Jul 01 2021

5 Questions a Cybersecurity Assessment Must Answer

A thorough penetration test is a critical step in any security strategy. Here’s what every agency should learn from one.

1. Where Are Security Processes Not Working?

Good security is a marathon, not a sprint. The way to win the race is by implementing solid security controls with repeatable processes and consistently maintaining them. Make sure the assessor isn’t focusing on finding that single server with an expired certificate. He or she should look for places where there are repeated errors. 

2. Are Identity and Access Management Managed Correctly?

Patching, audits, event management — it’s all important. However, a huge number of data breaches track back to poor IAM practices. Ask for a detailed look at IAM procedures, tools and management. An independent assessment here targets the No. 1 vulnerability: people.

3. Where Is the Agency’s Architecture Obsolete?

Security is constantly changing, and the application and network architectures of many agencies are outdated. Approaches such as microsegmentation are not new ideas, but they have recently become the standard in data center design. Find areas where the security ground has shifted, then reconsider and redesign if appropriate.

4. Is This the Forest or the Trees?

Any assessment must probe into the details — so, yes, that security vulnerability in a maintenance scheduling application is important. Much more valuable, however, is knowing the big picture: Where are employees doing a good job, and where must an agency improve its security posture and practices? Listen carefully to what the assessor has to say here.

5. What Can an Agency Do After the Assessment?

A big chunk of the value of an assessment comes from the experienced person who interprets the output of the automated tools. That interpretation is what an agency is buying, so make sure there is a knowledge transfer from the assessor to the governance team, so that everyone understands how to keep the enterprise safe between the regular assessments the agency should continue to schedule.