When you run your business day in and day out, it can be difficult to see small imperfections in your operation. One of the critical areas that can go unchecked is the maintenance of your company’s security posture. An evaluation of that posture can be conducted internally, but when it is performed by a third-party vendor, the risks and vulnerabilities that exist are identified from a more objective point of view and can be addressed faster and more appropriately.
Why Perform a Third-Party Security Evaluation
If you designed your systems and networks yourself, it can be challenging to be truly objective when reviewing those designs and implementations for gaps and weaknesses. Cyber security may also be an additional duty for people at your company rather than a core competency staffed with cyber security experts. Companies that perform third-party security evaluations are typically staffed with cyber security experts, often backed by research teams that track newly discovered weaknesses, and they test many different organizations, which gives them perspective on what works and what does not. Getting a full view of weaknesses and of the effectiveness of controls requires that kind of nuanced insight, built from having seen many environments succeed and fail. This is what they do all day, every day. They also carry no subconscious bias about the pros and cons of decisions the company made in the past.
Security evaluations should cover the people, processes, technology, data, and vendors that together make up a company’s security posture. They should confirm that your corporate systems are protected from outside intrusion and that your guest-facing technology is properly secured. Each of these areas requires an investment of time and focus to understand thoroughly whether, when challenged, it can stand up to current attack techniques.
Internal security testing and validation should continue as part of a comprehensive security policy and program. However, internal testing also benefits from a third-party security evaluation that validates that the internal controls are working and are regularly updated to match the needs of the business and the sensitivity of the systems.
References should be verified for any third-party security testing company to ensure it has the necessary skill set, depth, and breadth to properly vet a security program. Given the pace of technology change today, with cloud computing, mobile computing, middleware integrations, and more, not to mention the speed at which malware and attack techniques evolve, testing companies must show that they are keeping pace with today’s technology and today’s challenges.
How Often Should You Test and What Should Be Tested
Initial testing of a network or system should be performed before it is released into production. This produces a strong baseline to work against. After that, testing should recur at least annually, or whenever a major change is made, whichever comes first. This confirms that changes do not weaken the environment and that the environment is regularly re-examined against newly published vulnerabilities and attack techniques that did not exist at the time of the previous test.
As mentioned above, testing should cover the full security program, including people, process, technology, data, and vendors. People in security roles, physical or digital, must be competent at performing their security duties. The scope is broad, ranging from background checks and physical access restrictions to database security and effective logging, because attackers who want to harm a company have many potential attack vectors to choose from. Processes must be executed consistently and in line with policy so that changes do not introduce new security gaps or vulnerabilities. Technology and data must be secured at a level that matches the sensitivity of the data. Lastly, vendors who play a role in a company’s technology portfolio must be held to the same standards as the rest of the company’s security program.
After testing is completed, each gap must be remediated, accepted (when the cost of the fix exceeds the potential impact, with the acceptance documented and assigned an owner), or transferred through insurance or other means. Critical gaps must be corrected before a system is allowed into production, and if the system is already in production, they must be corrected with urgency. Follow-on testing should then validate that the vulnerabilities were sufficiently remediated rather than taking the fix on faith.
When your company has completed a third-party security test and has corrected (and validated) the remediations identified, the overall security posture of the company will be significantly improved. Creating a safe environment for your customers, whether physical or virtual, is always the top priority. Third-party security evaluations keep the company accountable, correct mistakes and address new challenges, and provide proof that you are being a good steward of cyber security.
Jason Meister, Senior Manager, Information Technology & Security