Many organisations trust that their own systems and applications "will be secure somehow". This trust is especially strong where third parties such as IT service providers or cloud services are involved.

Our experience shows that this trust is often misplaced, because security gaps lurk in outsourced systems as well. They typically arise from poor programming practice, carelessness during development, or simply a lack of awareness.

But how do decision-makers tackle the challenge of planning and carrying out a sensible IT security investigation tailored to the respective organisation? Is a vulnerability scan and/or a penetration test the “right” procedure? What other topics – for example, (Azure) Active Directory configuration – are worth taking a closer look at?
Organisations should ask themselves the following questions together with their IT security service provider:

1) Which systems do you want to put through their paces as part of the IT security audit?

Particularly in the case of large system and application landscapes, it can make sense to segment and focus on particularly risk-relevant systems first.

2) When are the results needed?

Often there are customer or regulatory requirements that dictate a fixed timeline. Find out well in advance when the results are needed in the form of a detailed report.

3) How “healthy” is your IT security?

The main concern here is whether an investigation has been carried out before, and if so, how long ago. As with our own health, we should not wait too long between check-ups.

4) Do third party approvals for the test need to be obtained, and how quickly?

Cloud services, IT service providers and even customers are keen to keep any operational disruption to an absolute minimum during an investigation. Therefore, prior authorisation or at least notice of an investigation is often required.

How safe are you?

If you have any questions or are unsure – our experts will be happy to provide holistic advice on the right course of action. We help you to use the budgets for IT security investigations in the most targeted way possible and to gain the best possible insights in the process.
