With all of the statistics, comprehensive data, and war stories shared from security officer to security officer, I often wonder what is behind the thought process of decision makers declining assistance in implementing a cyber security risk assessment – especially organizations that clearly need it for compliance reasons.
I speak with many technology decision makers of fairly large companies regarding implementing a free cyber security risk assessment for their infrastructure. If I had a dollar for every individual within these organizations who believed that an assessment done over 2 years ago makes them prepared for black hat techniques that advance faster than the pace of white hat security initiatives, I could hang up my coat and retire. There is a prevalent false sense of security in companies both large and small: they believe that if they were not significantly compromised in the last 3 or 4 years, their risk and compliance practices are consistent with or above the best practices in their industry. According to the Economist Intelligence Unit survey, “Ascending the Maturity Curve, Effective Management of Enterprise Risk and Compliance”, at least 87% of respondents agreed with this notion.
However, it is recommended that a review of an organization's security program be done a minimum of every 2 years. It is to their advantage not only to outsource this task to a reputable security consulting company in order to obtain an objective point of view, something that is difficult to accomplish in-house, but also to use a different consulting company each time in order to gain a fresh perspective. Rotating security consulting companies provides the opportunity to catch risks that may have been missed previously.
Although the financial services field was found to be most likely to have this false sense of security, the health care industry is barely on the map. The health care industry is only now beginning to settle on a consistent risk assessment standard. Standards are underdeveloped as to how assessments and vulnerability remediation should be completed. Although HIPAA established a requirement, much is left to interpretation. Unfortunately, this results in spotty assessments or, worse, no assessments at all.
That’s why I scratch my head at a decision maker who turns down a free risk assessment. They have the opportunity to find out – using a fresh pair of eyes – what may be exposed in their organization…for free. Addressing the risks, of course, is another subject. So, the next time you receive that call from a reputable security consultant about evaluating a risk assessment program that was implemented more than a year ago, reconsider. Hackers are not waiting every 2 years to develop new ways to crack your network – they are advancing each day.