Better cybersecurity audits would mean better network protection

New model must have improved, timely and actionable reports, summaries and benchmarks

As networks become progressively complex and cyber attacks increase, cybersecurity has moved to the top of boards’ concerns. They ask, “Are we secure?” Since it’s never possible to say “yes” to that, they then ask, “Well, how secure are we?”—another difficult question to answer. And they want third-party validation that the information given is accurate.

The go-to solution for validation has been a cybersecurity audit. Unfortunately, most audits don’t give the answers needed. Reports are simultaneously too long and too shallow and lack context.

Very few auditors are IT experts. They work off a checklist of fairly simplistic questions that can be answered with “Yes” or “No.” They ask: “Do you have firewalls?” and “Do you back up your systems regularly?” This approach focuses on individual, point solutions rather than understanding the network as a whole. More challenging questions would be: “Are your network devices properly configured? How do you know? Are you aware of all your network access points?”

Audit reports can be hundreds of pages, but never seem to include the high-level executive summary the board needs. What’s more, the auditors’ detailed findings lack context and may create undue alarm. A long list of vulnerabilities looks really bad unless board members understand which vulnerabilities actually have an impact on high-value assets.

What’s needed is a holistic view of networks with information that can be acted upon. Networks must be monitored constantly, not just once a year when auditors visit. More useful reporting with a short summary that is easy to understand is necessary. Ideally, a benchmark would provide a view of progress over time, allowing comparison to others. Additionally, “what if” scenarios are needed to understand the consequences before making a change.

Networks are systems, not just a collection of devices, and it’s necessary to understand how the pieces interact. Attackers don’t just exploit one vulnerability and stop there. They hop from place to place, application to application. A focus on point solutions is like missing the forest for the trees.

Constant state of flux

Audit teams visit every 12 to 18 months, but networks are changing daily. Reports are out of date as soon as they are delivered. A constant network view would identify issues as they arise. The best solution would be to model changes before implementing them to determine whether any changes would have unintended, negative consequences.

A list of vulnerabilities—even one prioritized by severity—represents more work than can be done in any reasonable time. Condensed reports are needed to identify what to fix immediately and which vulnerabilities leave important assets exposed.

It’s also important to know which equipment isn’t set up to be consistent with industry best practices so potential vectors of attack can be cut off.

Tracking progress

Even with condensed reports, many executives simply want to know, “Are we doing well? How do we compare with our peers? How do we compare with other types of organizations? And, if we’re not good enough, what are you doing about it?” The best way to present this level of summary would be by having a benchmark or score. This would offer a way to manage and illustrate progress over time and give a sense of how those results compare.

Moving forward, maintaining network resilience will require new tools and processes that provide timely, relevant, actionable information to validate and improve network security. This requires a continuously updated view of the entire network, since the connections between devices are as important as individual device configurations. With improved reporting, summaries and benchmarks, executives could easily obtain the information they want, while knowing that actions are being taken to improve the networks.