Expert Advice Only Helps If You Listen
Just as secure software relies on extensive testing throughout the development process to dig out bugs, glitches and interoperability issues, secure networks require regular assessment to expose policy problems, misconfigurations and architecture flaws.Just as secure software relies on extensive testing throughout the development process to dig out bugs, glitches and interoperability issues, secure networks require regular assessment to expose policy problems, misconfigurations and architecture flaws. While vigilant administration should uncover most of those issues, the complexity and fluidity of modern networks renders it all but impossible to catch every security problem in the normal course of business. The good news is that businesses are much less resistant to auditing and assessment than they are to most other security measures. Assessments are outsourced easilyindeed, third parties are often necessary to develop a thorough and accurate picture of the situationand companies have increasingly begun to view security as simply another type of audit. Security firms have stepped up to the plate, offering a wide range of different assessment services, as have the Big Five consultancies.
The bad news is that companies regularly ignore the results of their own assessments, rendering them all but useless. From a managers perspective, much of the allure of a third-party audit lies in its inobtrusiveness. By writing a check, a CTO can "do something about security" with little or no planning or disruption of normal business practices. Implementing the resulting recommendations is an entirely different matter, often requiring substantial changes in operating procedures, software configuration and/or network architecture. It is often much easier to defer implementation indefinitely and write off the costs as a security expenditure, when, in fact, any improvements to overall security may be negligible at best.