and organizations increase, and with them the consequences, both financial and for the people involved in a breach, the focus of many a director or board is shifting to preemptive measures in their infrastructures. In this article I will give you two perspectives on security assessments: one as seen by you, the customer commissioning an assessment, and another as seen by you, the security consultant performing an assessment for a customer. I do this because giving you, as a customer, the perspective that a consultant arrives with will give you more insight into why certain questions are being asked. If you are the consultant, I hope to give you some tips on why a customer might be asking for a security assessment, and why the customer is asking for an assessment of a specific area of the infrastructure, hopefully only a single area…
The fictitious customer I have in mind here is an energy company. I have chosen energy because energy companies, at least in Denmark, have regulatory and compliance requirements attached to them. Most companies will have some form of compliance to deal with; if your company is not one of them, you are one of the lucky ones.
The board of directors has directed IT to have a security assessment done on the company's infrastructure, to be used as the basis for a budgetary decision. A standard reason for an assessment. Now, the directive just asks for an assessment of the infrastructure. An infrastructure consists of many moving parts: network, datacenter, databases, applications, telephony, CRM, ERP and so on. Any self-respecting CIO, or CISO, will know that a full infrastructure security assessment will take a long time and cost a lot of money! Hopefully, they will go back to the board of directors and ask some questions about the reasoning, so that the assessment can be limited to just the areas that are of concern to the board. Telling them the cost of a full infrastructure assessment will usually be enough to make them reconsider and focus on the area of concern.
Any security assessment should be based on a previous risk assessment of the parts of the infrastructure that are core to the business. Without a risk assessment, a security assessment will give you much less value than one that is based on a risk assessment. Any security consultant worth his salt will ask you about the identified risks to the infrastructure during the initial engagement. Any risk assessment should in turn be based on the compliance and regulatory requirements for the company or organization. If the risk is to the maintenance of an ISO 27001 certification, then the assessment should be based on that risk and related to the objectives of ISO 27001. The complexity of any modern business makes the job of the security professional, whether a security technician or a CISO, challenging, and it will likely continue to get harder in the coming years. Before going outside the business to get a third-party consultant to do a security assessment, you must decide on the goal of the assessment, as well as the area of the infrastructure the assessment should focus on. Aside from making sure that you get the maximum benefit from the assessment, it will also make communication with the third party easier and focused on the needs of the business.
You will undoubtedly still get a lot of questions from the consultant. Take these questions as they are intended: as a means for the consultant to make sure that you and your company have thought through the purpose of the assessment, and as a way for the consultant to scope the assignment before giving you a price for the engagement.
For a consultant, being asked to do a security assessment for a customer can, depending on the customer, be a huge challenge. As mentioned above, many customers will be in doubt as to how a security assessment will help them secure the infrastructure, or which areas of the infrastructure an assessment should focus on. As consultants it is our job to help the customer firm up their understanding of the issues they are facing. Hopefully, the customer has done a risk assessment, or has at least some insight into the risks they are facing.
As security consultants, we spend our daily lives looking at security issues, whereas our customers are focused on the daily tasks of keeping the infrastructure running. Security is not at the forefront of their minds, as opposed to us, who live security. We are the specialists in cyber security; they are the specialists in their business, and if we are to provide them with advice and services that fit their needs, we absolutely must understand their business. The challenges and risks facing a production company are different from those facing a software development company, which are different again from those faced by a financial institution. Regulations and compliance issues will also differ between business types. What is the cyber security maturity level of the customer? A financial institution is undoubtedly going to be higher on the maturity scale than a production company.
Who we are talking to in the company hierarchy is going to make a difference as well. If we are talking to the technicians, we can talk firewalls, ports and malware; if we are talking to the businesspeople, the language we use must be different. The businesspeople do not understand the technical language, but they do understand risk, since they deal with that concept daily. Adjusting the language to the audience is a key skill for a consultant! So, a customer has asked us to do a security assessment; how do we approach the initial meeting? We ask why, for starters: why are they asking for a security assessment? The answer here will set the scene for the rest of the meeting. If the assessment is part of a larger effort at the customer, then we will have to ask questions about that effort in order to align the assessment with it. Is it because they have had an incident and want some insight into their vulnerabilities? Are there regulations governing their business that the assessment must take into account? All these questions will have an impact on the scope and content of the assessment!
Finally, there is the report to the customer, after the assessment is finished. The report is the product the customer is left with after the fact. There are questions we need to ask in this regard as well. Who is the report for? This brings me back to the language question from earlier in this article. Who are we addressing in the report, technicians or businesspeople? Depending on the answer, we might have to produce two reports, one for the technicians and one for the businesspeople, unless we can produce a single report in two parts. Communication is key for us as consultants. If we cannot communicate the risks and threats we have found, then we will not be taken seriously by the customer, leaving the customer at risk and us out in the cold. Not a happy outcome for any of us.
So, what have I been trying to communicate here? Customers have their own priorities, and we as cyber security consultants have our focus on security. Fortunately, or unfortunately, cyber security is becoming a bigger and bigger issue for businesses around the world, making our services a requirement for most businesses. As a customer, you will have to be in control of your infrastructure in order to protect it as best you can. As consultants, we absolutely must be able to understand the business environment of our customers. As a customer, provide the consulting company with information on the subject of the meeting; that way, the right person will be brought to the meeting. This is no guarantee, of course, but if the consultant is asked a question he or she cannot answer, then they will hopefully say so and ask one of their colleagues with knowledge in that area. As a consultant, ask questions of the customer! We will be brought in as consultants in many different business areas, and asking questions of the customers will earn us their trust, because it shows that we are interested in the challenges they are facing! If both parties ask questions of one another, then together we can scope the assessment to fit the needs of you, the customer. As a customer, you can then be safe in the knowledge that you will get a report you can use going forward, and the consultant will gain additional knowledge of the business area the customer operates in. All the consultants I know revel in gaining additional knowledge, so it will be a win/win for both of us, customer and consultant.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and has held several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISC, CCSP, CDPSE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, "Security Architecture - How & Why".