Problem solve Get help with specific problems with your technologies, process and projects.

Test a security architecture design without an IT security consultancy

While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it without spending the money.

As a security manager, what are the best strategies or tips to take a step back and try to look at our organization's security posture from an outsider's perspective? I'm not interested in spending money on consultants or pen-testing, but I'd like to try to do a better job of looking at our strategy from a distance or impartially. Any advice?

This can be very tricky. One of the huge benefits of consultants is that they can look at an environment from a different perspective, or at least with a fresh set of eyes.

As consultants are not an option, though, there are a couple of things you can do. One is look at other deployments being publicly discussed and compare and contrast them with your own environment. This allows you to compare your enterprise with those of your peers and identify possible ways of improving things.

Alternately, go through a thought exercise in which you redesign the environment to your dream specifications, as if cost or business concerns didn't interfere. You can then again compare what you'd have in an ideal world with what you have today and see if any of the differences are ones you can implement.

A third option is to hand your architectures to members of your own team or a related team (someone from networking or servers or engineering, for example) and ask how they'd do things differently.

For more information:

This was last published in January 2010

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.