Jul 20 2021

5 Questions to Ask When Evaluating Cybersecurity Assessments

Here's a look at what a comprehensive, successful cybersecurity assessment should answer.

A comprehensive outside assessment can prove critical when developing your university’s cybersecurity strategy, provided you know the right questions to ask and the answers to look for. Here’s what every university IT team should learn from one.

1. Where Are Our Processes Not Working?

Good security is a marathon, not a sprint. The way to win the race is by implementing solid security controls with repeatable processes and consistently maintaining them. Make sure the assessors aren’t stopping at a single server with an expired certificate. That server is a symptom; the finding you want is why the certificate expired unnoticed (no inventory, no renewal owner, no expiry monitoring) and where else the same gap recurs. Ask them to look for the places where you’re making the same error repeatedly.

2. Are We Managing Identity and Access Correctly?

Patching, audits, event management: it’s all important. However, a large share of data breaches track back to poor IAM practices such as stale accounts, shared or over-privileged credentials and weak authentication. Ask for a detailed examination of your IAM procedures, tools and management. An independent assessment here targets your No. 1 vulnerability: people, and the credentials and privileges they hold.


3. Where Is Our Architecture Obsolete?

Most organizations are running application and network architectures designed for an earlier threat model. Approaches such as microsegmentation are old ideas that have only recently become standard in data center design. Ask the assessor to identify where the security ground has shifted under you, then reconsider and redesign as needed.

4. Is This the Forest or the Trees?

Any assessment must poke into the details, so yes, that security vulnerability in your maintenance scheduling application is important and needs fixing. But far more valuable is the big picture: where are you doing a good job, and where do you need to improve? Listen carefully to what the assessor has to say on that question.


5. What Can We Do Ourselves After the Assessment?

A big chunk of an assessment’s value comes from the interpretation of the output of automated tools such as vulnerability scanners and configuration checkers. That interpretation is what you’re paying for, so insist on a knowledge transfer from the assessor to your team: which tools they ran, how they read the results and what to watch for, so that you know how to protect yourself between regular assessments.
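One concrete form that interpretation takes, tying Question 5 back to Question 1, is turning a flat scanner export into a view of which findings recur across hosts (a process failure) and which are one-offs. The script below is an added illustration, not part of the original article or any assessor's tooling; the CSV, hostnames and findings are constructed for the example, and the "systemic" thresholds are assumptions you would tune to your fleet size.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, shaped like a generic scanner CSV.
# Every host and finding here is invented for this example.
SAMPLE_CSV = """host,finding,severity
www1.example.edu,TLS certificate expired,medium
www2.example.edu,TLS certificate expired,medium
mail.example.edu,TLS certificate expired,medium
sched.example.edu,TLS certificate expired,medium
sched.example.edu,SQL injection in maintenance scheduling app,critical
www1.example.edu,Default SNMP community string,high
db1.example.edu,Default SNMP community string,high
lab7.example.edu,Default SNMP community string,high
lab9.example.edu,Default SNMP community string,high
db1.example.edu,Outdated OpenSSH version,high
"""


def parse_findings(text):
    """Parse a CSV export into a list of dicts keyed host/finding/severity."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by_finding(findings):
    """Map each finding title to the set of distinct hosts it appears on."""
    hosts_by_finding = defaultdict(set)
    for row in findings:
        hosts_by_finding[row["finding"]].add(row["host"])
    return hosts_by_finding


def classify(hosts_by_finding, total_hosts, min_hosts=3, min_fraction=0.25):
    """Label a finding 'systemic' when it recurs on enough hosts, else 'one-off'.

    min_hosts and min_fraction are assumed thresholds for the example:
    a finding on at least min_hosts machines, or on at least min_fraction
    of the scanned fleet, points at a missing process rather than a
    single misconfigured box.
    """
    report = []
    for finding, hosts in hosts_by_finding.items():
        n = len(hosts)
        systemic = n >= min_hosts or n / total_hosts >= min_fraction
        report.append((finding, n, "systemic" if systemic else "one-off"))
    # Most widespread first, then alphabetical so output is stable.
    report.sort(key=lambda r: (-r[1], r[0]))
    return report


def process_report(text):
    """End-to-end: parse, count distinct hosts, group and classify."""
    findings = parse_findings(text)
    total_hosts = len({row["host"] for row in findings})
    return classify(group_by_finding(findings), total_hosts)


if __name__ == "__main__":
    for finding, n, label in process_report(SAMPLE_CSV):
        print(f"{label:9} {n:2d} host(s)  {finding}")
```

Run against the sample, the expired certificates and default SNMP strings each show up on four of seven hosts and are flagged systemic (a renewal process and a build standard are missing), while the SQL injection in the scheduling application is a one-off that still needs fixing but does not indicate a repeated error. That split is the difference between a list of tickets and an answer to "where are our processes not working?"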
