
The 3-Step Configuration Review

How to maximize security and efficiency with expert reviews

Security products often remain in place for years, even decades, after installation. Initially, great care is taken to configure them to address current threats and regulatory requirements. In these early stages, post-installation reports are scrutinized, tests conducted and issues like false positives investigated. And meetings with vendors to address support tickets are common.

However, as the product stabilizes over time, attention shifts to other priorities. While proactive security vendors periodically inform customers about new features or recommended changes, many organizations only revisit their configurations when prompted by a noticeable drop in performance, or worse—a security incident. 

Why are configuration reviews so essential? 

Security landscapes evolve rapidly, and solutions that aren’t updated to address new threats or infrastructure changes risk falling behind. Misconfigurations, overlooked features and outdated policies can create vulnerabilities that weaken an organization’s security posture. A configuration review identifies and resolves these issues to keep your solution operating efficiently.

Having conducted hundreds of configuration reviews for large enterprises over the years, I felt compelled to share insights on the process of reviewing security controls. Packed with real-world examples from my time spent in email security cloud, this blog is designed to help you understand what to expect when requesting a review from your vendor.

When should you review configurations?

You certainly shouldn’t wait for a security incident. A thorough, expert-led configuration review should occur at least once per year. But reviewing isn’t the only way to maintain efficacy and optimization of your solution—teams should also adhere to best practices for their security solution and conduct relevant housekeeping tasks far more frequently. Vendors should meet with customers every six months to discuss product roadmaps and recent updates, ensuring upgrades can be planned well in advance.

3 steps to conduct a configuration review

A secure configuration review is a process your security vendor can lead, but it helps to know what to expect. You’ll examine and assess your organization’s IT systems, applications and security solutions to identify vulnerabilities, misconfigurations and other security risks that could be lurking. Here’s that process broken down into three steps.

Step 1: Initial meeting

Meet with your security vendor to walk through your solution’s current configurations. This allows for real-time discussion of settings that might deviate from best practices and provides context for decisions that may seem suboptimal on paper but serve specific business needs.

Step 2: Review the findings

After the meeting, your vendor will provide a report outlining their findings. These typically fall into the following categories:

Misconfigurations

These are critical issues that directly impact security or efficacy. Examples include:

  • Core features not enabled
  • Whitelist entries allowing malicious emails
  • Weak access control settings

Suggestions for improvement

These address opportunities to enhance performance or user experience. For instance, adjusting outbound email retry schedules can improve delivery notifications for users.

New features

Often overlooked, new features can significantly improve security and functionality. Highlighting these during reviews ensures they’re not forgotten.

Housekeeping

Regular maintenance tasks center on:

  • Admin accounts: Regularly review access permissions to ensure only appropriate individuals have configuration manager access. Implement enforced federated single sign-on to reduce risks.
  • Whitelist entries: Temporary entries for mitigating false positives should be reviewed and removed once the vendor adjusts detections.
  • Registered domains and routes: As organizations evolve, domain names and email routes must be updated.
  • Data protection policies: Ensure these remain accurate and relevant to enforce privacy and compliance.
  • Custom settings: Track and review custom configurations periodically to ensure they align with global changes.

An actionable report often organizes the findings by two criteria:

  1. Risk prioritization: Assess the likelihood of a threat exploiting a vulnerability and its potential impact. For example, a domain added to a spam-approved list and excluded from DMARC scanning poses a high risk of phishing attacks.
  2. Implementation effort: Evaluate the complexity of changes. Some may require minutes. Others, like enabling a new feature, could necessitate extensive planning, testing and user communication.
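
The housekeeping checks and the two ordering criteria above can be run against exported settings. This is an added example, not code from the original post or from any vendor's tooling: the field names, sample records, age thresholds and every rating other than the DMARC exclusion being high risk are assumptions made for illustration.

```python
from datetime import date

# Constructed sample export; field names are hypothetical, not a vendor schema.
ALLOW_LIST = [
    {"entry": "partner.example", "temporary": False,
     "added": date(2021, 3, 2), "skips_dmarc": True},
    {"entry": "newsletter.example", "temporary": True,
     "added": date(2024, 1, 15), "skips_dmarc": False},
    {"entry": "billing.example", "temporary": True,
     "added": date(2025, 5, 20), "skips_dmarc": False},
]
ADMINS = [
    {"user": "alice", "sso_enforced": True, "last_login": date(2025, 5, 30)},
    {"user": "old-contractor", "sso_enforced": False,
     "last_login": date(2023, 8, 1)},
]
RISK = {"high": 0, "medium": 1, "low": 2}   # sort rank: highest risk first
EFFORT = {"minutes": 0, "planned": 1}       # then quickest fix first

def review(allow_list, admins, today, temp_max_days=30, idle_max_days=90):
    """Return (risk, effort, description) findings ordered for the report."""
    findings = []
    for e in allow_list:
        age = (today - e["added"]).days
        if e["skips_dmarc"]:
            # The post's own example of a high-risk misconfiguration.
            findings.append(("high", "minutes",
                f"{e['entry']}: approved sender excluded from DMARC scanning"))
        elif e["temporary"] and age > temp_max_days:
            findings.append(("medium", "minutes",
                f"{e['entry']}: temporary entry is {age} days old"))
    for a in admins:
        idle = (today - a["last_login"]).days
        if not a["sso_enforced"]:
            # Rated as needing planning: enforcing SSO affects every admin.
            findings.append(("high", "planned",
                f"{a['user']}: admin account without enforced SSO"))
        if idle > idle_max_days:
            findings.append(("medium", "minutes",
                f"{a['user']}: admin account idle for {idle} days"))
    return sorted(findings, key=lambda f: (RISK[f[0]], EFFORT[f[1]]))

if __name__ == "__main__":
    for risk, effort, text in review(ALLOW_LIST, ADMINS, date(2025, 6, 1)):
        print(f"{risk:<6} {effort:<8} {text}")
```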

Step 3: Take action

Address your findings based on risk prioritization. Simple issues may require minimal follow-up, while complex problems might demand additional meetings, ongoing projects or consultancy engagements. The key is taking timely action to determine needs, mitigate risks and improve performance.

Your first step starts today

Neglecting reviews until issues arise is a costly gamble. You can save significant time, effort and expense by partnering with your vendor for annual reviews and staying proactive with periodic. Ultimately, a well-executed configuration review is an investment in resilience—your security tools need to do the job you expect of them, now and in the future.

When was the last time your organization reviewed its security configurations? If it’s been more than six months, schedule a review today—your organization’s resilience depends on it.

About the Author

Warren Sealey

Email Security

Warren Sealey has worked in email security since 2001, building expertise in technical sales, training, support and leadership. His current focus is on helping customers understand the risks around email security and get the most from their solution.
