Reasons to Reconsider: The Challenge and Risk of Performing Your Own Cybersecurity Assessment
By Frederick Johnson, Vice President - Cybersecurity & Digital Forensics
With all the recent headlines about ransomware attacks and the indiscriminate way they choose their targets, companies are continually scrambling to understand what they need to do to avoid becoming the next victim. Many companies perform the basics and take it upon themselves to do regular security scans of their web servers and internal network environments, looking for exploitable weaknesses. Others add on some cyber training to educate their staff, and write and maintain well-articulated security policies that help shape the security of their organizations. The most mature organizations introduce risk assessments. They conduct them annually and use the results to proactively and aggressively improve the security of their environments, all while reducing the likelihood and impact of a security incident.
So, what is a risk assessment and why do I need one? According to ISACA (Information Systems Audit and Control Association), risk assessments are an “established approach to identifying and managing systemic risk for an organization.” [1] Risk assessments include identifying and analyzing several key security elements and security issues, including the impact and likelihood that these issues could occur, along with the cost and effort to remediate them. Once the risk assessment results are compiled, the weaknesses are prioritized by severity and management can begin taking action.
If done properly and objectively, risk assessments can be used to tackle an array of different problems. One common use of a risk assessment is to understand and measure the organization’s compliance with specific standards and obligations; a good example of this is the Payment Card Industry Data Security Standard (PCI DSS) requirements for protecting credit card information.
With an assumption that a risk assessment is necessary, the question should now turn to who should do them. Typically, organizational leadership believes it is adequate for information technology (IT) or IT audit employees to perform and manage risk assessments for their organizations. If properly trained, certainly these individuals are technically qualified to provide these services. After all, who knows the systems better than an internal team, right? Well…we believe you may want to reconsider.
Reasons to Reconsider
Over the years, the efficacy of internal teams performing risk assessments has been studied, and notable problems with their approach tend to emerge. One of the biggest problems with having internal teams perform risk assessments is that they unintentionally lose some objectivity and tend to ignore what they are used to. Let us explore this for a minute.
Much like when someone is selling their car, staff tends to ignore and downplay nagging problems that they have learned to live with. Air conditioning does not turn on quickly. Car pulls to the left when braking. Engine makes strange noises when not using premium gasoline. The owner gets used to these issues and becomes blind to them or their impact. We see the same thing occur in reviewing IT systems. We have not patched an application running on an out-of-date operating system because we’ve been planning to upgrade it for the last 18 months. We do not see the need to perform a penetration test of a legacy application that is end-of-life and about to be replaced. We did not check password strength for a financial application because only a few people use it.
When these problems are found, they have the potential to call unwelcome attention to a well-liked leader or team or to embarrass someone; therefore, the impact or disclosure of these discoveries often tends to be downplayed. It is human nature and it occurs in every organization. All these rationalizations tend to blind internal teams and their organization’s leadership to the problems for what they are: real, unmanaged risks to the organization that will continue to fester over time. These real problems will be left unaddressed and can bubble up to manifest as real security incidents. These incidents would then have the potential of becoming reportable security breaches and, in the worst-case scenario, catapult you onto the front lines, a place you are trying to avoid, marking you as a cybersecurity victim, facing client judgement and, in some cases, fighting for the survival of your business.
An Alternative Approach
When a third-party risk assessor is engaged, one of the very first things they do is perform a comprehensive system and application inventory to understand exactly what the organization is carrying. They make no assumptions, no exceptions, and they look everywhere they can, both inside the organization and out. They interview and speak to all critical personnel in the organization, not just IT people, to find out where everything is; it is often very surprising for the IT teams to learn that other departments, such as marketing, either have shadow IT or are directly engaging third parties for their own IT needs with little or no security awareness at all. A third-party vendor performing the risk assessment avoids these issues, has no social agenda and has no alliances with staff that need to be honored. They can provide an objective and clear voice in the risk conversation with the executive leadership team, something that is exceedingly difficult for internal IT teams. All of this cumulatively leads to a more successful assessment and dramatically reduces risk.
When choosing a third-party risk assessor, be sure to select an organization with a strong reputation for integrity and trust. While it is convenient and appropriate to choose the same vendor to perform remediation services around issues discovered, if there is any apprehension here, it is easy enough to engage a separate firm to manage and drive remediation activities based on the risk assessment that is performed.
Unfortunately, there are no signs of cyber or ransomware attacks subsiding anytime soon. The methodology required to identify the specific organizational weaknesses that cyber criminals prey on is well established and can be conducted quickly and efficiently by certified professional services organizations. To ensure optimal protection, and to avoid becoming the next victim, your best course forward is to engage a trusted third-party risk assessor to find the issues and bring your organization some much-needed peace of mind.
For more information about Marcum Technology’s IT Risk Assessment Services, contact email@example.com.
[1] ISACA, “Performing a Security Risk Assessment.” Viewed May 17, 2021. https://www.isaca.org/resources/isaca-journal/past-issues/2010/performing-a-security-risk-assessment