Manage Learn to apply best practices and optimize your operations.

What's the best way to handle external security auditors?

Dealing with external security auditors can make IT professionals uncomfortable. Here are some ways to handle and make the most of the audit process.

A survey conducted at RSA Conference 2015 found that only about 68% of IT pros are honest with security auditors...

about the occurrence of security incidents, leaving 32% of respondents in a decidedly gray area of ethics. What should enterprises do when it comes to dealing with external security auditors? What are the pros and cons of reporting a security incident?

Of the 32% of the 1,107 conference attendees polled who were not honest with auditors, 20.3% said it was best to "steer them away from bodies," while 7.3% said to ignore the auditors and 7.1% said to disclose a gap to get the auditor to leave you alone. One of the biggest fears surrounding information security audits is that a bad report will reflect poor job performance, and a good security audit will result in a reduction of the security budget.

There are three major issues to consider when dealing with external security auditors:

  1. Silos. Silos exist between business units, technology groups, staff versus line functions, and, of course, information security and auditors. Technologists may find it difficult to accept criticism from security auditors who have not had any experience in the field they audit. The auditor might not be an expert in the field, but they do have specialized analytical skills in identifying anomalies and issues. They understand controls, risks, regulations, retention and governance. An experienced security auditor, aside from attribution, will recommend realistic remediation options that -- if delivered without influence -- are more likely to be respected and accepted by IT. A key objective is to break through the silos and focus on what is best for the company.
  2. NIH (not invented here). Don't immediately reject something just because it came from an outside source. Auditors have an advantage of performing similar information security audits for many different IT environments. They see the good, the bad and the ugly. Over time, they can provide guidance to the company being audited, with insightful options for consideration. This is where audits can add value. The IT environment might have already considered the options recommended by auditors, but have been unsuccessful in obtaining the necessary management support or budget. IT should leverage the audit results to accomplish what has been difficult to achieve on its own.
  3. Tone from the top. Generally, the view and respect for the auditor's work is inherited from the top. If the CIO or CISO instructs their staff or those being audited not to share more information than what is asked by the auditor -- preferably, in one syllable answers -- it will be reflected in the audit. This type of behavior is doing a disservice to the staff, company and executive management. It sends the message that auditors are the enemy and a necessary evil. It raises ethical questions that the staff will carry with them to other jobs. A wise CIO or CISO will use the audit to his favor, and not worry about looking good.

One point worthy of note is that most auditors typically have accessibility and visibility to executive management, whereas information security or the CISO might not. And it is not uncommon for the board to ask the auditor, without the CISO present, on his or her view of IT and information security operations, and how well they are being managed. But the board should be presented the audit report, with mutual agreement between IT and the security auditor.

While 32% negative responses may actually be a conservative figure, there is the laudable 68% of respondents that do work well with security auditors. This means IT, information security and auditors have a collaborative working relationship aimed for the common good of the enterprise. IT and auditors need -- and many have already learned -- to come to terms on mutual objectives and goals for the audit.

Do information security audits find all vulnerabilities? Will information security ultimately find the right way to protect critical assets? There is no such thing as absolute security. Passing an audit does not mean the company is secure; it means it is compliant. Everyone should have security policy and procedures, as well as proper change-control procedures and secure coding standards. Additionally, everyone should deploy risk-based controls, run vulnerability scans and penetration tests, and set baseline configurations for Layer 3 devices and servers, application controls and RBAC. Rather than resort to rolling disclosure, IT and information security should know that without the audit, the IT environment may very well remain wanting in many areas that they might not otherwise address.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn who should perform HIPAA and HITECH compliance assessments

How to avoid failing your annual FISMA audits

Check out the four keys to a successful security audit

This was last published in December 2015

Dig Deeper on IT security audits and audit frameworks