
Death, taxes and data security audits

According to Benjamin Franklin, nothing can be said to be certain, except death and taxes. In the business world, audits could easily be added to this list.

Many view all three in the same light, but while there is little or nothing to be done about death and taxes, business can take the sting out of audits, mainly in terms of preparation and response.

This is particularly true of data security audits, when information security professionals have an important role to play in handling any uncomfortable truths that may emerge.

The key is for information security professionals to view audits as an opportunity to improve security, not as a personal threat or indictment.

"Any security professional worth their salt should embrace the advice and gaps found by good auditors with open arms," says Tim Holman, an international board director at the Information Systems Security Association and CEO at security consultancy 2-sec.

"They certainly should not try and brush it under the carpet in the hope their bosses will not find out, as this cover-up behaviour leads to data breaches and people losing their jobs," he adds.

It is about acceptance and attitude – accepting that auditors will almost always find something that needs attention and having the attitude that this is an opportunity to do a better job of protecting the organisation’s data assets.

Rather than regarding an auditor’s fault-finding in a negative light, Holman says if an external auditor does not find anything that needs fixing, find another one who will offer better value for money by providing the opportunity to improve.

In the real world, however, things such as Payment Card Industry Data Security Standard (PCI DSS) audits have annual deadlines, which can result in battles between qualified security assessors (QSAs) unwilling to sign off systems that are not compliant and information security professionals tasked with meeting the deadline.

Avoiding surprises

Holman, a QSA himself, advises that information security professionals should engage with auditors early so there are no surprises and there is enough time to fix any gaps.

Internal audit often undertakes a crucial assurance role in an organisation, with particular attention to risk management and control, says Isaca international vice-president and Vodafone technology risk, compliance and assurance leader Steven Babb.

"Given the connected world that we live and conduct business in, cyber security typically holds a key spot in an organisation’s risks profile and, consequently, is a key area of focus for internal audit," he says. "It should therefore be seen – and treated – as a business partner, with increased reliance placed upon it to make a significant governance contribution."

But considering the rapid rate of change, Babb says this requires that security risks are assessed regularly and for mitigation to take place. "The truths that are often uncovered can be wide-ranging, from faulty processes, legacy infrastructure and end-of-life systems, the lack of patching and ineffective supplier management programmes, through to weaknesses in the management of customer and employee data," he says.

Articulating risks with execs

The role of information security professionals continues to evolve, with increased demands being placed upon them to act as business leaders. The expectation is that security risks are identified and assessed, and that plans are put in place to appropriately mitigate. But this requires investment, with CIOs and the board often having to balance investment in security maintenance programmes with investment in more direct revenue-generating activities. 

"It is therefore increasingly important for information security professionals to be able to articulate these risks in clear business-focused language," says Babb.

"The reality is that both functions need to work closely together, supporting each other in ensuring that key security-related messages are presented appropriately and at the right level, thus ensuring the necessary levels of support and buy-in are achieved," he adds.

But the relationship between information security professionals and auditors may not always be a comfortable one. "This can, in part, be due to communication issues or styles," says The Security Institute director of cyber research and security Mike Gillespie. "It is not always easy to be effective and meet an audience's needs when rushing to get a point across."

Gillespie says auditors may also lack a security or information security-risk background, so information security professionals have to apply a nuanced approach to an audit if it is to capture the real picture of what is happening.

"The audit is, after all, a tool," he says. "It is a means to understand how we are performing against a defined set of criteria. It is not the goal in and of itself. So add these elements together and you get the perfect storm for frustration, misunderstanding and a potentially toxic cocktail of obfuscation and back-protecting, leading to a lack of real progress or improvement, which is the real objective of the audit."

Information security professionals keep security measures proportionate, says Gillespie, which may mean a layer of interpretation or common sense needs to be applied when it comes to an effective audit and an effective communication of the findings. The event of a non-conformity may not be a bad thing if the risk mitigation in place is actually proportionate, he adds.

"For example, if someone is working in a sensitive environment but does not keep their office door locked at all times when they are working," says Gillespie. "If there is sufficient perimeter security in an appropriate place, such as a door entry system to an outer office area with no unauthorised staff entering, then it may be part of a nuanced approach to accept the small risk of working in an unlocked office."

But if the auditor sees only a non-conformity and cannot accept that acceptable and proportionate steps have been taken, and the risk is acceptable, Gillespie says the spirit of policy has been missed and the information security professional will see only a non-conformity mark. This puts them in an uncomfortable situation when it comes to reporting this back to the organisation because it makes them look bad or somehow lacking in expertise or application skills.

"This brings us back to the need to understand what we are being told and apply it to our organisational needs," says Gillespie. "The audit is a tool – tools are useful and meant to work for our benefit, not to make life harder or less productive."

According to Gillespie, viewing an audit as a means to an end is a better way to interact with an auditor and the findings of an audit.

"After all, everyone should be on the same page: protecting information assets. If the audit is well done it can provide invaluable insight into what is being done well and can therefore potentially be repeated in other areas, as well as what needs improvement and what needs to stop," he says.

The audit is also a means by which the information security professional can communicate with the senior management or boardroom, says Gillespie. "It can provide evidence for business cases to be built for greater budgets, to prove return on investment in key areas, and to build confidence in the capabilities and approach of the security team."

Gillespie adds that the best possible result is that the audit provides information security professionals with confirmation of what they do well, where they need to review or improve, and potentially where additional resource or budget is required.

"Security professionals have a duty therefore to engage with auditors and, if necessary, help to educate them and ultimately to accept their findings in a non-protectionist manner. We are stronger together as a team," he says.

Build relationship with audit team

However, CISOs that get lots of audit points may need to take a slightly different approach, says (ISC)2 European managing director Adrian Davis.

"They should build a relationship with the audit team to understand how they have come to their conclusions and why they have raised those audit points," he says. "It is impossible to work hand in glove with internal audit teams, but by developing a good working relationship with them it becomes easier to discuss the details behind problems and more of a collaborative effort."

To ensure that an audit results in progress towards better security, Davis says CISOs should determine the scope of the problem and whether the points are limited to a department or are enterprise-wide. From there, he says, use the audit points as a metric of progress where they can demonstrate progress to management and the board.

"Audits can also be used to make the case for more personnel and give cyber security a seat at the boardroom since audits can highlight how the whole organisation is susceptible to security threats and is not just an IT department issue," says Davis.

If security audits are regarded in a positive light and approached in a positive way, while they will remain as inevitable and unavoidable as death and taxes, the outcome will be much better, and the information security professional has a key role to play in ensuring this positive outcome.
