3. Where Is Our Architecture Obsolete?
Security is constantly changing. Most schools are outdated when it comes to application and network architectures. Approaches such as microsegmentation are old ideas that have only recently become the standard in data center design. Find areas where the security ground has shifted, then reconsider and redesign if appropriate.
4. What Can We Do Ourselves After the Assessment?
A big chunk of the value of most assessments comes from the experienced person who interprets the output of some automated tools. That interpretation is what you’re paying for, so make sure there’s a knowledge transfer from the assessor to your team to ensure that you understand how to keep yourself safe between regular assessments, which you should continue to get.
5. Is This the Forest or the Trees?
Any assessment has to poke deep into the details — so, yes, that security vulnerability in your maintenance scheduling application is important. But much more valuable is knowing the big picture: Where are you doing a good job, and where do you need to improve your security posture and practices? Listen carefully to what the assessor has to say here.