Working with clients to find vulnerabilities within their cybersecurity frameworks is the key part of a security manager’s job. Here’s how a security audit manager does it.
When he was a student at Rider University in New Jersey, Bryan Hornung wanted to become an accountant. But after a four-month internship, he changed direction. “I’ve decided that’s not the thing I see myself doing for the next 40 years,” he said. He applied his interest in numbers to a computer science degree.
In his first job, as a web developer for a US Navy defense contractor, Hornung worked on internal applications, tackling topics such as ship modifications. He helped the company move from spreadsheets to web applications.
But he lived with regret. In college, while he was working in a restaurant, a customer asked him if he was interested in IT, and Hornung felt he was unprepared. “But I just didn’t trust myself,” he said. “I said a lot of bullshit to myself and declined the offer.” Hornung vowed never to say no to such an opportunity again. About six years later, in 2002, a guy walked into his Navy Yard office in Philadelphia and said his wife’s business was having issues with their IT support. “Immediately my brain thought: ‘This is it. This is an opportunity for you that you cannot refuse.’”
“I always knew I wanted to be my own boss and run my own business,” Hornung said. The woman turned out to be his first customer, and he was tasked with making sure the computers were running, replacing parts, purchasing new computers, and installing them.
In 2007 he became a managed service provider (MSP), “where we just stopped troubleshooting and all kinds of residential work, really focused on business, running our IT with the goal of improving efficiency, showing them how they can use technology to increase profits, to make it a competitive advantage,” Hornung said. That led to new opportunities with bigger companies and “more industry-focused compliance control,” he said.
Today, Hornung is CEO of Xact IT Solutions and has 15 years of security auditing and other IT work to his credit. His current role is to oversee his clients’ audit processes, such as SOC 2, industry audits, and Cybersecurity Maturity Model Certification (CMMC).
In the pharmaceutical industry, Hornung said, there is an incentive to comply with regulations – beyond the FDA’s – to avoid “facing the public relations nightmare of a breach of their business.”
As a result, they’ve been good at self-regulation, but “you don’t see that as much in other industries that don’t have someone telling them what to do in cybersecurity,” he said. So Hornung started performing audits for large companies like Pfizer, Merck and Bristol Myers Squibb. Companies that were commissioning audits, he said, may not have reviewed or verified the data that was sent back to them. “It was really a box-checking exercise from 2007 to around 2012, 2013, when ransomware really started to come in and be a problem for businesses,” Hornung said.
But soon, companies were forced to come up with a comprehensive cybersecurity plan and put a framework in place. “And how do you audit that? How do you assess that?”
“We embraced this cybersecurity framework in our business early on, and we’re constantly auditing our own business against it,” Hornung said. “And then we roll that out to our customers’ businesses as well.”
Hornung said they started out as a “typical IT company that has evolved into an MSP, with opportunities to do more security-oriented things.” The company grew into a leading security-focused MSP in 2012 and is now in the process of becoming a cybersecurity company. “I don’t know how much longer our company is going to do this more traditional IT support work,” he said.
Some companies are reluctant to hire a company like Hornung’s if they already have a relationship with an IT vendor. But Hornung said his company is able to work alongside the existing IT vendor as part of a larger effort. In other words, it can be a collaboration rather than a replacement.
“From a technical standpoint, it’s the job of a security assessor or auditor to find the needle in the haystack and then determine if the needle is something that is actionable or not. Depending on what you are monitoring and what you are trying to determine has a problem, if it’s a computer or a running machine, some piece of hardware, that thing is going to generate hundreds and hundreds of logs every minute, or even thousands, depending on the size of the company,” Hornung said.
It’s a lot to cover. At first, only Fortune 500 companies could afford it. Automation now makes it easier, so even small businesses can afford it.
When a problem is located, the auditor is responsible for following the paper trail, identifying the problem and seeing what action has been taken. “In our business, communication between us and the client in a situation where a company has an internal IT system means that we (the auditor) want to see communication between internal IT people and whoever is in charge of security,” he explained. “The auditor should see that action has been taken and then should be able to see what action has been taken.”
“We look at the policies and procedures, and we say, ‘Okay, is the action that these people took around this event consistent with what the company has put in their process and procedure?’ And if so, then they meet the qualifications for audit control. If not, an auditor will write a gap report for it.”
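The control check Hornung describes, event found in the logs, response traced to whoever handled it, response compared against the written procedure, gap report for anything that does not match, is mechanical enough to script. The block below is an added example, not tooling from Xact IT Solutions; its policy table, record formats and sample event and response records are all constructed for illustration. It also covers the failure modes an auditor has to distinguish: no response at all, a partial response, a complete but late response, and an event type the procedure never addressed.

```python
"""Audit-control check: does the action taken on each logged event match policy?

Added example, not code from Xact IT Solutions. The policy table, the record
formats and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed policy table: for each event type, the actions the written
# procedure requires and the maximum hours allowed to complete them.
POLICY: Dict[str, dict] = {
    "malware_detected":    {"required": {"isolate_host", "ticket_opened"}, "max_hours": 4},
    "failed_logins_burst": {"required": {"account_locked", "ticket_opened"}, "max_hours": 24},
}


@dataclass
class Event:
    event_id: str
    event_type: str
    detected_at: datetime


@dataclass
class Action:
    event_id: str
    action: str
    taken_at: datetime


@dataclass
class Finding:
    event_id: str
    status: str   # compliant | late | incomplete | no_action | no_policy
    detail: str


def parse_event(line: str) -> Event:
    # Constructed record format: "<ISO timestamp> <event id> <event type>"
    ts, event_id, event_type = line.split()
    return Event(event_id, event_type, datetime.fromisoformat(ts))


def parse_action(line: str) -> Action:
    # Constructed record format: "<ISO timestamp> <event id> <action taken>"
    ts, event_id, action = line.split()
    return Action(event_id, action, datetime.fromisoformat(ts))


def evaluate(event: Event, actions: List[Action], policy: Dict[str, dict]) -> Finding:
    """Compare what was done about one event with what the procedure requires."""
    rule = policy.get(event.event_type)
    if rule is None:
        # The procedure itself has a hole: nothing says what to do for this event type.
        return Finding(event.event_id, "no_policy",
                       f"no procedure defined for event type {event.event_type}")
    taken = [a for a in actions if a.event_id == event.event_id]
    if not taken:
        return Finding(event.event_id, "no_action", "no response recorded")
    done: Set[str] = {a.action for a in taken}
    missing = rule["required"] - done
    if missing:
        return Finding(event.event_id, "incomplete",
                       "missing required actions: " + ", ".join(sorted(missing)))
    # Every required action is present; the deadline applies to the last of them.
    completed_at = max(a.taken_at for a in taken if a.action in rule["required"])
    hours = (completed_at - event.detected_at).total_seconds() / 3600
    if hours > rule["max_hours"]:
        return Finding(event.event_id, "late",
                       f"completed after {hours:.1f}h, limit {rule['max_hours']}h")
    return Finding(event.event_id, "compliant", f"completed in {hours:.1f}h")


def gap_report(events: List[Event], actions: List[Action], policy: Dict[str, dict]) -> List[Finding]:
    """Only the non-compliant findings: this is what the auditor writes up."""
    findings = [evaluate(e, actions, policy) for e in events]
    return [f for f in findings if f.status != "compliant"]


# Constructed sample records (not real client data).
SAMPLE_EVENTS = """\
2021-06-01T10:00:00 EVT-1 malware_detected
2021-06-01T22:00:00 EVT-2 failed_logins_burst
2021-06-02T09:00:00 EVT-3 malware_detected
2021-06-02T14:00:00 EVT-4 failed_logins_burst
2021-06-02T15:00:00 EVT-5 usb_device_attached
"""
SAMPLE_ACTIONS = """\
2021-06-01T10:45:00 EVT-1 isolate_host
2021-06-01T11:10:00 EVT-1 ticket_opened
2021-06-01T22:30:00 EVT-2 ticket_opened
2021-06-03T01:00:00 EVT-2 account_locked
2021-06-02T09:20:00 EVT-3 ticket_opened
2021-06-02T15:05:00 EVT-5 ticket_opened
"""


def run_sample() -> Dict[str, str]:
    """Status per event for the constructed sample."""
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines()]
    actions = [parse_action(l) for l in SAMPLE_ACTIONS.splitlines()]
    return {f.event_id: f.status for f in (evaluate(e, actions, POLICY) for e in events)}


def sample_gap_ids() -> List[str]:
    """Event ids that would appear in the gap report for the constructed sample."""
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines()]
    actions = [parse_action(l) for l in SAMPLE_ACTIONS.splitlines()]
    return [f.event_id for f in gap_report(events, actions, POLICY)]


if __name__ == "__main__":
    for event_id, status in run_sample().items():
        print(event_id, status)
```

The distinction between `no_action`, `incomplete` and `late` matters for the roadmap conversation that follows: the first points at a monitoring or staffing gap, the second at a procedure people only half follow, the third at a deadline the team cannot meet with its current tooling. A `no_policy` finding is a gap in the written procedure rather than in anyone's response, and is written up against the policy, not the technicians.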
As a manager, Hornung could work with the client to “give them that roadmap so they can spend the right budget over the right time frame to deal with what we have discovered,” he said. “I would say almost 40% of the time is spent chatting with clients and working with them on these roadmaps and making sure they are setting aside the right funds to stay in tune with their cybersecurity framework.” The rest of his time is spent working with the audit technicians on how best to present the information to the customer.
Hornung cannot audit CMMC – “no one is certified to do it now” – but can help with the assessments around it.
The most rewarding part of the job is when clients take the findings seriously. And the most frustrating is when they do the opposite and “they choose to do nothing.”
“You can’t make people see things,” Hornung said. “They have to see it for themselves.”
“The guys in the trenches are the unsung heroes,” Hornung said. “These are the ones who find the vulnerabilities and bring them to the attention of management. If they can’t do it, and they don’t use the tools properly and learn to find different vulnerabilities, then it’s kind of all for nothing, because you give the customer a false sense of security.”