Behind the scenes: A day in the life of a security auditing manager

2 years ago 629

Working with clients connected uncovering vulnerabilities wrong their cybersecurity frameworks is the cardinal portion of a information manager's job. Here's however 1 information auditing manager gets it done.

bryan-hornung-security-auditor.jpg

Bryan Hornung, center, is simply a information auditing manager and CEO of Xact IT Solutions. He helps clients marque their systems unafraid and successful compliance with authorities regulations. 

Image: Xact IT Solutions

When helium was successful assemblage astatine Rider University successful New Jersey, Bryan Hornung wanted to go an accountant. But aft a four-month internship, helium changed direction. "I decided that this is not the happening I spot myself doing for the adjacent 40 years," helium said. He applied his involvement successful figures toward a grade successful IT.

At his archetypal job, doing web improvement for a defence contractor for the U.S. Navy, Hornung worked connected interior applications, addressing things similar vessel alterations. He helped the institution determination from spreadsheets to web applications. 

But helium had been surviving with a regret. During college, erstwhile helium worked successful a edifice and a lawsuit asked if helium was funny successful moving IT, Hornung felt helium wasn't prepared. "But I conscionable didn't person the confidence," helium said. "I told myself a batch of caput trash and turned the connection down." Hornung vowed to himself to ne'er accidental nary to an accidental similar that again. About six years later, successful 2002, erstwhile a feline came into his bureau astatine the Navy Yard successful Philadelphia and said that his wife's institution was having problems with her IT support, immediately, my encephalon went, "This is it. This is an accidental for you that you can't crook down."

SEE: How to physique a palmy vocation successful cybersecurity (free PDF) (TechRepublic)

"I ever knew I wanted to beryllium my ain brag and tally my ain company," Hornung said. The pistillate turned retired to beryllium his archetypal client, and helium was tasked with things similar making definite computers ran, swapping retired parts, buying caller computers and installing them.

In 2007, helium transitioned to becoming a managed work provider, "where we conscionable stopped the break-fix enactment and immoderate benignant of residential work, truly focused connected businesses, managing our IT with the extremity of driving efficiency, showing them however they tin usage exertion to summation profit, to marque it a competitory advantage," Hornung said. Those led to caller opportunities with bigger companies, "more industry-driven compliance checking," helium said.

Now, Hornung is CEO astatine Xact IT Solutions and has 15 years of information auditing and different IT services nether his belt. His existent presumption involves overseeing the audit processes for his clients, things similar SOC2, manufacture audits and Cybersecurity Maturity Model Certification (CMMC).

In the pharmaceutical industry, Hornung said, there's an inducement to woody with regulations—beyond the FDA—to debar "dealing with the PR nightmare of a breach connected their company."

As a result, they've been bully astatine self-regulating, but "you don't spot it arsenic overmuch successful different sectors that don't person idiosyncratic telling them what they request to bash astir cybersecurity," helium said. So, Hornung started retired helping large companies similar Pfizer, Merck and Bristol Myers Squibb, doing audits. The companies that were doing audits, helium said, whitethorn not person been reviewing oregon verifying the information that was sent backmost to them. "It was precise overmuch a box-checking workout from 2007 until astir 2012, 2013, erstwhile ransomware truly started to travel connected the country and go a occupation for companies," Hornung said.

But soon, companies were forced to travel up with a broad cybersecurity program and person a model successful place. "And, however bash you audit that? How bash you benchmark that?"

"We precise aboriginal connected adopted this cybersecurity model successful our business, and we perpetually audit our ain concern against that," Hornung said. "And past we deploy that successful our clients' businesses, arsenic well."

Hornung said they started retired arsenic a "typical IT institution that evolved into an MSP, with opportunities to bash much security-focused benignant things." The institution transitioned successful 2012 to a starring MSP successful security, and present is becoming a cybersecurity company. "I don't cognize however overmuch longer our concern is really going to beryllium doing that much accepted assistance desk, IT-type work," helium said.

Some companies are hesitant to prosecute a institution similar Hornung's, if they person a erstwhile narration with an IT provider. But Hornung said that the institution is capable to enactment with the existent IT arsenic portion of a broader effort. In different words, it tin beryllium a collaboration, alternatively than a replacement. 

"From a method perspective, it's a information assessor's oregon auditor's occupation to find the needle successful the haystack and past find if the needle is thing that is actionable oregon not. Depending connected what you're monitoring, and what you're trying to find has a problem, if it's a moving computer, oregon machine, a portion of hardware, that happening is going to beryllium generating hundreds and hundreds of logs each minute, if not thousands, depending connected the size of the company," Hornung said. 

It's a batch to wade through. In the beginning, lone Fortune 500 companies could spend it. Now, automation is making the occupation easier, truthful adjacent tiny businesses tin spend it.

When a occupation is located, the auditor is liable for the insubstantial trail, for identifying the occupation and seeing what enactment was taken. "In our business, the connection betwixt america and the lawsuit successful a concern wherever a institution has an interior IT means we (the auditor) privation to spot the connection betwixt the interior IT radical and whoever the information serviceman oregon manager is," helium explained. "The auditor needs to spot that determination was enactment taken and past needs to beryllium capable to spot what enactment was taken." 

SEE: Top 3 reasons cybersecurity pros are changing jobs (TechRepublic)

"We're looking astatine the policies and procedures, and we're saying, 'OK, does the enactment that these radical took astir this lawsuit lucifer what the institution enactment into their process and procedure?' And if it does, past they conscionable the qualifications of the audit control. If it doesn't, past an auditor volition constitute a study astir the deficiency for that."

As the manager, Hornung could enactment with the lawsuit to "give them that roadmap truthful they tin dedicate the close fund implicit the close clip framework to woody with what we discovered," helium said. "I would accidental adjacent to 40% of the clip is spent talking with clients and moving with them connected these roadmaps and making definite that they're mounting speech the close funds to enactment successful alignment with their cybersecurity framework." His different clip is spent moving with technicians moving the audits and moving connected however to champion contiguous the accusation to the client.

Hornung can't audit CMMC—"nobody is certified to bash that now"—but tin assistance with assessments astir it.

The astir rewarding portion of his enactment is erstwhile clients instrumentality the assessments seriously. And the astir frustrating is erstwhile they bash the other and "they take not to bash anything."

"You can't marque radical spot things," Hornung said. "They've got to spot it for themselves."

"The guys successful the trenches are the unsung heroes," Hornung said. "Those are the ones who are uncovering the vulnerabilities and bringing them to attraction to management. If they can't bash that and they don't usage the tools correctly and they don't larn however to find antithetic vulnerabilities, past it's benignant of each for naught—because you're giving the lawsuit a mendacious consciousness of security."

Read much articles successful this series

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article