“What can it hurt for us to perform our own security self-assessment?”  is a question that many organizations ask themselves.  After all, they have competent IT staff, and the staff must know something about information security to keep things running.  So, why doesn’t it make sense to do your own self-assessment?

Familiarity

The first reason to seek an outsider to do a security assessment is that they lack familiarity with your organization.  Just as you gloss over misspellings and mistakes in your own writing, you can gloss over assessment topics because you believe that you're familiar with them.  Sometimes an outside assessment reveals that the folks in a department are doing things differently than you expect.  An unbiased third party can help determine what is actually being done in your environment.

At Gemini, we were brought in to assess the ability of a Fortune 100 enterprise’s IT department to meet its own security policies. Many in the organization, especially senior management, were surprised when we found that there were significant gaps between what the IT department was requiring from others and what they could perform themselves. The gaps were not intentional or due to neglect; they arose simply because topics were overlooked out of a belief that others were responsible for them.

Knowledge and Experience

The second reason to seek an outsider to do a security assessment is to leverage their information security knowledge.  Your IT folks are competent in what they do, which is maintaining and supporting your systems and infrastructure and helping your organization keep running.  Information security is a vast and wide field, and even those of us in the industry cannot claim to know everything about all of it.  Expecting an IT staff member to do his job as well as that of a Chief Information Security Officer (CISO) is expecting too much of anyone.  Keeping up-to-date on current threats and attacks is more than a full-time job.  A professional security assessor is familiar with these threats and attacks and can provide insight into whether your environment is vulnerable to them or protected from them.

The Illusion of Confidence

The final issue with self-assessment is the Dunning-Kruger effect: competent people underestimate their abilities, and incompetent people overestimate their abilities.  Even if you are confident that you have competent employees, there is a bias in their judgement of themselves.

Over-cautious people will spend more money than necessary on security because they underestimate what they’ve put in place. On the flip side, those more sure of themselves will believe they’ve done everything necessary without establishing the essential security posture needed to protect company assets. The truth is usually somewhere in between. Spending more does not necessarily make you more secure.  A third party can help you find the middle ground, prioritizing your spending and effort enough to ease your fears and reduce your risks, but no more than is necessary for your business.

Worth the Investment

The largest reason that outside security assessment isn’t done is the cost – or the fear of the cost – being too much to bear.  The truth is, an outside security assessment doesn’t have to cost you an arm and a leg. We do security assessments for a low fixed price for 5-person startup organizations, Fortune 50 companies, and everything in between. Consider contacting us for a free consultation, and determine if an investment in your security is worth your peace of mind.
