Better cybersecurity audits would mean better network protection
New model must have improved, timely and actionable reports, summaries and benchmarks
By Paul Beaudry, Special to ThirdCertainty
As networks become progressively complex and cyber attacks increase, cybersecurity has moved to the top of boards’ concerns. They ask, “Are we secure?” Since it’s never possible to say “yes” to that, they then ask, “Well, how secure are we?”—another difficult question to answer. And they want third-party validation that the information given is accurate.
The go-to solution for validation has been a cybersecurity audit. Unfortunately, most audits don’t give the answers needed. Reports are simultaneously too long and too shallow and lack context.
Very few auditors are IT experts. They work off a checklist of fairly simplistic questions that can be answered with “Yes” or “No.” They ask: “Do you have firewalls?” and “Do you back up your systems regularly?” This approach focuses on individual, point solutions rather than understanding the network as a whole. More challenging questions would be: “Are your network devices properly configured? How do you know? Are you aware of all your network access points?”
Audit reports can be hundreds of pages, but never seem to include the high-level executive summary the board needs. What’s more, the auditors’ detailed findings lack context and may create undue alarm. A long list of vulnerabilities looks really bad unless board members understand which vulnerabilities actually have an impact on high-value assets.
What’s needed is a holistic view of networks with information that can be acted upon. Networks must be monitored constantly, not just once a year when auditors visit. Reporting must be more useful, with a short summary that is easy to understand. Ideally, a benchmark would provide a view of progress over time, allowing comparison to others. Additionally, “what if” scenarios are needed to understand the consequences before making a change.
Networks are systems, not just a collection of devices, and it’s necessary to understand how the pieces interact. Attackers don’t just exploit one vulnerability and stop there. They hop from place to place, application to application. A focus on point solutions is like missing the forest for the trees.
Constant state of flux
Audit teams visit every 12 to 18 months, but networks are changing daily. Reports are out of date as soon as they are delivered. A constant network view would identify issues as they arise. The best solution would be to model changes before implementing them to determine whether any changes would have unintended, negative consequences.
A list of vulnerabilities—even one prioritized by severity—represents more work than can be done in any reasonable time. Condensed reports are needed to identify what to fix immediately and which vulnerabilities leave important assets exposed.
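To make the argument concrete, here is an added example (not from the article or its author) of the kind of analysis a continuous network model enables: it treats the network as a graph of permitted flows, keeps only the audit findings that sit on a path from an untrusted entry point to a high-value asset, and re-runs that test against a proposed firewall change before it is made. The hosts, flows, finding IDs and severities are constructed for illustration.

```python
from collections import deque

# Constructed sample network: host -> hosts it can reach over permitted flows.
# Every name, value and finding below is made up for this example.
NETWORK = {
    "internet": {"web"},
    "web": {"app", "jump"},
    "jump": {"db", "app"},
    "app": {"db"},
    "db": set(),
    "hr-laptop": {"web"},  # internal only; not reachable from the internet
}
VULNS = {  # host -> findings from the checklist-style audit (id, severity)
    "web": [("V-1 outdated TLS", "medium")],
    "jump": [("V-2 default creds", "critical")],
    "app": [("V-3 verbose errors", "low")],
    "db": [("V-4 unpatched", "high")],
    "hr-laptop": [("V-5 missing AV", "high")],
}
HIGH_VALUE = {"db"}  # the assets the board actually cares about

def reachable_from(network, start):
    """Hosts an attacker could hop to from `start` by following permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in network.get(queue.popleft(), set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_findings(network, vulns, entry, targets):
    """Findings on hosts that are both reachable from `entry` and able to reach a
    high-value target. These sit on an attack path and go to the top of the report;
    everything else is context, however high its nominal severity."""
    from_entry = reachable_from(network, entry)
    on_path = [h for h in from_entry
               if h != entry and reachable_from(network, h) & targets]
    return sorted(fid for h in on_path for fid, _ in vulns.get(h, []))

def what_if(network, drop_flows):
    """Copy of the model with (src, dst) flows removed, e.g. a proposed firewall rule."""
    model = {h: set(n) for h, n in network.items()}
    for src, dst in drop_flows:
        model.get(src, set()).discard(dst)
    return model

if __name__ == "__main__":
    print("exposed now:", exposed_findings(NETWORK, VULNS, "internet", HIGH_VALUE))
    proposed = what_if(NETWORK, [("web", "jump")])  # block web -> jump host
    print("after change:", exposed_findings(proposed, VULNS, "internet", HIGH_VALUE))
```

Run as-is, the baseline lists four findings on the path to the database while the laptop's "high" finding is correctly left as context; the single proposed flow removal takes the critical jump-host finding off the attack path before anyone touches the firewall.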
It’s also important to know which equipment isn’t configured in line with industry best practices, so that potential vectors of attack can be cut off.
Even with condensed reports, many executives simply want to know, “Are we doing well? How do we compare with our peers? How do we compare with other types of organizations? And, if we’re not good enough, what are you doing about it?” The best way to present this level of summary would be by having a benchmark or score. This would offer a way to manage and illustrate progress over time and give a sense of how those results compare.
Moving forward, maintaining network resilience will require new tools and processes that provide timely, relevant, actionable information to validate and improve network security. This requires a continuously updated view of the entire network, since the connections between devices are as important as individual device configurations. With improved reporting, summaries and benchmarks, executives could easily obtain the information they want, while knowing that actions are being taken to improve the networks.