So it's coming up on the end of the calendar year (and for many, the fiscal year), which means it's time for one
of the least favorite activities for security professionals. No, not budgeting, but audits. Yet rather than dread audits, we should actively look forward to them. Why? Because, to be frank, auditors as a rule get a lot more respect from the C-suite than we do. This means that auditors can be, and often are, our best chance to show what a good job we are doing and to get security projects funded. SOX 404, PCI and other regulations have only made this truer.
Why do auditors have this advantage? They are viewed as independent observers who are supposed to report to executives in an unbiased manner using their controls as a metric. Most companies have two sets of auditors: internal auditors who help prep the company for the external audit, and external auditors who report their findings to the SEC. An open secret, however, is that most auditors as a rule want to help make your company and your security program better. Translation: the auditors are and should be your best friends. To be blunt, the auditors are going find the issues (and we all have issues) in our security programs; wouldn't you prefer to have them reported as areas you need assistance with rather than as failures?
"But how do I get there?" you ask. First, make time on your calendar for the auditor. Like any relationship, it's going to take time and effort. So start by taking the time to openly explain and discuss your information security program. This is your chance to make a great first impression, demonstrate how strong your program is and show you are open to improvements. It's also good practice for future justification meetings with the execs.
Here is when you or your staff will start providing data to the audit team, which will compare it to its lists of controls. This is where having a close relationship will help a lot; it's the time to not only negotiate whether something is necessarily a primary control, but to appropriately justify the way your program has been architected. It is also the perfect opportunity to work with the audit team to address any concerns or misunderstandings before the audit report.
I repeat because it's key: This is your opportunity to control not only what issues get presented to the executive staff, but also how they get presented. Wouldn't you much rather have issues reported with your preferred solutions?
At this point, go to your superiors to ask for support (political, financial or both) to address the auditor's concerns. The best part about this approach is that you've let someone else do the selling for you. Much like the rest of IT, security is usually viewed as a cost center, and nothing supports your business case like another part of the company asking for what you are proposing first.
Remember, playing nice with the auditors also shows that you and your group are team players that understand the business need and have the best interests of the company at heart. The auditors aren't there to make your life difficult, but rather to help. They can be your best friend or your worst enemy.
An adversarial relationship with auditors will make life more difficult and quite possibly even shorten your tenure at the company. I'm not saying you should just roll over and do whatever the audit team asks. But when pushing back, be polite, reasonable and respectful--which is good advice regardless of whom you are dealing with.