In this episode of Breakfast Bytes, host Felicia King delves into the controversial world of IT assessments, often considered a deceptive sales tool rather than a vital business instrument. Drawing from years of experience, Felicia shares her insights into the improper paradigms surrounding assessments, highlighting how they frequently mislead businesses with daunting price tags and negligible results.

Felicia recounts numerous encounters with frustrated business leaders who have spent exorbitant amounts, such as $20,000, on assessments that they didn't understand how to utilize. She unveils the reality that many assessments merely serve as a distraction, leading to further confusion rather than providing clear solutions.

Throughout the episode, Felicia emphasizes the importance of targeted analysis: understanding the most critical problems and prioritizing them rather than attempting to 'boil the ocean' with expensive and comprehensive assessments. She shares her methodology of efficient, experience-driven evaluations and warns against "free assessments," which often turn out to be cleverly disguised marketing traps that create confusion instead of clarity while leaving vulnerabilities in your environment.

Tune in for an eye-opening narrative on why most IT assessments might not be worth your time or money, and discover smarter ways to identify and fix your IT issues with strategic precision.

https://qpcsecurity.com/choosing-the-right-consultant-to-run-assessments-on-your-environment/

 

Quick recap

Felicia King discussed the limitations and pitfalls of IT industry assessments, emphasizing the need for focused evaluations that identify and prioritize the top problems rather than attempting comprehensive solutions. She warned against external IT service providers using assessment tools as sales tactics and highlighted the importance of proper vetting and consultation with internal IT departments before implementing external tools. Felicia recommended exploring the CISO Community Defense Model for risk management and emphasized the critical need to focus on top IT strategy categories while avoiding misleading "free" assessments, advocating for comprehensive evaluations led by experienced security professionals.

Summary Effective IT Assessment Strategies

Felicia King discussed the pitfalls of IT industry assessments, explaining that most are ineffective and serve as sales tools rather than valuable insights. She emphasized that a proper assessment should identify the top 5-6 problems and their prioritization, rather than attempting to solve everything, which can be costly and unnecessary. Felicia recommended a focused approach, suggesting that a 2.5-hour assessment could reveal enough information to address significant issues without the need for an exhaustive analysis. She also advised against expensive assessments, noting that anything over $10,000 is likely unnecessary, and warned against free assessments, which she described as misleading.

External IT Assessment Tool Risks

Felicia warned against allowing external IT service providers to install assessment tools in company environments without proper vetting. She explained that such tools are often used as a sales tactic to create fear, uncertainty, and doubt between the incumbent IT service provider and the company seeking their services. Felicia emphasized that executive management should not make decisions about installing external tools without consulting the internal IT department and conducting a thorough assessment of potential risks and impacts. She shared a personal example of a large campus where a COO was tricked into allowing an external provider to install assessment tools, which led to a security breach and other issues.

Manipulated Endpoint Assessment Incident

Felicia described an incident where a company conducted an assessment using software on sensitive endpoints, but the results were manipulated by intentionally incorporating data from a separate organization to create misleading findings. She explained that the assessment team was incompetent and had engaged in malfeasance to cover up their inability to gather meaningful data from the hardened environment. Felicia emphasized that this was not an isolated incident, but rather a common practice in the industry, highlighting the importance of having qualified personnel conduct assessments and the need for a correct paradigm in assessment strategies.

CIS Defense Model for Business

Felicia recommended exploring the CIS Community Defense Model, an international standard for risk management and mitigation, which she covers in a webinar. She emphasized that executive leaders often view security investments as expenses, but highlighted the potential for returns through innovation and risk reduction. Felicia shared