Who’s Watching the Watchmen?

The majority of large organizations have a solid security posture, devoting significant resources to ensure that their systems are secure. But why do some of these same organizations experience massive security failures with breaches that compromise their clients’ data, leading to long-term damage to the company’s reputation? It’s because sometimes bad things do happen in spite of your best efforts. One phishing attempt breaks through the spam blockers with disastrous results or a former employee —who you thought you could trust — publishes your sensitive information on the internet. These things can happen, but in my experience, bad things can also happen simply because you’re not paying attention. Senior management depends upon their IT staff to maintain their systems and keep the controls current. But even the most well-intended team can sometimes get overwhelmed and put off the latest patch or scan in order to put out IT fires. The average time it takes for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days (Edgescan Stats Report, 2018). This presents a big risk to your organization that you need to be aware of. Separation of duties is essential in ensuring that one person is not solely responsible for a critical activity. But what can senior managers do with their limited time? Here are some suggestions.

Vulnerability Scanning and Patching

Senior management needs to ensure that scanning is performed based on a current regular schedule and that patches are implemented in a timely manner. Every senior manager should request an aging report of scan findings to ensure that vulnerabilities are being corrected based on their severity and according to policy and procedures. They should also ask to see an actual scan on a monthly basis to ensure that the aging report captures current data.

Malware Protection

Be sure that antivirus software is updated on a regular basis. You can likely determine if you’re using the latest version by looking at your own workstation, but asking your IT team basic questions can provide valuable insight.


Are phishing tests being performed as planned? Often these tests fall off the radar when things get busy, and this could be critical based on the risk and impact of a successful phishing attack. If you don’t have time, consider outsourcing it. This can be one of your most important risk mitigators.

Training Compliance

Are there sometimes a few employees, often senior staff, who say they don’t have time for training? That’s where senior management comes in, helping IT to enforce training for everyone.

Audit Logs

Are audit logs being looked at or just stored? Senior managers won’t have time to dig into log reviews, but requesting regular reports helps to ensure that your team is reviewing logs.

These are just some examples of how senior management can ensure that the company’s security processes are actually being executed effectively. The key is to ask questions. Continuous monitoring is not just for IT folks. Senior management needs to monitor continuously at a high level to ensure that the basics are being done. Sometimes a third party doing monthly checks can help with this. We keep a continuous monitoring calendar for several clients and perform brief monthly compliance reviews to ensure that the core tasks are being done properly. Reach out to BSC Systems if you don’t have the bandwidth to monitor these activities yourself. It may even lower your insurance rates if an independent third party is watching the watchmen. It could also save your business.