Working with clients on finding vulnerabilities within their cybersecurity frameworks is the key part of a security manager’s job. Here’s how one security auditing manager gets it done.
When he was in college at Rider University in New Jersey, Bryan Hornung wanted to become an accountant. But after a four-month internship, he changed direction. “I decided that this is not the thing I see myself doing for the next 40 years,” he said. He applied his interest in figures toward a degree in IT.
At his first job, doing web development for a defense contractor for the U.S. Navy, Hornung worked on internal applications, addressing things like ship alterations. He helped the company move from spreadsheets to web applications.
But he had been living with a regret. During college, when he worked in a restaurant and a customer asked if he was interested in running IT, Hornung felt he wasn’t prepared. “But I just didn’t have the confidence,” he said. “I told myself a lot of head trash and turned the offer down.” Hornung vowed to himself never to say no to an opportunity like that again. About six years later, in 2002, a man came into his office at the Navy Yard in Philadelphia and said that his wife’s company was having problems with its IT support. “Immediately, my brain went, ‘This is it. This is an opportunity for you that you can’t turn down,’” Hornung said.
“I always knew I wanted to be my own boss and run my own company,” Hornung said. The woman turned out to be his first client, and he was tasked with things like making sure computers ran, swapping out parts, buying new computers and installing them.
In 2007, he transitioned to becoming a managed service provider, “where we just stopped the break-fix work and any kind of residential work, really focused on businesses, managing our IT with the goal of driving efficiency, showing them how they can use technology to increase profit, to make it a competitive advantage,” Hornung said. That work led to new opportunities with bigger companies and to “more industry-driven compliance checking,” he said.
Now, Hornung is CEO at Xact IT Solutions, with 15 years of security auditing and other IT services under his belt. He oversees the audit processes for his clients, covering things like SOC 2, industry-specific audits and Cybersecurity Maturity Model Certification (CMMC).
In the pharmaceutical industry, Hornung said, there’s an incentive to deal with regulations—beyond the FDA—to avoid “dealing with the PR nightmare of a breach on their company.”
As a result, they’ve been good at self-regulating, but “you don’t see it as much in other sectors that don’t have somebody telling them what they need to do around cybersecurity,” he said. Hornung started out doing audits for big pharmaceutical companies like Pfizer, Merck and Bristol Myers Squibb. Those companies, he said, may not have been reviewing or verifying the audit data that was sent back to them. “It was very much a box-checking exercise from 2007 until about 2012, 2013, when ransomware really started to come on the scene and become a problem for companies,” Hornung said.
But soon, companies were forced to come up with a comprehensive cybersecurity plan and have a framework in place. “And, how do you audit that? How do you benchmark that?” he asked.
“We very early on adopted this cybersecurity framework in our business, and we constantly audit our own business against that,” Hornung said. “And then we deploy that in our clients’ businesses, as well.”
Hornung said they started out as a “typical IT company that evolved into an MSP, with opportunities to do more security-focused type things.” The company transitioned in 2012 to a leading MSP in security, and now is becoming a cybersecurity company. “I don’t know how much longer our business is actually going to be doing that more traditional help desk, IT-type work,” he said.
Some companies are hesitant to engage a company like Hornung’s, if they have a previous relationship with an IT provider. But Hornung said that the company is able to work with the current IT as part of a broader effort. In other words, it can be a collaboration, rather than a replacement.
“From a technical perspective, it’s a security assessor’s or auditor’s job to find the needle in the haystack and then determine if the needle is something that is actionable or not. Depending on what you’re monitoring, and what you’re trying to determine has a problem, if it’s a running computer, or machine, a piece of hardware, that thing is going to be generating hundreds and hundreds of logs every minute, if not thousands, depending on the size of the company,” Hornung said.
It’s a lot to wade through. In the beginning, only Fortune 500 companies could afford that kind of monitoring. Now, automation is making the job easier, so even small businesses can afford it.
When a problem is located, the auditor is responsible for the paper trail, for identifying the problem and seeing what action was taken. “In our business, the communication between us and the client in a situation where a company has an internal IT means we (the auditor) want to see the communication between the internal IT people and whoever the security officer or manager is,” he explained. “The auditor needs to see that there was action taken and then needs to be able to see what action was taken.”
“We’re looking at the policies and procedures, and we’re saying, ‘OK, does the action that these people took around this event match what the company put into their process and procedure?’ And if it does, then they meet the qualifications of the audit control. If it doesn’t, then an auditor will write a report around the deficiency for that.”
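The two audit steps Hornung describes, reducing a noisy log to the handful of actionable events and then checking that the client’s recorded response to each one matches the written procedure, can be automated. The script below is an added example and is not code from the article or from Xact IT Solutions. The log format, the response procedure (required action and deadline per finding type), the ticket trail and the finding types are all constructed for illustration, as are the detection thresholds.

```python
from datetime import datetime, timedelta

# Constructed sample host log, one key=value event per line (hypothetical format).
RAW_LOGS = """\
2024-03-04T02:10:01Z host=fs01 event=auth_fail user=jsmith src=203.0.113.7
2024-03-04T02:10:03Z host=fs01 event=auth_fail user=jsmith src=203.0.113.7
2024-03-04T02:10:04Z host=fs01 event=auth_fail user=jsmith src=203.0.113.7
2024-03-04T02:10:06Z host=fs01 event=auth_fail user=jsmith src=203.0.113.7
2024-03-04T02:10:08Z host=fs01 event=auth_fail user=jsmith src=203.0.113.7
2024-03-04T02:10:09Z host=fs01 event=auth_ok user=jsmith src=203.0.113.7
2024-03-04T08:15:00Z host=ws17 event=auth_fail user=mlee src=10.0.0.5
2024-03-04T08:15:30Z host=ws17 event=auth_ok user=mlee src=10.0.0.5
2024-03-04T09:00:00Z host=ws22 event=av_detect user=agarcia src=10.0.0.9 file=invoice.exe
"""

# Constructed written procedure: the action the policy requires and the deadline for it.
PROCEDURE = {
    "brute_force_success": {"action": "disable_account", "hours": 4},
    "malware_detected": {"action": "isolate_host", "hours": 1},
}

# Constructed ticket trail, the paper trail the client's IT team hands the auditor.
TICKETS = [
    {"finding": "brute_force_success", "host": "fs01",
     "action": "disable_account", "closed": "2024-03-04T03:05:00Z"},
    {"finding": "malware_detected", "host": "ws22",
     "action": "run_scan", "closed": "2024-03-04T09:30:00Z"},
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_logs(text):
    """Turn the key=value lines into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = _ts(ts)
        events.append(ev)
    return events


def find_actionable(events, fails=5, window=timedelta(minutes=5)):
    """Find the needle: N or more failures from one user/source followed by a
    success inside the window, plus every antivirus detection."""
    findings = []
    recent = {}  # (user, src) -> timestamps of failures not yet resolved
    for ev in events:
        key = (ev.get("user"), ev.get("src"))
        if ev["event"] == "auth_fail":
            recent.setdefault(key, []).append(ev["ts"])
        elif ev["event"] == "auth_ok":
            hits = [t for t in recent.get(key, []) if ev["ts"] - t <= window]
            if len(hits) >= fails:
                findings.append({"type": "brute_force_success", "host": ev["host"], "ts": ev["ts"]})
            recent.pop(key, None)
        elif ev["event"] == "av_detect":
            findings.append({"type": "malware_detected", "host": ev["host"], "ts": ev["ts"]})
    return findings


def audit(findings, tickets, procedure):
    """For each finding, check that an action was recorded, that it is the action
    the procedure requires, and that it was completed within the deadline."""
    results = []
    for f in findings:
        rule = procedure[f["type"]]
        match = next((t for t in tickets
                      if t["finding"] == f["type"] and t["host"] == f["host"]), None)
        if match is None:
            results.append((f["type"], f["host"], "deficiency: no record of action"))
            continue
        elapsed = _ts(match["closed"]) - f["ts"]
        if match["action"] != rule["action"]:
            results.append((f["type"], f["host"],
                            f"deficiency: took {match['action']}, procedure requires {rule['action']}"))
        elif elapsed > timedelta(hours=rule["hours"]):
            results.append((f["type"], f["host"],
                            f"deficiency: closed after {elapsed}, limit {rule['hours']}h"))
        else:
            results.append((f["type"], f["host"], "meets control"))
    return results


def run_audit():
    return audit(find_actionable(parse_logs(RAW_LOGS)), TICKETS, PROCEDURE)


if __name__ == "__main__":
    for finding_type, host, verdict in run_audit():
        print(finding_type, host, verdict)
```

On the constructed data the single low-and-slow login on ws17 is dropped as noise, the fs01 account lockout is written up as meeting the control, and the ws22 malware event becomes a deficiency because the recorded action (a scan) is not the one the procedure calls for (isolation), which is exactly the mismatch the report would describe.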
As the manager, Hornung could work with the client to “give them that roadmap so they can dedicate the right budget over the right time frame to deal with what we discovered,” he said. “I would say close to 40% of the time is spent talking with clients and working with them on these roadmaps and making sure that they’re setting aside the right funds to stay in alignment with their cybersecurity framework.” His other time is spent working with technicians running the audits and working on how to best present the information to the client.
Hornung can’t audit CMMC—”nobody is certified to do that now”—but can help with assessments around it.
The most rewarding part of his work is when clients take the assessments seriously. And the most frustrating is when they do the opposite and “they choose not to do anything.”
“You can’t make people see things,” Hornung said. “They’ve got to see it for themselves.”
“The guys in the trenches are the unsung heroes,” Hornung said. “Those are the ones who are finding the vulnerabilities and bringing them to attention to management. If they can’t do that and they don’t use the tools correctly and they don’t learn how to find different vulnerabilities, then it’s kind of all for naught—because you’re giving the client a false sense of security.”