Since the dawn of cyber security, audits have struck fear into the hearts of those forced to participate. Images of mysterious bean-counters sifting through every action you’ve taken for the past year come to mind as they “verify” that you’ve followed vaguely worded policies that you never really read: policies that weren’t written by someone who understands your job and that you haven’t heard mentioned since the last time they told you “You’re doing great, but…” It’s only fitting that a healthy amount of derision be heaped on auditors and the work they do. Now, with this strong foundation of respect in place, allow us to offer an alternative view of cyber security audits and the role they ought to play in a company.
Whether it be your SOC 2 audit or your annual ISO 27001 internal audit, audits offer a chance for companies to recognize and understand the risks unique to their organization. It is therefore ideal not to treat audits as a “gotcha” activity where unsuspecting IT staff and software developers are called into a smoky office and interrogated as to why they clicked on an email link from an unverified source 8 months prior (but really, don’t click on email links from unverified sources). Viewing the results of an audit as a window into the effectiveness of your overall security posture, as well as your ISMS, can lead to a more productive relationship with the auditing process. If there are audit gaps, then perhaps the ISMS should be retooled and redesigned to meet the specific needs of your organization.
Obviously, there are certain aspects of your security infrastructure that are paramount to the integrity of your systems and the safety of your customers’ data. You may, however, want to consider that some aspects need to be flexible. Information security policies are an excellent example of this. Policies are too often written as part of a box-checking exercise and then summarily ignored for a few years until they are so horrendously out of date that you may as well scrap the old ones and begin anew. You may have wondered: is it even possible to create useful, thorough, engaging policies and, as a result, prevent unnecessary audit findings?
Collaboration is the key not only to writing excellent policies but also to the overall success of your security infrastructure. Creating buy-in from team members by actively seeking feedback and making changes when possible allows for greater ownership and flexibility. With InfoSec policies specifically, consider how they are being presented. How do specific policies impact specific team members’ workflows? Have you created a space where teammates can honestly express their opinions? If not, taking the first step to consult with them regarding what works and what doesn’t can be incredibly impactful. You may be surprised at what causes the most headaches or is poorly implemented, and therefore costs time and energy and results in additional audit findings.
Ultimately, audit findings offer stark examples of where an organization is not living up to its own standards. While this can be frustrating, it also gives a clear path towards improvement. If you are willing to reorient your relationship to audits, you might just find yourself dreading them a bit less and saving yourself a lot of headaches.