
Tuesday Mar 24, 2026
Why assessments and audits are likely a waste of time and money
Host Felicia King sits down with Rick Hernandez, CEO of N2Con, to unravel a common but dangerous IT story: assessments that miss the point and audits that leave companies exposed. Through candid examples—lost laptops, stale Active Directory entries, and policies that never existed—they set the stage for a real-world investigation into how businesses really manage (or mismanage) their digital assets.
As the conversation deepens, the tension grows: accounting firms deliver check-the-box reports, old tools miss cloud realities, and well-meaning assessments become expensive paperweights. Felicia and Rick walk listeners through the messy discoveries they encounter when onboarding clients, and the moment when a seemingly small gap in inventory can lead to a major security and financial risk.
Instead of one-off reports, the episode offers a roadmap—pick a practical framework, insist on executive buy-in, adopt continuous vulnerability management, and own your asset and compliance data. Short, vivid, and tactical, this episode turns audit horror stories into clear next steps for any organization ready to take responsibility for its security.
Quick recap
Felicia King and Rick Hernandez discussed challenges around assessments and audits in cybersecurity, particularly focusing on the issues that arise when clients approach MSPs after undergoing assessments with accounting firms. They explored how many organizations lack proper asset inventories and off-boarding processes for equipment, leading to security gaps and compliance challenges. The conversation highlighted the problems with one-time security assessments, with both speakers agreeing that a more effective approach involves implementing continuous monitoring tools and establishing proper frameworks like NIST or CMMC before seeking external assessments. They discussed how many organizations waste money on incomplete assessments from firms lacking proper cybersecurity expertise, and emphasized the importance of executive buy-in and proper risk prioritization for successful security implementations.
Asset Inventory Management Challenges
Felicia and Rick discussed challenges with asset inventory and management in businesses. They highlighted the importance of having an accurate inventory for security purposes and noted that assets are often tracked in various systems, including accounting, spreadsheets, and ticketing systems. They also addressed the issue of tracking assets allocated to employees, particularly when they leave the company, emphasizing the need to reclaim company property, especially devices containing sensitive data.
https://www.watchguard.com/wgrd-security-hub/secplicity-blog/security-gap-lets-attackers-walk-right
Equipment Disposal and Data Security
Rick and Felicia discussed the implementation of a new policy regarding equipment disposal and data security. The policy now requires proper wiping and decommissioning of equipment before it can be given to departing employees, who can then purchase it if desired. They emphasized that the previous approach of simply giving equipment to employees without proper data wiping was ineffective and potentially harmful to the company's data security.
Asset Inventory and Off-boarding Processes
Felicia and Rick discussed the importance of maintaining an accurate asset inventory and proper off-boarding processes for systems. They highlighted how common it is to find stale data and unmanaged assets in systems like Active Directory and Bitdefender platforms, often due to a lack of formal off-boarding procedures. Felicia emphasized that an asset management platform can be cost-effective and significantly improve system maintenance efficiency.
IT Asset Inventory Management Discussion
Felicia and Rick discussed the importance of maintaining accurate IT asset inventory and lifecycle tracking, emphasizing that relying solely on IT vendors for documentation is insufficient. They highlighted how understanding equipment lifecycles can help IT managers forecast future replacement costs and plan accordingly. The conversation then shifted to addressing challenges when dealing with clients who approach Managed Service Providers (MSPs) after undergoing formal assessments or audits conducted by accounting firms, with Felicia noting the need to distinguish between assessments and audits in the IT context.
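The inventory gaps described in the three sections above (devices tracked in accounting, HR and ticketing systems that never get reconciled; stale or unmanaged objects in the directory and endpoint platform; devices assigned to departed staff; equipment past its lifecycle) can be surfaced mechanically once the exports are side by side. The following is an added example, not code from the episode, N2Con or any tool the hosts mention: it reconciles constructed sample exports from a fixed-asset ledger, an HR assignment list, a directory and an endpoint-agent console. Every field name, asset tag, hostname and date in it is invented for illustration, and the 90-day staleness and 5-year lifecycle thresholds are assumptions to tune to your own policy.

```python
"""Reconcile asset records from several systems and report the gaps.

Added example with constructed sample data; field names are hypothetical
and stand in for whatever columns your real exports carry.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Fixed "today" so the report is reproducible (constructed value).
TODAY = date(2026, 3, 24)


@dataclass(frozen=True)
class Finding:
    asset: str    # asset tag or hostname the finding refers to
    issue: str    # short machine-readable category
    detail: str   # human-readable explanation


# --- Constructed sample exports (not real data) ---------------------------
# Fixed-asset ledger from accounting: what the company paid for and when.
ACCOUNTING = [
    {"tag": "LT-1001", "hostname": "LT-1001", "purchased": date(2019, 2, 1)},
    {"tag": "LT-1002", "hostname": "LT-1002", "purchased": date(2023, 6, 15)},
    {"tag": "LT-1003", "hostname": "LT-1003", "purchased": date(2022, 9, 1)},
]
# HR assignment list: who holds which device and whether they still work here.
HR_ASSIGNMENTS = [
    {"tag": "LT-1001", "employee": "a.smith", "active": True, "returned": False},
    {"tag": "LT-1002", "employee": "b.jones", "active": False, "returned": False},
    {"tag": "LT-1003", "employee": "c.lee", "active": True, "returned": False},
]
# Directory export: computer objects and their last logon.
DIRECTORY = [
    {"hostname": "LT-1001", "last_logon": date(2026, 3, 20)},
    {"hostname": "LT-1002", "last_logon": date(2025, 8, 1)},
    {"hostname": "LT-1003", "last_logon": date(2026, 3, 22)},
    {"hostname": "DESK-OLD-07", "last_logon": date(2024, 1, 10)},
]
# Endpoint-protection console export: hosts that actually run the agent.
ENDPOINT_AGENTS = [{"hostname": "LT-1001"}, {"hostname": "LT-1003"}]


def reconcile(accounting, hr, directory, agents, today=TODAY,
              stale_days=90, lifecycle_years=5):
    """Cross-check the four exports and return a list of Findings."""
    findings = []
    inv_hosts = {a["hostname"]: a for a in accounting}
    dir_hosts = {d["hostname"]: d for d in directory}
    agent_hosts = {a["hostname"] for a in agents}
    stale_cutoff = today - timedelta(days=stale_days)

    # Off-boarding gap: device still assigned to someone who has left.
    for row in hr:
        if not row["active"] and not row["returned"]:
            findings.append(Finding(row["tag"], "unreturned-device",
                                    f"assigned to departed user {row['employee']}"))

    # Directory hygiene: objects nobody owns, or that have gone quiet.
    for host, d in dir_hosts.items():
        if host not in inv_hosts:
            findings.append(Finding(host, "unmanaged-directory-object",
                                    "in directory but not in asset inventory"))
        if d["last_logon"] < stale_cutoff:
            findings.append(Finding(host, "stale-directory-object",
                                    f"last logon {d['last_logon'].isoformat()}"))

    # Inventory coverage and lifecycle: every paid-for device should be
    # visible to the directory and the endpoint agent, and replaced on time.
    for host, a in inv_hosts.items():
        if host not in dir_hosts:
            findings.append(Finding(host, "missing-from-directory",
                                    "in asset inventory but no directory object"))
        if host not in agent_hosts:
            findings.append(Finding(host, "no-endpoint-agent",
                                    "inventory device without an endpoint agent"))
        replace_by = a["purchased"] + timedelta(days=365 * lifecycle_years)
        if replace_by <= today:
            findings.append(Finding(host, "past-lifecycle",
                                    f"purchased {a['purchased'].isoformat()}, "
                                    f"replacement due {replace_by.isoformat()}"))
    return findings


def summarize(findings):
    """Group findings as {issue: sorted list of assets} for a quick report."""
    out = {}
    for f in findings:
        out.setdefault(f.issue, []).append(f.asset)
    return {k: sorted(v) for k, v in out.items()}


def run_report():
    """Run the reconciliation over the constructed sample exports."""
    return summarize(reconcile(ACCOUNTING, HR_ASSIGNMENTS, DIRECTORY, ENDPOINT_AGENTS))


if __name__ == "__main__":
    for issue, assets in run_report().items():
        print(f"{issue}: {', '.join(assets)}")
```

Each category maps to a point in the conversation: unreturned-device is the laptop that left with the employee, unmanaged-directory-object and stale-directory-object are the stale entries found during onboarding, no-endpoint-agent is the device the security platform never saw, and past-lifecycle feeds the replacement-cost forecast. Replacing the constructed lists with real CSV exports is the only change needed to run it against your own data.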
Traditional Security Assessment Limitations
Rick and Felicia discussed the limitations of traditional security assessments conducted by accounting firms and less experienced providers. They agreed that many existing assessment tools and methods are outdated, particularly in modern cloud environments where traditional network discovery techniques no longer work effectively. Both expressed skepticism about the reliability of assessment data from less experienced firms, with Rick noting he always questions the tools used in such assessments.
Assessment Report Scope Issues
Rick and Felicia discussed issues with assessment reports, particularly when the scope and intent of the assessment are unclear. Rick explained that while this information might be found in the initial statement of work, it's not typically included in the final report, which can lead to questions about the report's legitimacy. Felicia expressed concern about the lack of clear scope information in reports, describing the situation as potentially indicating "amateur hour" work.
Risk Assessment Method Discussion
Felicia and Rick discussed their concerns about assessment approaches, with Felicia expressing that she prefers a focused risk-prioritization method rather than comprehensive audits. They agreed that organizations typically already know their major risks, and leadership interviews can quickly identify key concerns. The conversation ended with them beginning to discuss how to approach clients who come seeking help after an audit, though the specific details were not captured in the transcript.
Security Implementation Challenges Discussion
Felicia and Rick discussed common scenarios where organizations seek help after conducting initial assessments with other firms that lacked proper implementation expertise. Rick explained that when clients approach his team, they often have gaps in their previous assessments and have become overwhelmed. They both emphasized the importance of executive management buy-in for successful implementation of security controls, with Rick noting that his team will walk away if they don't have proper support from the top leadership.
Cybersecurity Framework Implementation Discussion
Rick and Felicia discussed the importance of proper cybersecurity framework implementation and the pitfalls of one-time vulnerability assessments. They agreed that organizations should first establish a policy and framework, then implement continuous monitoring tools rather than paying for external assessments. Felicia emphasized that organizations should own their tools and processes, while Rick acknowledged that most IT personnel and MSPs lack the security expertise to properly implement complex controls without creating additional risks.