Just as secure software relies on extensive testing throughout the development process to dig out bugs, glitches and interoperability issues, secure networks require regular assessment to expose policy problems, misconfigurations and architecture flaws. While vigilant administration should uncover most of those issues, the complexity and fluidity of modern networks renders it all but impossible to catch every security problem in the normal course of business.
The good news is that businesses are much less resistant to auditing and assessment than they are to most other security measures. Assessments are outsourced easily—indeed, third parties are often necessary to develop a thorough and accurate picture of the situation—and companies have increasingly begun to view security as simply another type of audit. Security firms have stepped up to the plate, offering a wide range of different assessment services, as have the Big Five consultancies.
The bad news is that companies regularly ignore the results of their own assessments, rendering them all but useless. From a managers perspective, much of the allure of a third-party audit lies in its inobtrusiveness. By writing a check, a CTO can “do something about security” with little or no planning or disruption of normal business practices. Implementing the resulting recommendations is an entirely different matter, often requiring substantial changes in operating procedures, software configuration and/or network architecture. It is often much easier to defer implementation indefinitely and write off the costs as a security expenditure, when, in fact, any improvements to overall security may be negligible at best.
The worst examples of that phenomenon are typically associated with policy audits. The vast majority of network security weaknesses stem from nonexistent, poorly developed or unenforced security policies. As such, policy adjustments are likely to provide the most “bang for the buck” in terms of improved security, and thus are prime focal points for auditing.
Implementing the recommendations of vulnerability assessments often meets less resistance from both management and staff, in large part because the burden falls almost exclusively upon the IT staff. Managers are often unwilling to provide the necessary resources to overworked systems administrators. As a result, the work is often done in a makeshift fashion. Changes that may limit or disrupt network functionality are often deferred.
The single most important thing to realize when considering a security audit or assessment is that it is only the beginning of the process, and it will do no good without determined follow-through. Resources available for security are simply too scarce to be spent on theoretical exercises that wont show appreciable results.