In Chapter 10, I discussed the value of security metrics and which metrics really matter when building your program. Metrics are a valuable tool to convince company management that your efforts are paying off and that the company is getting an ROI from the resources committed to security. The subject of this chapter is working with the audit department.
Your goal in working with this group is to obtain some value from the time spent (or drained) by the audit process. If left unguided, the audit team will spend lots of time on audit endeavors that do not improve the company’s InfoSec posture. Few auditors know much about InfoSec. It’s your job to partner with the audit department and ensure its efforts move the security needle forward.
The Audit Team Needs Your Help to Be Effective in Cybersecurity
Let me start by saying I’m not a fan of the audit department. Why? Because auditors have taught me over the past 20 years that they don’t know how to audit the InfoSec space and rely on external auditors too much for guidance. As a result, much of my time and the InfoSec team’s time with auditors is spent on frivolous and insignificant activities. Without close partnership with the InfoSec team, corporate audit activities are often misguided and ineffective at moving the security needle for the good of the company.
As I mentioned in Chapter 4, relationships are the key to your success, and it’s nowhere truer than with the audit department. At publicly traded companies, the audit department is a powerful team, often reporting to the board of directors or a chief administration officer of some sort. In my experience, auditors will not reach out to collaborate with you, so it will be up to you to partner with them. If you’re able to form a good working relationship with the chief auditor, you’re on the road to ensuring that the company gets value from the auditing efforts in the cybersecurity space. This will take some work, though.
The audit department has the potential to waste lots of your time, with little improvement in security to show for it. This can be frustrating. You know the areas in which auditors could provide value, but rarely do they ask for your opinion. If your audit team does ask for your opinion, consider yourself lucky. Make every effort to be a part of the audit-planning process, and as each audit kicks off, try to steer the auditors in the direction of the greatest gaps in cybersecurity. Your intention here is to partner with the audit department to help focus its efforts on those areas where you need help to move security forward.
A Typical Encounter with Auditors When Not Guided by InfoSec
To illustrate my point on how misguided the audit department can be when not partnered with the InfoSec team, here’s an example from my past. I had been at the company for only a few months when “a helicopter virtually landed on my desk.” No one gave me any notice it was coming. There was no email or meeting invite. The chopper descended, and a bunch of suits jumped out and informed me I was needed in a conference room. I found my way to the conference room, filled with people from corporate audit and one of the well-known auditing firms. Nice suits, combed hair, bleached teeth, and friendly smiles. These were auditors. Paid to ask questions. Paid to follow the checklist.
The meeting was formal and ceremonial, a kick-off meeting for our annual IT audit. I said nothing. The only one who spoke was the lead consultant from the external auditing firm. It wasn’t until the very end of the meeting that I made the mistake of speaking up and offering to help. I suggested we work together to ensure the findings “made sense.” I should have known better. My offer was dismissed without much consideration. I should have known that collaboration isn’t a tool an auditor often uses.
The head auditor barely acknowledged my offer and assured me his team could handle it. I asked for a copy of the audit checklist (areas they would be auditing), but was told they’d focus on network security. I replied that was a broad area, and were there any specific areas they wanted to look into? I tried but got nothing other than the standard “We’ll call you if we need any help.” The meeting ended as pretentiously as it had begun. I shook hands with the attendees and returned to my office. The helicopter took off.
Remember, in Chapter 5 I said alignment to company culture is one of the keys to your success. I should have heeded my own advice in this situation and not been bothered by the auditors’ unwillingness to partner. I was only trying to ensure they spent time on areas within network services that truly needed help. But collaboration isn’t a remit of the audit department. This was one of those moments when I would need to just follow the process and submit to the audit department’s direction. I’d taken the first step, but was shot down, so my inner voice told me to back off and see how this played out. Often alignment means stepping back, purging some of your ingrained beliefs, and adopting new ones that jibe with the culture and environment.
The audit lasted six weeks. During that time, I heard virtually nothing from our audit department or the auditors working the project. There were no check-in meetings, no findings to be clarified, no status emails, and no progress reports. Silence. Then finally, unannounced again, a meeting was called for that afternoon.
This time, more auditors were present. They arrived as if their work was of national importance, carrying secrets of grave consequence. Folders were held tightly to the chest and sealed. Few spoke or greeted one another. We filed into the same conference room where we’d met weeks before and took our seats. The guy at the head of the table that day was from audit headquarters. The attendees all looked in his direction as if looking at the great Oz shrouded with smoke and flames. I took my seat and waited.
One of the auditors distributed a heavy slide deck to the attendees. I weighed the report in my hands. It was thick, and I thought they must have uncovered some serious stuff. I flipped through it quickly, not wanting to disrupt the meeting. The presentation was formal.
As the meeting started, I prepared myself for bad news. The meeting moderator began. Audit finding number one: a switch was found to have the manufacturer’s default password still in use. Audit finding number two: a closet containing network gear was found to be insufficiently secured. Audit finding number three: the network services team had little documentation of the network design… One insignificant finding after another. Each finding was read as if someone was being sentenced to prison. After the seventh finding, I began to wonder if they would have anything significant in their report.
