What is the best way to do a security assessment to ensure the system or network is secure or properly setup? Would you outsource external consultants or setup internal team?

16 Comments

Director of IT in Energy and Utilities, a year ago

You need an independent assessment periodically. Say annually. Between those, do things that apply to your organization based on all the different factors that your organization finds important and applicable.

Director of IT, 2 years ago

It is extremely important to define the security posture for the enterprise, which must include all the applicable domains: Perimeter, Identity & Access, Data, Network, Endpoint, Cloud, Application, Mobile, Industrial Security, along with DR and BCP. Looking at each domain will help to ensure the coverage of all the domain areas. Identify the gaps in security policies, and ensure appropriate tools and a threat notification mechanism are in place.
It is recommended to bring in an external party to conduct the security assessment of the enterprise; however, define the scope with open eyes and mind, and be open to sharing all kinds of data and information required. Keep the governance in your hands.
In summary, it has to be a hybrid team of internal and external experts. Hope this helps.

CIO, 2 years ago

In my opinion, the most effective way to address security issues is to always use an internal team. However, those professionals are rare, ask for high salaries, and are hard/expensive to retain.

So, hiring a consultant company which has reputable knowledge on this point, has a talented team, and a commitment to continuously enhancing their skills in such a complex area, could be an alternative that must be considered.

Board Member in Healthcare and Biotech, 2 years ago

A bit of both - internal and external.

External to conduct the initial and post-remediation assessment, and then at predefined milestones like an upgrade/major change, or periodically, say annually.

Internal to own the remediation and manage business impact and expectations.

Finally, as the IT leader, communicate the why, the what and the end game not just to the impacted stakeholders, but across the company to strengthen the perception of security.

Senior Vice President - Advanced Engineering & Data Analytics in Manufacturing, 2 years ago

The best and foolproof way of security assessment is through penetration testing, and that will surface the vulnerabilities across the enterprise. Further, security monitoring and threat detection through log aggregation and analytics helps continuously identify anomalies, and remediation can secure the enterprise. Further, regular audits will help ensure configurations and upgrades/patches. This can be outsourced to external firms and can be better managed through specialists.
