Security Think Tank: Avoid the audit toxic cocktail of obfuscation and back-protecting

What is the role of information security professionals in handling uncomfortable truths about data security from internal auditors?

The relationship between information security professionals and auditors may not always be comfortable. This can, in part, be due to communication issues or styles. 

Anyone who has been on a modern management communication skills course will know that the key challenge is always to be effective; yet how many times do we forget about it in the rush to get our point across, regardless of the receiving audience’s needs? 

Also, auditors may not have a security or information security risk background, and so not only do we have the communication piece to concern ourselves with, but also the application of a nuanced approach to an audit in order to capture the real picture of what is happening. 

The audit is, after all, a tool. It is a means to understand how we are performing against a defined set of criteria. It is not the goal in and of itself. 

Add these elements together and you get the perfect storm for frustration, misunderstanding and a potentially toxic cocktail of obfuscation and back-protecting leading to a lack of real progress or improvement. In other words, the failure of the objective of the audit. 

Yes, the audit has been carried out, which was probably a requirement, but the information security person feels threatened and unwilling to pass the findings on, and the board or senior management may be lacking the level of oversight or governance it should have because the message may not be getting through.

Information security professionals keep security measures proportionate; this may call for a layer of interpretation or common sense to be applied when it comes to an effective audit and an effective communication of the findings. 

A non-conformity may not be a bad thing if the risk mitigation in place is actually proportionate, just not the thing on the list with a box to tick. Take, for instance, a clear desk policy that requires a desk to have all sensitive material locked away, but not all desk items locked away. Is it proportionate to flag a non-conformity if the business does not need the desks to be actually empty, as opposed to clear of sensitive material? 

Or consider someone working in a sensitive environment who does not keep their office door locked at all times when they are working. If there is sufficient perimeter security in an appropriate place, such as a door entry system to an outer office area with no unauthorised staff entering, then it may be part of a nuanced approach to accept the small risk of working in an unlocked office. 

However, if the auditor sees only a non-conformity and cannot agree that acceptable and proportionate steps have been taken and the risk is acceptable, then the spirit of policy has been missed and the information security professional will see only a non-conformity mark too, making it a very uncomfortable place for them when it comes to reporting this back to the organisation because, of course, it makes them look bad or somehow lacking in expertise or application skills. 

Need to understand

That is not to say that this is always the case, of course. This brings us back to the need to understand what we are being told and apply it to our organisational needs. The audit is a tool, and tools are useful and meant to work for our benefit, not to make life harder or less productive.

Viewing an audit as a tool, a means to an end, is a better way to interact with it, the auditor and the findings. After all, everyone should be on the same page: protecting information assets. 

If the audit is done well, it can provide an invaluable insight into what is being done well and can therefore potentially be repeated in other areas, what needs improvement and what needs to stop. 

It is a means by which the information security professional can communicate with the senior management or boardroom. It can provide evidence for business cases to be built for bigger budgets, to prove return on investment in key areas and build confidence in the security team's capabilities and approach. 

It can back up assertions on strategy and policy and give further credence to board-level communications. By showing areas that are weak and need further layers of security, the audit can show the nature of security, because the threat and risk landscape rarely stands still. 

Perfect opportunity

If senior management is used to having IT security project-style results delivered by an IT security team, then the fluid and cyclical nature of review and refinement/improvement may not be something they are accustomed to. Infosecurity audit results provide a perfect opportunity to do this. 

Yes, there will be bad news sometimes, but the information security department will not be unique in this. As security professionals, we have to understand the difference between feedback and criticism and remind ourselves of how to communicate sometimes complex security or risk issues to someone who does not have a risk or infosec background. 

The best possible result is for an audit to provide us with confirmation of what we do well, what we need to review or improve and potentially where additional resource or budget is required.

Ultimately, great information security solutions rely on layered approaches of strategy, policy, process and education which consider people, places and technology. In the same vein, security professionals need to appreciate the roles that many other professionals play in assurance and governance and, most importantly, in maintaining our security culture.

Internal audit done well, in a collaborative, not combative manner, can be a fantastic tool in our quest to manage our information risk effectively and appropriately. Security professionals have a duty to engage with auditors, if necessary help to educate them and, ultimately, to accept their findings in a non-protectionist manner.

We are stronger together as a team.

Mike Gillespie is director of cyber research and security at The Security Institute


1 comment


The role is to do what's best for the business but that's not human nature. Instead, it's CYA, especially in a world where management often sees IT as the bad guys, creators of all obstacles.