The list of 15 or so items didn’t amount to much and posed little risk to company security. I looked around the table at all the auditors. For six weeks, they had been living in local hotels, and this was the sum total of their findings? I was saddened at the waste of company resources. Not a single item on the list was worth talking about. All the findings were of low severity. Items overlooked by busy network engineers in the course of their daily routines. Sloppy housekeeping. Hygiene issues. Nothing I or the company should be concerned about. So here I was with the audit department as my teacher, and little improvement in security to be happy about. This is a clear example of one of my biggest problems with an audit: it often produces findings that are distracting and waste valuable resources.
I listened intently as the lead auditor continued to wrap up the meeting and his presentation. I could tell he’d given this pitch many times, but everyone sat politely and listened. No one seemed bothered by the insignificance of the findings. Maybe this was a good thing. Perhaps my colleagues had wised up to the value of an audit and realized it was safer to say nothing, and to simply march in place until the auditors left.
After the monologue was over, the lead auditor from headquarters asked if there were any questions. I couldn’t believe my mouth was moving, but out of it came a question: had he had the chance to look at the architecture of our DMZs (demilitarized zones)? The head auditor looked at one of his young staff members along the side of the room for the answer. A quiet yes was offered. There was some nervous commotion. I asked how many of the DMZs at our internet POPs (points of presence) they had looked at. More nervous commotion. One had been audited.
Then I asked if they had reviewed the architecture of the one they’d audited. Again, the answer was a sheepish yes. They had found the security architecture to be compliant with the company standards and industry best practices. Really? I asked if they had noticed we didn’t have any intrusion detection systems (IDSs) installed. “None?” they asked. More commotion. The lead auditor looked again at one of the youngsters on the sidelines. People around the table began to squirm a bit in their chairs.
An IDS, a key control spelled out by policy, is difficult to miss. These systems were fundamental to security. One of the most basic devices in the InfoSec architecture was nonexistent in our DMZs, and no one noticed. Yet they had pages of worthless findings, and pomp and circumstance like you’ve never seen. The meeting ended awkwardly.
I watched as the lead auditor carefully collected every copy of the findings he’d had earlier so ceremoniously and proudly distributed to all attendees. The room was silent and a bit tense, as the lead auditor indicated they’d be reissuing a new report within the next couple of weeks that contained a more thorough summary of their findings.
They had been professionally shamed, although this was not my intent. Even after this meeting, no auditor stopped by to see me or inquire about our IDS systems. The IDS issue did get added to the final report. And for my “collaboration” I did become the recipient of weeks of harassment from our audit department about the missing IDS systems. In the end, getting IDS systems installed was a win for the company, but being beaten by the audit department for a follow-up action item I provided was bittersweet.
Partnering with the Audit Team to Influence Change
To get value out of the audit process, you have to learn how to partner with the auditors to leverage their ability to influence change. If not properly aligned with the InfoSec process, an audit is often an impediment to the advancement of security, since most system owners can outwit auditors. You’ve probably seen this many times: an auditor asks questions of one of the IT engineers, and the engineer totally blows smoke the auditor’s way while giving them no valuable information. Auditors are outmatched and don’t have the experience in IT or cybersecurity to hold their own with an experienced engineer.
If I had kept my mouth shut during the meeting with the auditors, the report sent to our corporate office would have reflected only a few small housekeeping items. We would have cleaned up the discrepancies and been no more secure than we were before the audit began. Little improvement would have been made, and six weeks of everyone’s time would have been a colossal waste.
The challenge for the InfoSec team is to help the audit team in such a way that the company benefits from the time spent on audits. This isn’t an easy task. It can take a long time to build a relationship of trust between the two groups, in which the auditors are willing to allow InfoSec to weigh in on their processes. One of my soft goals is to be a part of the annual audit-planning process. If I ever get to this point, I feel as though I’ve done my job and sufficiently partnered with the audit team. This isn’t easy to achieve, however.
Where Did Auditors Get Such License?
Why is it that a corporation will fly a half dozen auditors across the country, put them up in expensive hotels, and pay exorbitant fees to receive a final report that contains few to zero findings of value? The short answer is fear.
After the Enron and WorldCom meltdowns, audit firms capitalized on the new laws and offered audits that “promised” to protect companies and the public from misrepresentations in the financial reporting system. The law itself says little about technology, but its internal-controls requirements (Sarbanes-Oxley Section 404 in particular) pulled the IT systems that support financial reporting, and with them InfoSec, squarely into audit scope. To ensure that the public was not ripped off again by fraudulent financial reports (like Enron’s), audit firms stepped in to provide a level of assurance that public companies were adhering to the audit firm’s long checklist of security controls lifted right out of some industry framework or playbook.
