Third-Party Vulnerability Assessments: Why They Are Still So Important

By: Aaron Kerr and Matt Williams

Aaron Kerr

Director of IT Risk Advisory


Why get assessed?

Having a well-designed vulnerability management program is a foundational element of any security program, but too often this process is taken for granted. Until the vulnerability management program is independently tested, it is difficult for Management to truly understand the current state of the environment. Some companies believe that they are effectively patching vulnerable systems, only to ultimately be faced with a security compromise that could have been prevented through a well-designed and implemented program.

That’s where independent vulnerability assessments come in. An independent vulnerability assessment involves a third party running its own set of vulnerability scans to detect vulnerabilities and evaluate the current state of the environment. The objective is to provide Management with assurance that the organization is properly detecting, protecting against, and responding to vulnerabilities in its computing environment. This can be performed on behalf of Internal Audit or directly with the IT or Security and Compliance department.

Clearview’s Approach

Clearview uses the Center for Internet Security (CIS) as a benchmark for assessing the design and operating effectiveness of the people, processes, and technology related to vulnerability management. Our assessment is multi-faceted, including inquiry with IT personnel responsible for vulnerability management; observation of the tools and technology used to identify vulnerabilities; and inspection of past vulnerability scan results, network diagrams, server inventories, and other relevant documentation. Additionally, we perform independent vulnerability scans of the organization’s computing environment to ascertain the effectiveness of existing vulnerability management processes.

Many companies rely on their internal resources to provide periodic updates on the status of the vulnerability management program. While this is important, engaging a third party gives Management a fresh perspective and helps ensure current processes align with rapidly evolving industry best practices. This service can also be used as a fully outsourced option for smaller companies that do not have a robust internal security team. Benefits include:

  • Save Time and Resources: It can take a significant amount of time and effort to build and maintain an effective vulnerability management program. It is not always practical to hire a fully functioning security team; many third parties offer scalable programs to fit your needs.
  • Benefit of Experience: Interpreting the results of a vulnerability scan requires up-to-date knowledge of the current threat landscape. Proper vulnerability testing is not as simple as clicking a button. The tester must have a thorough understanding of which tools to use, how to properly configure them, the newest security threats, and what the vulnerabilities identified by the scan mean in terms of the response they require.
  • Higher Likelihood of Success: Third parties are more likely to identify previously undetected vulnerabilities. A study by LogRhythm, a security intelligence firm, shows that 70% of breaches are discovered by a third party.
  • Fresh Perspective: An outsider’s view is not smothered by familiarity. When an employee has been exposed to the same system for a long span of time, they begin to accept it as “the way things are” and may be more apt to overlook or ignore potential problems because of prior decisions made on what is now an outdated view of the threat landscape.

Vulnerability management continues to be a core pillar of a solid cybersecurity program, as confirmed by the Center for Internet Security (CIS), yet too often it is taken for granted as a simple “button push” for report generation and machine patching. The reality is that ongoing diligence around this process is absolutely critical to securing your environment, and a third-party assessment of your program can either validate that your environment is well controlled or identify the need to go back to the drawing board. Either way, Clearview is here to help.

Questions on this topic? Reach out to Aaron Kerr (akerr@cviewllc.com) or Matt Williams (mwilliams@cviewllc.com).
