What is the best way to do a security assessment to ensure the system or network is secure or properly set up? Would you outsource to external consultants or set up an internal team?

5.3k views, 16 comments
CIO in Finance (non-banking), 7 months ago
Before you do an assessment, make sure you have defined the framework you want to follow (NIST, etc.). If your goal is to mature the security organization over time, then definitely get an external assessment. You will need to repeat this every other year to see if you have made progress in the areas you desire. If you just want to check networks, then get an external provider and also do a penetration test to understand and work on any vulnerabilities found. Internal teams are good but a little biased, as they perhaps built it. Hope that helps.
Chief Supply Chain Officer, 7 months ago
The most direct answer to your question is that outsourcing this requirement will typically come at less expense than the total costs to recruit, train, and retain this capability in-house. However, the decision on which to do will ultimately have to consider a number of factors, including how often, how big an enterprise, how unique the solutions are, the value of 3rd-party vs. internal audit results, and total encumbered rates of FTEs, to name a few.
VP of IT in Finance (non-banking), 7 months ago
I think it depends on the maturity of your accountability across different groups. External consultants are normally more scalable, but I would make sure that the oversight and quality control of the process is managed internally. "Security Assessment" is a term that can mean different things depending on who you are speaking with. There are 3rd-party assessments, which can be completely different from an internal Security Assessment, which in turn can vary depending on whether it's a home-grown application, COTS, or an API. Some Security Assessments are paperwork drills, and some have technical testing components. You can also talk about Risk Assessments as part of this process. An overall documented methodology is the first step, and it should be outcome-driven. Adopt a methodology and clearly define what the expectations of the "Security Assessment" product are, but focus on what outcomes you are trying to achieve. Do you want to reduce risk? Do you want to identify gaps? Probably both, but focus on the outcomes you are trying to achieve and measure success against those outcomes. Adjust the process to achieve the outcomes.
Chief Technical Officer in Software, 7 months ago
You’ll need the expertise in-house, as it’s an ongoing process, 365/24/7, but start with an outside firm that can advise you on your goals and framework, then use them to get your own staff up to speed to maintain your security posture. Then use an external firm once a year to audit your systems; internal teams often can’t see the wood for the trees, and you need the external perspective on a regular basis. A lot can be automated with tools, depending on your infrastructure setup.
CIO in Software, 7 months ago
External is going to give you the best perspective, as they won't make any assumptions. It's amazing how often external testers find something which people internally have overlooked. Once you have a baseline of where you are, you can have an internal team to progress changes, but I like the scrutiny of an independent review on a periodic basis to keep your team readiness high.