Behind the scenes: A day in the life of a security auditing manager

Working with clients on discovering vulnerabilities inside their cybersecurity frameworks
is a key part of a security manager's job. Here's how one security auditing manager gets it done.


Bryan Hornung, center, is a security auditing manager and CEO of Xact IT Solutions. He helps clients make their systems secure and in compliance with government regulations.

Image: Xact IT Solutions

When he was in college at Rider University in New Jersey, Bryan Hornung wanted to become an accountant. But after a four-month internship, he changed direction. "I decided that this isn't the thing I see myself doing for the next 40 years," he said. He applied his interest in figures toward a degree in IT.

At his first job, doing web development for a defense contractor for the U.S. Navy, Hornung worked on internal applications, addressing things like ship alterations. He helped the company move from spreadsheets to web applications.

But he had been living with a regret. During college, when he worked in a restaurant and a customer asked if he was interested in running IT, Hornung felt he wasn't ready. "But I just didn't have the confidence," he said. "I told myself a lot of head trash and turned the offer down." Hornung vowed to himself to never say no to an opportunity like that again. About six years later, in 2002, a man came into his office at the Navy Yard in Philadelphia and said that his wife's company was having problems with her IT support. "Immediately, my brain went, 'That's it. This is an opportunity for you that you can't turn down.'"

SEE: How to build a successful career in cybersecurity (free PDF) (TechRepublic)

"I always knew I wanted to be my own boss and run my own company," Hornung said. The woman turned out to be his first client, and he was tasked with things like making sure computers ran, swapping out parts, buying new computers and installing them.

In 2007, he transitioned to becoming a managed service provider, "where we just stopped the break-fix work and any kind of residential work, really focused on businesses, managing their IT with the goal of driving efficiency, showing them how they can use technology to increase profit, to make it a competitive advantage," Hornung said. These led to new opportunities with bigger companies, "more industry-driven compliance checking," he said.

Now, Hornung is CEO at Xact IT Solutions and has 15 years of security auditing and other IT services under his belt. His current position involves overseeing the audit processes for his clients, things like SOC 2, industry audits and Cybersecurity Maturity Model Certification (CMMC).

In the pharmaceutical industry, Hornung said, there's an incentive to deal with regulations—beyond the FDA—to avoid "dealing with the PR nightmare of a breach on their company."

As a result, they have been good at self-regulating, but "you don't see it as much in other sectors that don't have somebody telling them what they need to do around cybersecurity," he said. So, Hornung started out helping large companies like Pfizer, Merck and Bristol Myers Squibb, doing audits. The companies that were doing audits, he said, may not have been reviewing or verifying the data that was sent back to them. "It was very much a box-checking exercise from 2007 until about 2012, 2013, when ransomware really started to come on the scene and become a problem for companies," Hornung said.

But soon, companies were forced to come up with a comprehensive cybersecurity plan and have a framework in place. "And, how do you audit that? How do you benchmark that?"

"We very early on adopted this cybersecurity framework in our business, and we constantly audit our own business against that," Hornung said. "And then we deploy that in our clients' businesses, as well."

Hornung said they started out as a "typical IT company that evolved into an MSP, with opportunities to do more security-focused type things." The company transitioned in 2012 to a leading MSP in security, and now is becoming a cybersecurity company. "I don't know how much longer our business is actually going to be doing that more traditional help desk, IT-type work," he said.

Some companies are hesitant to engage a company like Hornung's if they have a previous relationship with an IT provider. But Hornung said that the company is able to work with the existing IT as part of a broader effort. In other words, it can be a collaboration, rather than a replacement.

"From a technical perspective, it's a security assessor's or auditor's job to find the needle in the haystack and then determine if the needle is something that is actionable or not. Depending on what you're monitoring, and what you're trying to determine has a problem, if it's a running computer, or device, a piece of hardware, that thing is going to be producing hundreds and hundreds of logs every minute, if not thousands, depending on the size of the company," Hornung said.

It is a lot to wade through. At first, only Fortune 500 companies could afford it. Now, automation is making the job easier, so even small businesses can afford it.

When a problem is located, the auditor is responsible for the paper trail, for identifying the problem and seeing what action was taken. "In our business, the communication between us and the client in a situation where a company has an internal IT means we (the auditor) want to see the communication between the internal IT people and whoever the security officer or manager is," he explained. "The auditor needs to see that there was action taken and then needs to be able to see what action was taken."

SEE: Top 3 reasons cybersecurity professionals are changing jobs (TechRepublic)

"We're looking at the policies and procedures, and we're saying, 'OK, does the action that these people took around this event match what the company put into their process and procedure?' And if it does, then they meet the qualifications of the audit control. If it doesn't, then an auditor will write a report around the deficiency for that."

As the manager, Hornung may work with the client to "give them that roadmap so they can dedicate the right funds over the right time frame to deal with what we discovered," he said. "I would say close to 40% of the time is spent talking with clients and working with them on these roadmaps and making sure that they're setting aside the right funds to stay in alignment with their cybersecurity framework." His other time is spent working with technicians running the audits and working on how best to present the information to the client.

Hornung can't audit CMMC—"nobody is certified to do that now"—but can help with assessments around it.

The most rewarding part of his work is when clients take the assessments seriously. And the most frustrating is when they do the opposite and "they choose not to do anything."

"You can't make people see things," Hornung said. "They have to see it for themselves."

"The guys in the trenches are the unsung heroes," Hornung said. "These are the ones who are finding the vulnerabilities and bringing them to the attention of management. If they can't do that and they don't use the tools correctly and they don't learn how to find different vulnerabilities, then it's kind of all for naught—because you're giving the client a false sense of security."