Fearful companies bought up these compliance packages to avoid the possibility of fines they might receive for noncompliance. Few questioned the checklists or considered what the laws were trying to accomplish. Because of fear, companies bought into the “audit is important” mentality and have paid dearly for it. Inexperienced auditors became IT auditors and then branched into IT security, the latest hot market for auditors. Rather quickly, an army of auditors was formed.
A general Sarbanes-Oxley Act (SOX) audit consists of a set of questions that ask for things that often have nothing to do with the integrity of the company’s financial reporting systems. Occasionally, I’ve tried to reason with auditors in the spirit of collaboration but have learned that no amount of reason will steer them from the safety of their audit checklist. They hold on to their checklist ferociously, never wavering from the topic of what they’ve come to audit.
The intent of the SOX law, enacted in 2002 in the shadow of the Enron and WorldCom debacles, was to ensure that a company’s financial reports were processed over systems that were free of tampering and that protected the integrity of the financial reporting process. The results of the audit process of the financial systems would allow a shareholder to read the company’s reports and rest assured that the numbers were accurate—a good and reasonable expectation.
This turned out to be a colossal waste of money spent by public companies. In a desire to comply with the law, companies hired IT financial auditors to ensure that their companies complied with the law’s demands. Companies felt they needed a sheet of paper from an external audit firm attesting to the soundness of their process. This became a huge financial boom for audit firms.
The problem was that the law relied on the belief that lawmakers knew how to ensure a system’s integrity through the written mandates of the law. They assumed that if we audited the systems, security controls were in place to ensure accurate financial reporting. Unfortunately, this is simply not true. In the first five years after SOX was enacted, no company had been fined for any violations, and yet in late 2008 we had the largest financial meltdown ever. I often told our chief financial officer we’d save more money paying the SOX fines than paying for the annual SOX audit.
Do you think I’m being too hard on auditors? Consider your own experience. Can you honestly say that after the auditors have left, all the reports have been issued, and management has chased their tails addressing the findings, your company’s systems or data are any more secure? I cannot.
Audits have the potential to be disruptive to the valuable work being performed by the InfoSec team. The InfoSec staff knows the weak areas of security. Auditors do not. And auditors seldom ask the InfoSec team for input on the annual audit plan. This is where you should focus your efforts. Do your best to be a part of the annual audit plan. This will ensure that the audit department’s efforts are focused on areas that move the security needle toward greater improvements in security.
Getting Value from an Audit
The secret to effective partnership with the audit team is to spend time on the relationship between the two departments. If you put some effort into this relationship, audits can be used to improve security—a goal you both share. To achieve this, cultivate a relationship with the audit department and aim to strike agreement about your mutual interests. You know where the security holes are in your armor, and if you can steer the auditors toward those holes, you really help the company. Both departments have the same desired outcome for the company. Playing on the same side makes the most sense.
I’ve had one relationship with an IT auditor that truly worked. He’d learned the value of always checking with me before he started any IT audit. When the time of the audit came, he would visit me and ask for my thoughts on the upcoming audit. He was looking for buried carcasses. We would review the audit checklist together. I would highlight those areas that I thought he should focus on. We in InfoSec knew where to look, and he was the one with authority to peek under the hood.
If I encountered teams that repeatedly refused to own the security in their area, the audit department was my tool of last resort. What a difference it made to have an auditor in my corner who could influence system owners for improved security. Sometimes it’s best for system owners to hear from auditors after they’ve repeatedly ignored the InfoSec team. The audit department holds the ultimate hammer.
Auditors who blindly follow their generic lists will never know where to shine the flashlight. Auditors worth their salt know that partnering with InfoSec has the potential to yield the best results. If the auditors in my network services example had partnered with me, I would have discussed the areas of greatest need (in this case, the absence of IDSs), and they would have avoided embarrassing themselves in front of their boss. I still can’t say an audit is worth all the time and money, but in partnership with InfoSec, you have an opportunity to use it for good.
Conclusion
Unfortunately, most audits begin with an air of distrust. The auditors come in with the assumption that something is amiss, and it’s their job to uncover it. At the same time, IT often feels like the auditors are out to get them and report their shortcomings to management. Most auditors feel successful when they have something of substance to report. Getting the word that your department is getting audited is never a good feeling.
One of the goals of any good InfoSec department is to partner with the auditors to improve those areas of security that are truly lacking. Identifying those areas will not come from the audit department, but from the savvy InfoSec team that is able to partner with the audit team to use them for good. Unless the audit and InfoSec teams are aligned, the audit focus areas will do little to move the security needle forward. Unfortunately, the audit standard operating procedure does not include collaboration, so it will be up to the InfoSec team to build the relationships necessary to make a difference.
It’s worth the effort, though, to develop good working relationships with the auditors. With patience, you’ll find you can use them to drive positive change in areas of IT where you were previously unable to. Do all you can to partner with the audit department for the sake of your company. You just may find that this group can open doors previously sealed shut to you and your team. The audit department has that ability. Partner with them wisely, and good luck!