Article Surfing Archive

Here at Redspin, Inc. we get asked all sorts of questions, most of which can be answered with, *Down the hall, take a left, second door on the right.* After that, here are the eight most important questions we think you should be asking your independent security auditor.

1. Are you an independent security auditor?

This is the most important question you can ask your security auditor. Are they a pure, independent auditor, or are they a company with something else to sell who also happens to do audits? You don*t want a company that sells solutions to do your security audit, because the odds that they find a problem that their solution fixes just went way up.

2. Do you do real analysis, and provide useful reports?

Beware the security auditor that gives you a 100-page report. Quantity in no way signifies quality in a security audit. What you want from a security auditor is a thorough report that focuses on issues that are relevant to you. Any security audit can find 100 trivial problems. You want an audit that tells you which 5 issues are important.

3. Do you have a quality team?

Consulting firm guys straight out of college are useful for some things, but understanding complicated computer networks and the vulnerabilities associated with them is best left to dedicated security engineers.

4. Hey, aren*t you the guys who sell us our IT?

Don*t hire the same guys who set up your system to audit your system. As much fun as it would be for them to grade their own work, you probably won*t get the most honest results from them. Be especially wary if they say that a *separate branch* of their company does the security audit, and yet another *separate branch* of their company offers solutions. This is what we like to call a *perfect storm of subjectivity.*

5. Do regulators like you?

Mostly this matters if the answer is *no.* Otherwise, it's a nice thing if the company doing your security audit is recognized by regulators as one that does excellent work, because they*re much more likely to give you the quick okay.

6. How much do you cost, and why is that more/less than other firms?

You can pay a little, and have a guy run an automated tool that looks at everything indiscriminately and checks off some boxes. You can pay a huge amount, and get a few guys in suits from a consulting firm where this isn*t really their focus * again, they*re just there to complete a checklist. What you want is an independent security auditor who takes your business seriously, understands it completely, and can help you prioritize security risk and vulnerabilities in the context of your business.

7. Why do I need a security audit?

The easy answer is because a regulator is making you. The harder question to answer is *Why do I need a good security audit?* The answer to that depends on what industry you*re in. It's obvious that industries like banking, casinos and e-commerce are especially attractive to mischief, and would want to make sure that their networks are completely secure. If you*re running an on-line palm reading business, maybe it's not as big a concern.

8. Have you ever done a security audit before?

Experience counts. Make sure that your security auditor has done a number of audits, and check with some of the companies they*ve done audits for to make sure that they do good work.