Bringing Your IT Security Assessments Full Circle - dummies

Bringing Your IT Security Assessments Full Circle

By Kevin Beaver

In the world of hacking, you cannot secure what you don’t acknowledge. This goes for the simplest of vulnerabilities on the network such as a weak Windows domain password policy to more complicated areas involving application security and mobile devices. If you’ve taken all of the proper steps to find security weaknesses in your network environment, you’re on track to get things resolved and minimize your information risks.

Here’s the thing: you have to keep up your momentum. One of the most common mistakes people make in their information security program is to assume that they have “succeeded” because they have uncovered big security flaws in their environment. They believe that because the weaknesses have been acknowledged, that’s all it takes to ensure everything stays in check. They let their guard down. They let other projects take priority.

Worst of all, they believe that something bad won’t happen to them. After all, they’re just a boring old manufacturing company or small mom-and-pop startup that’s not on the radar of those with ill intent.

It’s this stage in an information security program where vulnerabilities start getting exploited, business risks start increasing, and things ultimately start falling apart. To make the most of your security testing efforts, you absolutely have to ensure that you follow through on your security assessment efforts. This involves:

  • Creating a formal report of your prioritized findings and sharing it with the right people internal and external to your organization

  • Doing what it takes to resolve the issues that are uncovered, which is often through policy, technical controls to ensure enforcement, and an adjustment of business processes

  • Tweaking your information security management processes so that you can get better information more quickly

  • Keeping the interest of management in your security initiatives (hopefully you already have their buy-in!)

Information security testing is a snapshot in time of where your network environment stands right now. However, it should not be a one-time event. The only true way to be successful in information security is to repeat your security testing on a periodic and consistent basis. New vulnerabilities will be uncovered, your tools will improve, and most important, you’ll get better at doing this work.

As you go through this journey, you’ll see that information security testing doesn’t have to be that difficult or expensive, but can instead have tremendous payoffs in the long run.