Cybersecurity in layers has been the go-to security model for some time now. There’s no one solution that will properly secure your organization’s network and sensitive information. In today’s environment, it takes an orchestra of teams, tools, and active threat detection and prevention operations to properly secure your organization from an attacker. It has become very clear that traditional layers, such as anti-virus, firewalls, and monitoring tools, are just not enough. Attack emulation is a critical security layer that not only focuses on known vulnerabilities but also shows what a real attacker could do to your organization. If you are serious about finding your organization’s security weaknesses and resolving them, you’re likely going to need help from a third party.
Unless your organization has a team of analysts dedicated to your cybersecurity efforts, you likely lack the level of knowledge regarding your network needed to understand the potential threats that could expose your most sensitive data. On the other hand, even if your organization does have an internal team dedicated to cybersecurity, are you testing the effectiveness of its security efforts? We have found that in-house cybersecurity analysts often wear several hats in an organization, with security taking a backseat to the up-time and functionality of information technology (“IT”) within the organization. Additionally, in-house cybersecurity analysts often only have knowledge of their own organization’s network, unlike analysts within a security firm who see many environments. Just as it is often difficult to proofread your own writing, in-house cybersecurity analysts may be blind to indicators of compromise or threat actors on their organization’s network. Engaging with a third-party team of security professionals brings a diverse set of knowledge and new insight to the analysis of your organization’s security posture.
So, how do you find the right balance of internal and external cybersecurity support?
The goal should be to establish a relationship with a cybersecurity partner that will provide value to your organization and in-house IT staff, as well as help you improve your organization’s overall security posture.
Deciding which security route to take for your organization can be tricky. Common options include IT services providers, contracted and freelance security professionals, and engaging with a dedicated security firm.
Here’s a quick breakdown:
IT Services Providers
I spent a good portion of my professional career as a consumer of IT services. Over the past few years, I’ve noticed that many IT services providers bolt network penetration testing services onto their product offerings. This trend has resulted in a flood of low-cost penetration tests followed by a big price tag, usually for hardware sold by the provider, to remediate the identified vulnerabilities. Chances are that if your organization has decided to engage in an effective and comprehensive advanced network penetration test, it’s not exactly cheap. The follow-up conversation based on the results of the penetration test should not immediately result in your organization needing to spend more money on hardware or remediation services. If there’s no discussion about how your organization’s internal IT staff and existing investments can be leveraged to properly secure your network environment, make that conversation happen with your IT services provider.
Our statistics show that 75% of identified vulnerabilities can be remediated internally by the organization and/or with support contracts in place on vulnerable systems. In most cases, remediating the other 25% of the identified vulnerabilities involves implementing new measures or replacing end-of-life systems. It is not impossible for a security vendor to provide a solid network penetration test that is not influenced by hardware sales post-test. However, be wary of a cybersecurity “silver bullet”; no one piece of hardware will properly secure your organization.
Contract and Freelance Security Professionals
It is common to see organizations looking to hire freelance and contracted security professionals to assist with cybersecurity initiatives. Often, there is a desire to hire the freelance or contracted security professional as a full-time employee of the organization after the contract or project is complete, creating a “try before you buy” scenario. Unless your organization has serious intentions of evaluating a contracted worker for a full-time position, this may not be the route for you.
Additionally, organizations often explore the option of hiring freelance or contracted security professionals because of the lower associated costs. While cost may be a factor for your organization, be sure to ask this critical question: can this freelance or contracted security professional singlehandedly conduct a thorough penetration test in a timely manner? What I find is often lacking here is a team-based approach to penetration testing. A team-based approach to advanced penetration testing, which is often found within a cybersecurity firm, is not only going to yield a greater number of identified vulnerabilities in a timely manner but also produce a robust and actionable set of remediation recommendations for your internal IT staff. If hiring a freelance or contracted security professional is something you are strongly considering, ensure that there are reputable references available for the candidate.
Dedicated Security Firm
For most organizations, a dedicated security firm is the sweet spot, providing your organization with access to a diverse team of cybersecurity professionals dedicated to strengthening your organization’s security posture. This form of engagement allows you to extend your IT staff’s capabilities and knowledge, and gain direction by leveraging insight and expertise from dedicated cybersecurity professionals.
No matter which security firm you hire to meet the cybersecurity needs of your organization, be sure to ask questions regarding the level of service being provided. Asking questions helps ensure that you are receiving a team-based approach to your organization’s advanced penetration test, rather than an individual contractor working on a fixed timeline.
Engaging with a well-rounded and dedicated security firm should provide your organization with a set of resources that will help secure your infrastructure, as well as assist in planning for the future of your organization’s cybersecurity posture. At a minimum, services such as enhanced red team operations and advanced network penetration testing, digital forensics and incident response, reverse engineering, and threat hunting should be part of the security firm’s offerings. The strongest security firms will be engaged in these services consistently, offering expertise in all areas of cybersecurity.
No matter what route your organization chooses to take, the most important factor is partnering with a security professional who is trustworthy and able to meet the security needs of your organization. Remember that your cybersecurity posture must be evaluated, and that whoever you choose to help expose vulnerabilities in your infrastructure will then know your organization’s cybersecurity weaknesses.