Today’s Reality: Every person and organization is currently at risk for being hacked, identity theft, or any of the other problems that have evolved from our massive dependence on information and communication technologies.
In light of this, it is important for persons and organizations to understand and develop deeper insights into cybersecurity in order to develop strategies and systems to bridge cybersecurity vulnerabilities.
One method of ensuring greater protection: to undertake regular and programed cybersecurity audits and assessments.
The dreaded “A” words… Audits & Assessments…
The thought of an audit may strike fear in many individuals at all levels in an organization. For some, the stakes are very high from losing insurance or dismissal from a trade group or even losing a critical industry credential that customers have come to expect. Mostly, audits are routine and serve to ensure there is at the minimum a check-and-balance to satisfy whichever regulatory body requires it.
What if the auditor finds a non-conformity?
What if it’s two audit findings? Five findings? Ten? In all cases, you should see the results as great, because you have found some shortcomings in your company and now you are in a position where you can fix them.
Some feel that obtaining an audit finding is an indication of a “failure”, which is harsh in context and not reflective of what auditing seeks to achieve.
Last week, while I was staring at water pouring through my ceiling, I began to think… there were no signs of a problem, no warning, I thought everything here was running smoothly… but apparently, there was an internal issue with the pipe being old, and it was only a matter of time before it burst…
Much like any structure we build, there are always vulnerabilities, always hidden or future risks and gaps... no system, no infrastructure is perfect. If there was perfection in everything, there would be no plumbers, mechanics, firemen, or SOC engineers…
As time goes on, it is inevitable that any Information Security Management System will have weaknesses and different gaps or NC’s will arise, as technologies change and people change… We need to view our audits not as a test of how “perfect we are”, but rather as an exercise to see how flexible, versatile, adaptable, strong, and realistic we are in our efforts to manage our security system and handle unexpected changes.
Typical risks can be predicted and mitigated, but what about the “unknown-unknowns”, which we all have, whether it’s a burst pipe or a new malware not yet able to be detected… this is the essence of a LIVING Information Security Management System: build a strong foundation, maintain the framework consistently, work to make it work for you, and always be mindful of potential new problems, be able to take a realistic approach to self evaluate, and if the auditor comes in and tells you that you have “an old pipe that even though it’s working now, it could potentially burst in the future,” don’t fight with him and tell him that the pipe is still working just fine… take his advice to heart and evaluate the budget on replacing the pipe and risks associated with having an old pipe.
Non-conformities during a routine audit aren’t the worst thing to ever happen to your information security system, sometimes, they can be the best thing.
This month, I have a few questions for you my readers: What are your thoughts on audits? Do you have any audit stories to share good and bad?
Send your responses to firstname.lastname@example.org .