Vulnerability scanning – in house or third party?

June 10, 2019 | Erin Edwards

vulnerability scanning - is it better to do in house or by consultant

You can’t fix the flaws you don’t know about – and the clearer your sense of your organization’s overall security posture, the better equipped you are to improve it. Vulnerability assessments are a core requirement for IT security, and conducting them on a regular basis can help you stay one step ahead of the bad guys.

Ultimately, a vulnerability assessment helps you shift from a reactive cybersecurity approach to a proactive one, with an increased awareness of the cyber risks your organization faces and an ability to prioritize the flaws that need the most attention. With a diagnosis of your digital health, vulnerability scanning can provide a digital footprint and a precise picture of the threat landscape by applying a grade to each vulnerability to help your IT team prioritize and create risk treatment plans by focusing on the biggest opportunities first.

Any company can be exposed to the exploitation of their vulnerabilities; no one can claim to be 100% protected. But, without insight into those vulnerabilities and their effect on your organization’s business operations, remediation plans can’t be put into motion. While conducting your own vulnerability scanning in-house may be attractive for companies, it’s hard to beat the expertise of a third party security provider.

For some organizations, it may be more effective to keep all testing in house due to the understanding of the detailed environment and systems being accessed. On the other hand, for most small- and medium-sized businesses, it is difficult to maintain the level of expertise in-house that a third party provider can offer.

Requirements to properly assess vulnerability scanning results will depend on the company and its mission, and the requisite technical skills and work experience may be hard to come by. An in-house security assessment team may lack specialization, and it’s almost impossible to find well-rounded professionals who know networks, applications, mobility and cloud inside and out and are able to provide recommendations in all areas. Additionally, some compliance regulations require testing to be performed by accredited security professionals and certifying an internal team will come at an additional cost. Regardless of company size or size and expertise of the security team, there are inherent benefits to getting a fresh perspective on your systems and vulnerabilities. A purely internal team that is used to the “status quo” might miss something important.

Getting the maximum benefit from your vulnerability assessment involves adding context: tying the results to business impact through a comprehensive analysis of your company’s goals and vision and then applying that understanding to the outcome. The visibility into your security posture that vulnerability scanning services can provide isinvaluable. Whether there is a change to your organization’s environment, the need to prove security compliance, an initiative to transition to the cloud, or the need to handle proprietary customer information, ongoing scans can paint a picture of your security maturity and provide actionable insights for allocating resources and valuable time.

AT&T Cybersecurity offers vulnerability scanning services to meet a variety of needs. Here’s a short video where you can learn more.

Erin Edwards

About the Author: Erin Edwards

Erin Edwards is currently in AT&T Cybersecurity on the Cybersecurity Consulting team. In her role, Erin works as a delivery consultant and has been immersed into various aspects of cybersecurity consulting including marketing, creation of new services, sales training collateral, and identification of compliance requirements and mapping solutions to specific compliance requirements. Her primary areas of responsibility include client delivery engagements and consulting engagement process flow. She is viewed as a focused and determined individual offering the passion for knowledge to drive bottom line growth and business while identifying problems, anticipating risk, and communicating. Erin earned her Bachelor of Science in Information Technology with a concentration in Cybersecurity from The University of North Florida. Erin started at AT&T June 2017 in the Cybersecurity Development Program (CDP) and will graduate the program in June 2020.

Read more posts from Erin Edwards ›


Get the latest security news in your inbox.

Subscribe via email


Get price Free trial