I’ve previously written about the fact that I was MicroSolved customer prior to joining the company as an employee in 2014. Despite the fact my team was running our own vulnerability assessments and penetration tests, I felt it was important that I occasionally hired a MSI to perform these services as well. As sharp as my team was, MSI always was able to provide us with actionable intelligence that we could use to improve our risk posture. Now that I have performed these assessments as a consultant, I have seen first-hand the importance of hiring a 3rd party to assess your network.
When you support a production network, you can inadvertently grow a set of blinders towards certain portions of the infrastructure. This could be something as simple as forgetting about a subnet or inadvertently ignoring a legacy system. When you bring in a 3rd party to assess your network, you’re going to deal with a team that has no preconceived notions about the systems and can truly look at the infrastructure holistically. As funny as it sounds, their lack of institutional knowledge can be an asset.
Both as a consultant and as an employee, I’ve seen Managers and Executives that are absolutely shocked by the results of a 3rd party assessment. Despite the fact that they were assured that mechanisms were in place to limit the risk and effectiveness of an attack, the 3rd party identified significant areas of concern. This doesn’t necessarily indicate that the employee was intentionally withholding information. It could be something as simple as them being unaware that a certain system or portion of the network exists.
As an IT Manager or Executive, you’re forced to place a high level of trust in your team. You can’t monitor and oversee everything. You have to take their word that networks are properly segmented and that systems are being patched. I’m not necessarily stating that you can’t trust your employees. However, I do think that it’s worthwhile to occasionally bring in someone to watch the watchers.