Security Think Tank: Using audit reports as a communications tool

What is the role of information security professionals in handling uncomfortable truths about data security from internal auditors?

The idea of an internal audit is to help companies run themselves properly according to rules and policies. So, if and when an internal auditor uncovers some uncomfortable truths around a company’s data security – whether that is inadequate data privacy or lack of adherence to regulation – security professionals are faced with three options:

Option one: Try and hide the problem as if the audit never happened
Option two: Try and hide the problem and work on a plan to fix it in isolation
Option three: Use it as a mechanism to raise budget for areas that need addressing

Naturally, option one wouldn't be advised, and option two might not be the best approach to take because of time and money. Rather, information security professionals can use any audit points to their advantage by taking option three. For example, audit points can be used to open conversations with the budget committee and to highlight where education, training programmes and equipment may be required.

There is a balance to be struck here. Although audit reports can be used as a tool to help shape future programmes, they should be used more as a communications tool with the board, because information security programmes should not be driven solely by audits. They can also be good evidence for raising awareness and pushing through short-term projects, as well as a stepping stone to plan for the future.

Defining your approach

However, chief information security officers (CISOs) who do get lots of audit points need to take a slightly different approach. They should build a relationship with the audit team to understand how it has come to its conclusions and why it has raised those audit points.

It is impossible to work hand in glove with internal audit teams, but by developing a good working relationship with them it becomes easier to discuss the details behind problems, and the work becomes more of a collaborative effort.

Ultimately, internal audits can be used as a tool for progress for CISOs. They should determine the scope of the problem – whether the points are limited to a department or are enterprise-wide – and from there, use the audit points as a metric with which they can demonstrate progress to management and the board.

Tied into this point, audit points can also be used positively to make the case for more personnel and to give cyber security a seat in the boardroom, since audits can highlight how the whole organisation is susceptible to security threats and that this is not just an ‘IT department’ issue.

Adrian Davis is managing director for Europe at (ISC)2.
