It’s an age-old question: which came first, the chicken or the egg? The same paradox illustrates the challenge organizations face when contemplating a risk assessment. Should they fix known issues before an assessment, or should they complete the assessment first and then follow the prescribed recommendations?
It’s an interesting question, and one that can be overshadowed by an internal team’s resistance to having an external firm evaluate its work. The real question is not when but why it makes sense to have a third party validate risk. It comes down to priorities. Internal teams always do their best to strike a balance between delivering critical IT functions and securing the enterprise, but from a priority standpoint, keeping things operational is always the number one goal, because that’s what pays the bills. This focus keeps organizations running but leaves potential gaps in security.
Let’s look at some of the reasons these gaps develop. One of the most common ways gaps are created is during the urgent response to an outage. Since the focus is on getting things to function, security best practices and controls become a secondary goal, so in the heat of the moment, bypassing a vital security function (disabling a firewall rule, granting a broad permission, or turning off a check) may be part of a rapid fix to restore operations. As teams move on to the next task at hand, it takes diligence and a well-defined process to ensure they go back and restore the security functions, and that step is often overlooked.
Another common pitfall is rapid organizational growth that results in large-scale IT infrastructure expansion. Again focusing on getting things to an operational state, the team often adopts a phased deployment approach that begins with launching a minimally viable state that delivers capability but may not include the necessary security controls. While the intent is to complete the remaining phases to increase functionality and security, reality may differ. With organizations struggling to find and retain critical IT staff, teams are stretched thin, and intention gives way to overload. As a result, teams get reassigned to other tasks before deployments are completed and all objectives, including security controls, are met.
None of these situations represents bad intent; teams do their best with the resources available. In many cases, the gaps created are simply forgotten as the focus shifts to the next prioritized task. This is where the value of a third-party review comes into play. An external organization focused on identifying risk will look specifically for process and security gaps. Whether it’s a holistic risk assessment, a network vulnerability scan, or a penetration test, the outcome will reveal risk areas and provide specific recommendations on how to address them.
For planning purposes, organizations should engage a third party at least annually to review the environment and provide specific feedback. Remember, it’s not about identifying who created the security gap; it’s the how and why that will help organizations avoid similar challenges in the future. Over time, a cadence of ongoing reviews will refine the process and establish checkpoints that minimize gaps going forward.