Collaborating with clients to identify vulnerabilities in their cybersecurity frameworks
A security manager’s job is a key part of that work. Here are some tips from a security auditor on getting it done.
Bryan Hornung was a Rider University student who wanted to become an accountant. After a four-month internship, he changed his mind. He said, “I decided this is not what I see myself doing for 40 years.” He decided to pursue a degree in IT instead, because of his fascination with figures.
Hornung began his career as a web developer for a U.S. Navy defense contractor, working on internal applications that dealt with ship modifications. He helped the company move from spreadsheets to web-based applications.
He had lived with regret since college, when, working in a restaurant, he turned down an offer because he didn’t feel prepared or confident. “I told myself a lot about myself and turned down the offer.” Hornung promised himself that he would not turn down another opportunity like it. Six years later, in 2002, a man came into Hornung’s office at the Navy Yard in Philadelphia and said that his wife’s IT support was not working properly. Hornung said his brain immediately thought, “This is it. This is an opportunity that you won’t want to miss.”
“I knew from the beginning that I wanted to be my own boss and run my own company,” Hornung said. The woman became his first client; he helped her with tasks such as keeping computers running, replacing broken parts, and buying and installing new computers.
Hornung said he became a managed services provider in 2007, “where we stopped doing residential work or break-fix work. We really focused on business, managing their IT with a goal to drive efficiency, to show them how technology can be used to increase profits, to make it more of a competitive advantage.” He said these opportunities led to bigger companies with “more industry-driven conformity checking.”
Hornung is now CEO of Xact IT Solutions, with 15 years of experience in security auditing and other IT services. His current job involves overseeing audit processes for his clients, including SOC 2, industry-specific audits, and the Cybersecurity Maturity Model Certification (CMMC).
In the pharmaceutical industry, Hornung said, there is an incentive to deal with regulations beyond the FDA’s, to avoid “dealing with the PR nightmare of a breach on their company.”
According to Hornung, while pharmaceutical companies have been successful at self-regulation, “it’s not as evident in other sectors that don’t have somebody telling them what they need to do regarding cybersecurity.” Hornung was initially tasked with auditing big companies like Merck, Pfizer, and Bristol Myers Squibb. Those audits, he said, were performed by companies that may not have reviewed or verified the data sent to them. From 2007 until 2012, when ransomware became a problem for companies, the audit was a “box-checking exercise,” Hornung said.
Soon, however, companies had to create a comprehensive cybersecurity plan. “And how do you audit that? How do you benchmark that?”
“We adopted the cybersecurity framework very early in our business and we continuously audit our own business against it,” Hornung said. “Then we apply that to our clients’ businesses.”
Hornung said the company began as an IT company and evolved into an MSP as more security-focused opportunities arose. In 2012 it became a security-focused MSP, and it is now a cybersecurity business. He said, “I don’t know how long our business will continue to do that more traditional help desk type work.”
Some companies that already have a relationship with an IT provider may be hesitant about engaging Hornung’s company. Hornung said his company can work with the existing IT department as part of a wider effort; it can be a partnership, not a replacement.
“Technically, it is the job of a security auditor or assessor to locate the needle in a haystack. Once that has been done, the auditor will determine if the needle is actionable,” Hornung said. Depending on what you are monitoring and the problem you are trying to find, he said, a computer or other machine can generate hundreds of log entries per minute; if the company is large, that could be thousands.
It is a lot of work. At first, only Fortune 500 companies could afford it; automation makes the work easier, so that even small businesses can afford it now.
An auditor is responsible for creating a paper trail that identifies the problem and determines the corrective action. He said, “In our business the communication between us (the auditor), in a situation where a company has an internal IT, means that we (the auditor) want to see the communication among the internal IT people as well as the security officer/manager.” The auditor must see that action was taken, and then be able to see the results.
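As an added illustration of the “needle in a haystack” triage and the paper trail described above, here is a small Python script. It is not Hornung’s tooling or anything from Xact IT Solutions; the OpenSSH/syslog line format, the failed-login threshold, the time window and the sample log lines are all assumptions constructed for the example. It reduces a constructed auth log to actionable findings (a source with a burst of failed logins, escalated if that source later succeeds), and records the evidence lines and a corrective action alongside each finding so the result can be followed up and verified.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample auth log in OpenSSH/syslog style; these are not real log lines.
SAMPLE_LOG = """\
Mar  3 09:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2
Mar  3 09:14:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51230 ssh2
Mar  3 09:14:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 09:14:06 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 09:14:08 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51245 ssh2
Mar  3 09:14:10 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 09:15:30 web01 sshd[2250]: Failed password for alice from 198.51.100.20 port 40030 ssh2
Mar  3 09:15:40 web01 sshd[2252]: Accepted password for alice from 198.51.100.20 port 40031 ssh2
Mar  3 09:16:00 web01 sshd[2260]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Mar  3 09:16:05 web01 CRON[2270]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed format: "<Mon> <day> <HH:MM:SS> <host> sshd[pid]: <Failed|Accepted> <method> for [invalid user ]<user> from <ip> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass
class Finding:
    """One audit finding, carrying the evidence lines an auditor needs for the paper trail."""
    source: str
    host: str
    failures: int
    success_after: bool
    evidence: list = field(default_factory=list)
    corrective_action: str = ""


def parse(log_text, year=2021):
    """Return recognised auth events in file order, plus a count of lines that did not
    match, so the auditor can see how much of the haystack was not examined."""
    events, skipped = [], 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        # syslog lines carry no year; an assumed year makes timestamps comparable
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        ev["raw"] = raw
        events.append(ev)
    return events, skipped


def triage(log_text, threshold=5, window_seconds=120):
    """Reduce the log to actionable findings: a source with at least `threshold` failed
    logins inside `window_seconds`, escalated if the same source succeeds afterwards."""
    events, _skipped = parse(log_text)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        burst = None
        # sliding window over consecutive failures from this source
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if (last["time"] - first["time"]).total_seconds() <= window_seconds:
                burst = fails[i:i + threshold]
                break
        if burst is None:
            continue  # noise, not a needle: below threshold or too spread out in time
        after = [e for e in evs if e["result"] == "Accepted" and e["time"] >= burst[-1]["time"]]
        finding = Finding(
            source=src,
            host=burst[0]["host"],
            failures=len(fails),
            success_after=bool(after),
            evidence=[e["raw"] for e in burst + after],
        )
        finding.corrective_action = (
            "Treat as compromise: disable affected accounts, rotate credentials, preserve logs"
            if after else
            "Block source and enforce lockout / rate limiting on the SSH service"
        )
        findings.append(finding)
    return findings


def report(findings):
    """Render findings as the paper trail: what was found, the evidence, and the required action."""
    lines = []
    for n, f in enumerate(findings, 1):
        lines.append(f"Finding {n}: {f.failures} failed logins from {f.source} on {f.host}; "
                     f"later success: {'yes' if f.success_after else 'no'}")
        lines.extend("  evidence: " + e for e in f.evidence)
        lines.append("  action:   " + f.corrective_action)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the constructed input, the single failure for alice from 198.51.100.20 stays below the threshold and is dropped as noise, while the five failures from 203.0.113.7 followed by an accepted root login become the one finding, with the six raw lines attached as evidence and a corrective action the auditor can later check was carried out.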
“We’re looking at the policies, procedures, and we’re asking ourselves, ‘OK. Does the action taken by these individuals around this incident match what the company has put into their process, procedure, and process?’” If it does, that audit control passes. The auditor then writes a report on any deficiencies.
As the manager, Hornung works with clients to “give them the roadmap so that they can allocate the right budget over a time frame to address what we discovered.” “I estimate that around 40% of my time is spent speaking with clients, collaborating with them on roadmaps, and making sure they are putting aside the correct funds to support their cybersecurity framework.” The rest of his time is spent with technicians, running audits and advising clients on the best way to present the information.
Hornung can’t audit CMMC (“nobody is certified to do that now”), but he can help with assessments around it.
His work is most rewarding when clients take his assessments seriously. The worst part is when clients do the opposite and “opt not to do anything.”
“You can’t force people to see things,” Hornung said. They have to see it for themselves.
Hornung said the “unsung heroes” are the men in the trenches: those who find the weaknesses and bring them to management’s attention. “If they can’t do that and they don’t use the tools correctly and they don’t learn how to find different vulnerabilities, then it’s kind of all for naught, because you’re giving the client a false sense of security.”