Working with clients to find vulnerabilities in their cybersecurity frameworks is an essential part of a security audit manager’s job. Here’s how one security audit manager does it.
When he was in college at Rider University in New Jersey, Brian Hornung wanted to become an accountant. But after four months of training, he changed direction. “I decided that’s not something I see myself doing for the next forty years,” he said. He directed his interest in numbers towards obtaining a degree in Information Technology.
In his first job, web development for a US Navy defense contractor, Hornung worked on internal applications handling things like ship modifications, helping the company move from spreadsheets to web applications.
But he was living with regret. During college, when he was working in a restaurant and a customer asked him if he was interested in managing IT, Hornung felt unprepared. “But I didn’t have the confidence,” he said. “I told myself too much trash and declined the offer.” Hornung vowed to himself that he would never say no to an opportunity like that again. About six years later, in 2002, when a man came into his office at the Navy Yard in Philadelphia and said his wife’s company was having problems with its IT support, Hornung said his mind immediately went, “This is it. This is an opportunity for you that you can’t turn down.”
SEE: How to Build a Successful Career in Cyber Security (Free PDF) (TechRepublic)
“I always knew I wanted to be my own boss and run my own company,” Hornung said. The woman turned out to be his first customer, and he was tasked with things like making sure computers were running, swapping parts, and buying and installing new computers.
In 2007 he moved on to become a managed service provider, “where we just discontinued the troubleshooting business and any kind of residential business, and really focused on businesses, managing their IT with the goal of increasing efficiency, showing them how they can use technology to increase profits and make it a competitive advantage,” Hornung said. This led to new opportunities with larger companies and “more industry-driven compliance scrutiny,” he said.
Now Hornung is CEO of Xact IT Solutions and has 15 years of security audits and other IT services under his belt. His current position includes overseeing audits for his clients, things like SOC 2, industry audits and the Cybersecurity Maturity Model Certification (CMMC).
In the pharmaceutical industry, Hornung said, there is an incentive beyond Food and Drug Administration regulation to avoid “dealing with the PR nightmare of a breach for their company.”
As a result, they’ve been good at self-regulating, but “you don’t see that much in other sectors where there isn’t someone telling them what to do about cybersecurity,” he said. So Hornung began helping big companies like Pfizer, Merck and Bristol-Myers Squibb conduct audits. He said the companies performing the audits may not have reviewed or verified the data that was sent to them. “It was a pretty square audit from 2007 until about 2012, 2013, when ransomware really started coming in and becoming a problem for businesses,” Hornung said.
But soon companies had to come up with a comprehensive cybersecurity plan and framework. “How do you write that down? How do you measure that?”
“We adopted this cybersecurity framework very early on in our business, and we are constantly reviewing our actions against that,” Hornung said. “And then we’re spreading that into our clients’ business as well.”
Hornung said they started out as an “IT company that evolved into an MSP, with opportunities to do more things focused on security.” In 2012 the company transitioned to a security-led MSP, and it is now a cybersecurity company. “I don’t know how long it will take for our business to actually do traditional help desk, IT kind of work,” he said.
Some companies are reluctant to do business with a company like Hornung’s if they already have a relationship with an IT provider. But Hornung said his company is able to work alongside the existing IT provider as part of a broader effort. In other words, it can be a collaboration rather than a replacement.
“From a technical perspective, the job of the security audit manager or auditor is to find the needle in the haystack and then determine whether the needle is actionable or not. Depending on what you are monitoring and what you are trying to determine is a problem, whether it is a computer, a device or a piece of hardware, that thing is going to generate hundreds and hundreds of records every minute, if not thousands, depending on the size of the company,” Hornung said.
There is a great deal to go through. Initially, only Fortune 500 companies could afford to do it. Now automation makes the job easier, so even small businesses can afford it.
When a problem is identified, the auditor is responsible for the paper trail: identifying the problem and seeing what action was taken. “In our work, if the client has an internal IT team, we (the auditor) want to see the communication between the internal IT staff and whoever the security officer or manager is,” he explained. “The auditor needs to be sure that an action has been taken and then needs to be able to know what action was taken.”
SEE: Top 3 Reasons for Cyber Security Professionals Changing Their Jobs (TechRepublic)
“We look at policies and procedures, and we say, ‘Well, does the action that these people took around this event match what the company put into its processes and procedures?’ If it does, they meet the qualifications for the audit control. If it does not, the auditor will write a report about the deficiency.”
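The check Hornung describes, matching the recorded actions around each event against the company’s written procedure, can be expressed as a small script. The following is an added example and not code from Hornung or Xact IT Solutions; the policy thresholds (time to first action, required escalation to the security officer, time to closure), the events and the paper trail are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy thresholds for this example (not a real organisation's
# procedures): how quickly each severity must receive a first action,
# whether it must be escalated to the security officer, and how quickly
# it must be closed.
POLICY = {
    "critical": {"ack_within": timedelta(hours=4), "escalate_to": "security_officer",
                 "close_within": timedelta(hours=72)},
    "high": {"ack_within": timedelta(hours=24), "escalate_to": "security_officer",
             "close_within": timedelta(days=7)},
    "low": {"ack_within": timedelta(days=7), "escalate_to": None,
            "close_within": timedelta(days=30)},
}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed security events: the "needles" already pulled from the logs.
EVENTS = [
    {"id": "EV-1", "severity": "critical", "detected": ts("2024-03-01 09:00"),
     "summary": "malware detected on workstation"},
    {"id": "EV-2", "severity": "high", "detected": ts("2024-03-03 08:00"),
     "summary": "repeated failed admin logins"},
    {"id": "EV-3", "severity": "low", "detected": ts("2024-03-04 10:00"),
     "summary": "outdated browser plugin"},
    {"id": "EV-4", "severity": "critical", "detected": ts("2024-03-05 12:00"),
     "summary": "data exfiltration alert"},
]

# Constructed paper trail: tickets and messages between internal IT and the
# security officer. "kind" is what was done; "to" is who was informed.
ACTIONS = [
    {"event": "EV-1", "at": ts("2024-03-01 10:15"), "actor": "it_staff",
     "kind": "escalated", "to": "security_officer", "note": "host isolated"},
    {"event": "EV-1", "at": ts("2024-03-02 15:00"), "actor": "security_officer",
     "kind": "closed", "to": None, "note": "reimaged, no spread found"},
    {"event": "EV-2", "at": ts("2024-03-05 09:00"), "actor": "it_staff",
     "kind": "acknowledged", "to": None, "note": "looking into it"},
    {"event": "EV-2", "at": ts("2024-03-06 11:00"), "actor": "it_staff",
     "kind": "closed", "to": None, "note": "account locked"},
    {"event": "EV-4", "at": ts("2024-03-05 13:00"), "actor": "it_staff",
     "kind": "escalated", "to": "security_officer", "note": "blocked egress"},
]


def audit_event(event, actions, policy=POLICY):
    """Compare the recorded actions for one event against the policy rule
    for its severity and list every deficiency found."""
    rule = policy[event["severity"]]
    trail = sorted((a for a in actions if a["event"] == event["id"]),
                   key=lambda a: a["at"])
    findings = []
    if not trail:
        findings.append("no record of any action taken")
    else:
        delay = trail[0]["at"] - event["detected"]
        if delay > rule["ack_within"]:
            findings.append(f"first action after {delay}, policy allows {rule['ack_within']}")
        if rule["escalate_to"] and not any(
                a["kind"] == "escalated" and a["to"] == rule["escalate_to"] for a in trail):
            findings.append(f"no escalation to {rule['escalate_to']} on record")
        closed = [a for a in trail if a["kind"] == "closed"]
        if not closed:
            findings.append("no closure on record")
        elif closed[-1]["at"] - event["detected"] > rule["close_within"]:
            findings.append(f"closed after {closed[-1]['at'] - event['detected']}, "
                            f"policy allows {rule['close_within']}")
    return {
        "event": event["id"],
        "severity": event["severity"],
        "status": "deficiency" if findings else "meets control",
        # What was done and by whom, so the report shows the actual actions.
        "actions": [(a["actor"], a["kind"], a["note"]) for a in trail],
        "findings": findings,
    }


def audit_report(events=EVENTS, actions=ACTIONS, policy=POLICY):
    return [audit_event(e, actions, policy) for e in events]


if __name__ == "__main__":
    for r in audit_report():
        print(r["event"], r["severity"], r["status"])
        for f in r["findings"]:
            print("   -", f)
```

Run as a script, it reports EV-1 as meeting the control and the other three as deficiencies: EV-2 was picked up too late and never escalated, EV-3 has no paper trail at all, and EV-4 was escalated promptly but never closed. In a real engagement the events would come from the monitoring tools and the actions from the ticketing system and the IT-to-security-officer correspondence the auditor asks to see.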
As the manager, Hornung can work with the client “to give them this roadmap so they can allocate the right budget within the right time frame to deal with what we’ve discovered,” he said. “I would say roughly 40% of the time is spent talking to clients and working with them on these roadmaps and making sure that they allocate the right funds to stay in line with their cybersecurity framework.” He spends the rest of his time working with the technicians who run the audits and working out how best to present the information to the client.
Hornung can’t audit the CMMC itself – “there’s no one certified to do that right now” – but he can help with the assessments around it.
The most rewarding part of his job is when customers take the reviews seriously. The most frustrating is when they do the opposite and “choose to do nothing.”
“You can’t make people see things,” Hornung said. “They have to see that for themselves.”
“The men in the trenches are the unsung heroes,” Hornung said. “These are the people who find vulnerabilities and bring them to management. If they can’t do that and they don’t use the tools properly and they don’t learn how to find different vulnerabilities, it’s kind of all for nothing — because you’re giving the customer a false sense of security.”