By Shawn Waldman – CEO – Secure Cyber Defense, Miamisburg, OH
I've been in technology for over 25 years, and one of the first things I did in 2009 when Cybersecurity was becoming a thing was to have an external firm evaluate my program. Considering that I didn't have a program back then, the results were very enlightening. I hired a firm that could look at me through a completely different set of eyes. They didn't know my company or me and came at the task differently.
Let's look at some of the many reasons you would want to have this done.
Insurance
First and foremost, we're seeing that many insurance carriers are explicitly asking you to have a 3rd party assessment to renew or obtain coverage. Unfortunately, this leaves the door open for interpretation of how the evaluation is carried out. We recommend using one of the mainstream compliance frameworks, like the CIS Top 18 Controls, NIST 800-171, or the National Cybersecurity Framework. Depending on the maturity of your organization, you might also want to investigate the ISO 27000 set of standards.
Risk Management
When I'm talking to potential clients, one of the first things I usually bring up is that no business owner will make a significant move in just about anything without good intelligence and information to support the action. Quite frankly, many company executives and managers are completely unaware of the Cybersecurity risk that might be present. A considerable benefit of the assessment process is that a seasoned and experienced assessor can pivot from the interview and look more deeply for risk. What's the most common way risk makes its way into an organization? Change.
Getting a Fresh Look
Sometimes, it's just nice to get a second set of eyes on things to see if anything is missed or if there is a different way of doing things. A natural reaction is to resist the need for an assessment because it can be seen as a threat or a sign of distrust. Quite the contrary, actually: in the over ten years I've been doing 3rd party assessments, I can count on one hand the number of times that someone took it that way. Most companies and IT staff welcome a second set of eyes, especially with Cybersecurity, since most IT staff don't want to take on that expertise themselves.
Compliance Requirements
Maybe your organization is required to maintain a certification or meet a requirement in order to perform a contract or do business with a customer. In this example, CMMC/DFARS/NIST is a perfect model. Since before the requirements were ratified, Secure Cyber Defense has performed pre-assessment work in this area as the customer's advocate. Although the CMMC rules are in flux (recently reduced from 5 levels down to 3), it's important to monitor new contracts for CMMC notification levels. Until then, make sure you work with a trusted provider who can start working with you through the Plan of Action and Milestones (POAM) and help prepare the System Security Plans (SSP). We recommend all defense contractors continue to work on the DFARS/NIST compliance pieces because, regardless of what CMMC does, those components will be required for the foreseeable future.
Vendors/Customers Request It
Next on the list, you would want a 3rd Party Cyber assessment because vendors and customers may require it. It's not out of the question, and many of you have already been asked to have an external evaluation to keep those relationships. These requests generally stem from the increased push for organizations to keep their 3rd party vendors in check (i.e., CIS Control 15 covering service provider management). It's always good to keep a current external assessment on file; we recommend every year or every other year.
Light Threat Hunting
Something we've been doing since the beginning is what we call "light threat hunting." In the course of our assessment, we perform some threat hunts for known and documented threats (like log4j indicators) and for communication with countries currently listed on the Office of Foreign Assets Control (OFAC) list. Often, this can be a good indicator of a potential threat or evidence of a past one. As you are searching for 3rd party assessment vendors, I would ask whether they include this.
Blow the Dust Off Your Policies
Policy is still one of the not-so-glamorous parts of managing an IT Department and a Cybersecurity program. Things like an Incident Response Plan, Disaster Recovery, and Business Continuity were all things that were not on the priority list years ago. That being said, we've come across many organizations that have policies but haven't updated them for many years. Assessors can look at the guidelines that you do have and provide some feedback on any changes that might need to be made to make them current.
C-Suite and Boards Take Note
Executives in the C-Suite and Boards need to note that not having an external look at your organization can often leave you with a blind spot. Like I've said previously, it's not a trust issue; it's the fact that you can get tunnel vision looking at the same things for many years. This happened to me when I was managing IT. Only when I hired an external firm to look at my organization did I learn that there were processes and information I didn't have about new hardware/software solutions available.
Perform Regular Re-Assessments
As indicated in this article, we recommend getting regular assessments and rotating through providers at least every other year, much like you would with penetration testing. The idea behind this is that you will get a completely different perspective and process each time you switch vendors.
In Summary
This article has spent a lot of time discussing why you would need to hire a firm to perform a 3rd party Cybersecurity assessment, and I've outlined many of the reasons we do them and some of the components that make up our service. Please spend some time interviewing the firm, because one of the most valuable assets of an assessor is their background and experience and their ability to inject their years of expertise into your company.
About Secure Cyber Defense
Secure Cyber Defense offers 24/7/365 threat monitoring services, Fortinet hardware, secure email, cybersecurity and compliance consulting, incident response services, and cybersecurity training for businesses and government agencies to protect company data from cyber threats. Offering both installed and "cybersecurity as a service" offerings, we scale custom solutions for any size organization. Secure Cyber Defense is a Premier Fortinet Partner.