
What Assurance Does Your Company Have?
One of the mottos uttered by security professionals around the world is “Trust but verify”. It is an integral part of many IT and cybersecurity programs in the form of validations, assessments, audits, tests, and so on. To optimize assurance, it should be separate and distinct from the actual work that gets done. If a person validates their own work, that creates a number of challenges. They may have misunderstandings or blind spots about how the work is supposed to be done, or about how a simple change may have large repercussions as unintended consequences later. Take electrical work in a building. Typically, it requires inspections to ensure that everything is up to code, no corners were cut, everything is according to plan, and so on. The reality is that some people are extremely ethical. Other people are not as ethical. Having some kind of inspection process better assures that the quality overall is the same throughout all homes and offices.
In most companies, IT is performing very sensitive tasks – much like an electrician. The stakes, in the case of IT, can be quite high. Companies have lost millions due to simple configuration errors by IT staff and the work of threat actors. In many cases, companies have gone out of business. This highlights one of the important differences between the work of an electrician and the work of IT workers: electricians are not under the constant barrage of nation states and organized cybercriminals testing every aspect of their systems. We have strict requirements around electrical work, but often not for IT work. Many standards exist. Each standard has its own nuance for how thorough the requirements are. Often, the key items that lead to a breach are assessed only at a very high level (or not at all) by the compliance monitoring bodies, so breaches still occur. To be clearer, compliance gives only limited assurance – and only about the state of controls that may or may not correspond to a breach. There are many instances of companies being breached despite having the assurance of compliance.
Since this is the case, compliance is simply one aspect of assurance, and an imperfect one. This takes us back to trust but verify. Having a separate set of eyes validating the work – especially for critical controls – should be an imperative for every organization. Inherent in this concept is the concept of separation of duties. The same people who do the work should not also be validating the work – even if an “unbiased” system is doing the validation. The greater the separation, the less the bias, the truer the results – the stronger the assurance.
This philosophy is also echoed by a concept created by the Institute of Internal Auditors – The Three Lines of Defense. From their perspective, they monitor controls to ensure appropriate oversight. They also require a level of independence from the work being assessed. They serve a necessary and important part of the corporate governance process. The challenge they have is with the minutiae of the cybersecurity landscape. It is hard for them to comment on many of the internal controls because, in many cases, it is outside the scope of their experience.
This gap begs the question, “how do you get the appropriate level of assurance?” The question, as many questions in governance do, boils down to risk. If the control has minimal value, it is probably not worth investing heavily in that control. If a failed control can lead to millions of dollars of risk, it is worth investing in extra levels of assurance. This means extra levels of care and oversight are probably worth the time and investment.
A good example of this would be a cloud-native database. Many cloud-native databases can be set up to give the whole internet, literally anyone with an internet connection, direct access. In fact, in some cases, it is a necessary feature. In these cases, given the potential impact, it may be worth additional levels of assurance from a team other than the team implementing the appropriate controls.
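To make the database example concrete, here is an added illustration (not code from the original post) of what an independent assurance check might look like when run by a team other than the one that deployed the databases. It assumes a simplified, constructed inventory format rather than any particular cloud provider's API: each database record carries the CIDR ranges its firewall admits and whether a documented exception for public access is on file. The check flags rules that open the database to the whole internet, distinguishes approved exceptions from unapproved ones, queues very broad ranges for review, and reports malformed rules instead of crashing on them.

```python
"""Independent exposure check for cloud-native databases.

Added example, not from the original post. The inventory format below is a
constructed simplification: real deployments would pull the same facts from
the provider's configuration, ideally with read-only credentials held by the
assurance team rather than the implementing team.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (database name, rule, severity)


@dataclass
class DatabaseInstance:
    name: str
    owner_team: str
    allowed_cidrs: List[str] = field(default_factory=list)  # constructed
    public_access_approved: bool = False  # documented risk acceptance on file


def is_world_open(cidr: str) -> bool:
    """True if the rule admits the entire IPv4 or IPv6 internet (/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def is_overly_broad(cidr: str, max_hosts: int = 65536) -> bool:
    """True if the rule admits more addresses than a /16 (assumed threshold)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses > max_hosts


def assess(instances: List[DatabaseInstance]) -> List[Finding]:
    """Walk every firewall rule and classify it.

    Severity is decided by the assurance team's own rules, independently of
    what the deploying team recorded, so a world-open rule is only downgraded
    to an accepted exception when the approval flag is set in the inventory.
    """
    findings: List[Finding] = []
    for db in instances:
        for cidr in db.allowed_cidrs:
            try:
                world_open = is_world_open(cidr)
                too_broad = is_overly_broad(cidr)
            except ValueError:
                # A rule the platform would reject, or one nobody can reason
                # about, is itself a finding rather than something to skip.
                findings.append((db.name, cidr, "invalid-rule"))
                continue
            if world_open:
                severity = ("accepted-exception" if db.public_access_approved
                            else "critical")
                findings.append((db.name, cidr, severity))
            elif too_broad:
                findings.append((db.name, cidr, "review"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity for a one-line report to governance."""
    counts: dict = {}
    for _, _, severity in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample inventory for demonstration purposes only.
SAMPLE_INVENTORY = [
    DatabaseInstance("orders-db", "platform", ["10.20.0.0/16"]),
    DatabaseInstance("analytics-db", "data", ["0.0.0.0/0"]),
    DatabaseInstance("public-dataset", "research", ["0.0.0.0/0"],
                     public_access_approved=True),
    DatabaseInstance("legacy-db", "platform", ["172.16.0.0/12"]),
]

if __name__ == "__main__":
    for name, rule, severity in assess(SAMPLE_INVENTORY):
        print(f"{severity:20} {name:16} {rule}")
    print(summarize(assess(SAMPLE_INVENTORY)))
```

The point of the design is the separation the post argues for: the deploying team's own statement ("public access approved") only changes how a world-open rule is labelled, never whether it is reported, so the governance summary always shows how many databases are actually reachable from anywhere.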
Determining the right level of controls for your organization is an important part of the governance process and takes a thoughtful approach to considering what assurance is. If you need help determining the level of assurance for your organization, please feel free to reach out to us.
~Matthew Webster