Cybersecurity assessments: automated vs human

Updated: Jul 20

There are so many tools and offers around cybersecurity that it can be difficult to figure out which one is best for your situation. At Kosh, we see customers with different needs that typically fall into two categories:

  1. The need for constant cybersecurity evaluations coming from machines

  2. The need for a one-time or annual cybersecurity assessment with an expert

Both automated and human cybersecurity assessments are valuable in different situations. Automated assessments work best for companies that need constant monitoring and real-time reports. Human-based assessments are better for getting high-level business questions answered for risk analysis, cyber insurance, and budgeting.


In this article, I'll take a look at both types of assessments and break down the pros and cons of each. In general, automated cybersecurity evaluations are useful for periodic testing and most useful to IT professionals. Alternatively, human evaluations with a cybersecurity professional work best for understanding the big-picture technology environment of the company. This is great for CEOs and decision makers because they get a report in a language they can understand and take action on.



Automated Cybersecurity Assessments

An automated assessment is one where software is loaded on your network and "bots" go out and run some diagnostics. Some of the things these programs are looking at include:

  • Detect System Protocol Leakage

  • Detect Unrestricted Protocols

  • Detect User Controls

  • Detect Wireless Access

  • External Security Vulnerabilities

  • Network Share Permissions

  • Domain Security Policy

  • Local Security Policy

If those bullet points don't mean much to you, then you are not alone! That is one of the issues with automated reports: they are great for IT pros but not for the layman.


Three Pros of Automated Assessments

Systematic and consistent

I think the biggest advantage of automated reports is the systematic, repeatable nature of the evaluation. It verifies or investigates and returns a yes or no. It can lack nuance, but it is consistent.


Quick evaluation of large numbers of endpoints

These reports are nice because they can take in a lot of endpoints (computers, printers, laptops, mobile devices) and return valuable data.


Frequency - speed

This type of report can be run as often as desired. Typically, it takes just the click of a button, and the report is prepared within minutes or hours.


Three Cons of Automated Assessments

Difficult to understand

For most non-tech people, these reports are difficult to understand and are even more difficult to distill down to actions for the business.


Example of automated report

Lacks business intelligence

These reports do not take into account the specific situations of each business.


Doesn't typically address the biggest security risk - humans

Automated reports usually don't address the biggest entry point into your network: humans. According to Cybint, a global cyber education company, 95% of cybersecurity breaches are due to human error.

Cyber-criminals and hackers will infiltrate your company through your weakest link, which is almost never in the IT department.


Human Cybersecurity Assessments

This type of assessment is conducted by a cybersecurity professional. Typically, the IT pro talks with the company's decision makers and works to understand their current technology environment in relation to their business vertical.


Three Pros of Human Assessments

Custom and nuanced evaluation

Most automated reports don't evaluate the compliance needs of the company's business vertical. This is a critical component for any business to get right. Regulated industries require specialized security setups, which can be addressed by the cybersecurity expert.


Peace of mind conversation

A lot of the value of a human running the assessment is that the company's executives and decision makers can ask questions and get clarity. A business might have a question about cyber insurance or best practices, and the cybersecurity professional will be able to address their individual situation.


Addresses the human component

This is the biggest risk when it comes to cybersecurity and a security expert should probe into the practices of your company to better understand the security posture of all your staff.


Three Cons of Human Assessments

Consistency

It can be difficult to get a consistent year-over-year security evaluation. This is partly because the needs of your business change over time, or the threat environment changes, but also because the assessment is conducted by a human and will have some level of variability.


Repeatability

This type of evaluation is not good for daily, weekly, or even monthly assessments. Human assessments are best carried out annually.


Takes time

A thorough evaluation will take time on the part of the security expert AND the stakeholders of the company. There will need to be at least one or two meetings between the IT pro and your company. In order for the IT pro to put together a well-thought-out report, they will need a few days to digest your technology and business environment.


Automated vs human assessments

As you may have guessed, the best practice is to use both kinds for their different strengths. The automated assessment is great for staying up to date and is most useful for your IT team. The human assessment is great for getting a big-picture look annually and delivering an easy-to-understand report to company leaders.

 

Kosh offers a human cybersecurity assessment. It's 4 steps:

  1. Sign up for the assessment here.

  2. Meet remotely with our expert to go over our cybersecurity checklist.

  3. Our expert prepares a unique set of recommendations for your company.

  4. Meet remotely with our expert to review your recommendations and develop an action plan.

If you'd like to see our full Cybersecurity Checklist, fill out your name and email so we can email it to you!


 
Disclaimer

The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.