Let’s face it: Nobody wants to be audited. For the average Joe, an IRS audit is a hassle (at best). And in the corporate world, the word itself is sure to draw ire. But Drata’s Troy Fine talks about the nuances of cybersecurity audits and why companies should welcome rather than fear them.
There is no shortage of misconceptions when it comes to compliance. But perhaps one of the most pervasive is the idea that audits have to be confrontational. Maybe it has something to do with the fact that the word “audit” usually brings to mind financial audits, tax returns and letters from the IRS. That, at least, is easy to understand: financial audits are inconvenient and nerve-racking at best, with the potential for costly penalties looming throughout the process. Little wonder, then, that the word “audit” tends to inspire a negative knee-jerk reaction.
But cybersecurity audits are a horse of a different color. There’s no reason security audits need to be confrontational or even inconvenient — at its core, a security audit exists to help the organization identify potential vulnerabilities and address them before attackers can take advantage.
Security audits aren’t about penalties or citations — they’re about measuring and validating the cybersecurity measures the company has in place, gauging them against established guidelines and standards in a way that makes them easy to understand. These audits are about providing the means for organizations to establish trust with potential vendors and customers. Working hand-in-hand with auditors can help make the process seamless so organizations are better able to protect themselves and their partners.
We know that compliance doesn’t necessarily equal security and that training employees is vital to preventing cyber attacks. But a poorly trained worker is the same as one not trained at all, and in too many tech companies, training isn’t exactly exciting or inspiring. As Stu Sjouwerman explores, there are simple-but-effective methods to get everyone on board for security compliance training.
Clearing up common misconceptions
Even though security audits are nothing new, there are a series of misconceptions that continue to stubbornly persist. First, and perhaps most importantly, many organizations still operate under the impression that security auditors are not security experts.
This may have something to do with the fact that security audits are generally performed by the same auditing firms that perform financial audits — therefore, people may assume that security auditors are simply financial auditors who have been moved over into a new department. Not so.
The truth is that a growing number of auditing firms are hiring people specifically for their IT and security backgrounds, in order to ensure that their security auditors have the necessary knowledge and expertise to provide relevant feedback and recommendations to clients. This is an important point, because the assumption that auditors lack the security knowledge to provide valuable insight poisons the working relationship between companies and auditors before it begins.
Another common misconception is that auditors all follow the same methodology and that the standards themselves prescribe the process that the auditors must follow. That simply isn’t the case. In general, compliance frameworks don’t specify the manner in which controls should be tested, instead leaving it up to the judgment of individual auditors. Many auditing frameworks have strict accreditation requirements, meaning that an auditor who is accredited to perform (for example) SOC 2 audits brings to bear a considerable amount of expertise. Rather than dictate to those experts how to go about testing controls, these frameworks allow individual auditors to approach problems differently.
Finally, there is a persistent myth that auditors are “out to get” the companies they work with — that they are looking for excuses to levy fines, demand updates or upgrades, or make the organization look bad. The reality is quite the opposite: Auditors, by and large, want to help their customers succeed and achieve their compliance goals. In fact, because the audit process is often subjective, many auditors are willing to give companies the opportunity to provide evidence of compensating controls when the initial evidence indicates noncompliance. In order to be successful, they need to be both flexible and knowledgeable.
What to look for when choosing an auditor
One of the issues that continues to plague the auditing field — and one that contributes to the negative perception surrounding it — is the relative lack of oversight. Many companies assume that audit firms are held to high standards, but that isn’t always true. The American Institute of Certified Public Accountants (AICPA) provides some oversight, but the reality is that audits like SOC 2 are just a small part of what they do.
AICPA and other oversight bodies are limited in the amount of oversight they can provide, which can lead to problems. Many organizations aren’t even aware that there is an accreditation process for different audit types, so they don’t know it is something they should be looking for, and that can lead them to engage less reputable audit firms. The result is not just a lower quality audit but reputational damage when potential partners and customers see an unaccredited firm listed on the company’s audit report or certificate.
Conversely, the right audit firm can be a significant value add for any company. That doesn’t mean it needs to be a “big four” auditor, either — there are plenty of small and mid-sized auditing firms that provide exceptional service. Auditors that are highly responsive, answer questions thoroughly and demonstrate a dedication to collaboration and transparency should immediately rise to the top, especially if they have experience conducting audits within the relevant industry. It’s always wise to check references as well — a strong recommendation can go a long way, and hearing from a customer directly can help establish whether an auditing firm meets specific needs.
This also underscores why it is important to avoid brushing off auditors or treating them in an adversarial way. Security auditors are security experts, and, more importantly, they want companies to succeed. In fact, many firms even offer a readiness assessment in advance of the actual audit to help companies understand and prepare for the expectations they will have to meet.
Often, auditors can provide recommendations to help reduce the likelihood of known issues arising during the audit itself (though some audits, like ISO 27001, do not allow the auditor to consult with the company ahead of the audit). It’s also important to remember that security auditing is not a “one and done” process. Audits will need to be conducted regularly throughout the life of the business, and establishing clear lines of communication with auditors can help build a stronger relationship and ensure all expectations are clearly understood.
Work with auditors, not against them
Today, many of the tools companies use to improve their security can also be used to make the auditor’s job easier. An auditor is there to gauge the effectiveness of certain security controls, and there is no reason a company can’t measure those same controls outside the bounds of an audit. In fact, implementing continuous monitoring over their security stack is a good idea for any company, whether they’re gunning for a SOC 2 audit or not.
Fortunately, there are automated tools available today that can help organizations do just that: continuously checking that each control is configured and operating as intended, and alerting when one drifts out of compliance (an account without MFA, a host without disk encryption, a password past its rotation deadline). Not only does this help companies ensure that their systems are continuously protected, it also keeps surprises to a minimum. If the company’s controls are being measured against the relevant security frameworks in real time, the auditor isn’t going to tell them anything they don’t already know.
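To make the continuous-monitoring idea concrete, here is an added example (not code from Drata, Troy Fine or this article) of the kind of control check such tooling runs between audits. It evaluates four illustrative controls over a constructed inventory snapshot, records the evidence behind each finding, and flags drift against a previous run. The control IDs (CTL-ACCESS-01 and so on), the inventory fields, the 365-day password threshold and the sample accounts and hosts are all assumptions for illustration; a real deployment would map the IDs to the framework criteria in scope and pull the snapshot from the identity provider and endpoint-management APIs.

```python
"""
Added example: a minimal continuous control-monitoring run of the kind the
article describes. Not Drata's code or from the original page. Control IDs,
inventory format, thresholds and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed inventory snapshot, as an automated collector might pull it from
# an IdP and an endpoint-management API. No real accounts or hosts.
SNAPSHOT_DATE = date(2024, 3, 1)

USERS = [
    {"login": "alice", "mfa": True,  "last_pw_change": date(2024, 1, 10), "active": True},
    {"login": "bob",   "mfa": False, "last_pw_change": date(2023, 1, 20), "active": True},
    {"login": "carol", "mfa": True,  "last_pw_change": date(2023, 2, 15), "active": False},
]

HOSTS = [
    {"name": "lap-01", "disk_encrypted": True,  "edr_installed": True},
    {"name": "lap-02", "disk_encrypted": False, "edr_installed": True},
    {"name": "srv-01", "disk_encrypted": True,  "edr_installed": False},
]


@dataclass(frozen=True)
class Finding:
    """One non-compliant subject plus the evidence an auditor would ask for."""
    control_id: str
    subject: str
    detail: str


def check_mfa(users):
    """CTL-ACCESS-01 (assumed ID): every active account has MFA enrolled."""
    return [Finding("CTL-ACCESS-01", u["login"], "MFA not enrolled")
            for u in users if u["active"] and not u["mfa"]]


def check_password_age(users, max_days=365, today=SNAPSHOT_DATE):
    """CTL-ACCESS-02 (assumed ID): active accounts rotate passwords within max_days."""
    findings = []
    for u in users:
        if not u["active"]:
            continue  # disabled accounts are out of scope for this control
        age = (today - u["last_pw_change"]).days
        if age > max_days:
            findings.append(Finding("CTL-ACCESS-02", u["login"],
                                    f"password is {age} days old (max {max_days})"))
    return findings


def check_disk_encryption(hosts):
    """CTL-ENDPOINT-01 (assumed ID): full-disk encryption on every managed host."""
    return [Finding("CTL-ENDPOINT-01", h["name"], "disk not encrypted")
            for h in hosts if not h["disk_encrypted"]]


def check_edr(hosts):
    """CTL-ENDPOINT-02 (assumed ID): EDR agent present on every managed host."""
    return [Finding("CTL-ENDPOINT-02", h["name"], "EDR agent missing")
            for h in hosts if not h["edr_installed"]]


def run_controls(users, hosts, today=SNAPSHOT_DATE):
    """Evaluate every control once; return {control_id: {"status", "findings"}}."""
    checks = {
        "CTL-ACCESS-01": lambda: check_mfa(users),
        "CTL-ACCESS-02": lambda: check_password_age(users, today=today),
        "CTL-ENDPOINT-01": lambda: check_disk_encryption(hosts),
        "CTL-ENDPOINT-02": lambda: check_edr(hosts),
    }
    results = {}
    for cid, check in checks.items():
        findings = check()
        results[cid] = {"status": "fail" if findings else "pass", "findings": findings}
    return results


def detect_drift(previous, current):
    """Controls that passed last run and fail now: the surprises an auditor
    would otherwise be the first to report."""
    return sorted(cid for cid, r in current.items()
                  if r["status"] == "fail"
                  and previous.get(cid, {}).get("status") == "pass")


def format_report(results):
    """Plain-text summary suitable for attaching as audit evidence."""
    lines = []
    for cid in sorted(results):
        r = results[cid]
        lines.append(f"{cid}: {r['status'].upper()}")
        for f in r["findings"]:
            lines.append(f"  - {f.subject}: {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Treat the previous run as clean, evaluate today's snapshot, report drift.
    baseline = {cid: {"status": "pass", "findings": []} for cid in run_controls(USERS, HOSTS)}
    today_results = run_controls(USERS, HOSTS)
    print(format_report(today_results))
    print("drifted since baseline:", detect_drift(baseline, today_results))
```

Each check returns the subjects that fail and why, rather than a bare boolean, because the finding itself is the evidence the auditor will want to see; keeping disabled accounts out of scope for the password-age control is the kind of judgement call worth documenting alongside the result.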
Making things easier for the auditor doesn’t just improve the auditor’s life — it can have a measurable and positive impact on the company being audited, as well. And while the word “audit” probably isn’t going to conjure positive feelings anytime soon, erasing the stigma around security audits and focusing on building better relationships with auditors is a good idea for any company. Security audits are designed to keep not just the company being audited safe, but their customers, partners, and vendors as well.
A good auditing firm works to help companies identify and remediate potential security vulnerabilities, and companies themselves can improve that process by making it easier for auditors to get the information they need. It’s a mutually beneficial relationship with positive repercussions that can reverberate throughout the market. It’s time today’s organizations started working with their auditors rather than against them to prioritize security, compliance and building a safer digital world.