Security Audits
- Teren Bryson
- Security , Xfd11 , Audits
- May 2, 2024
If you work in IT for even a few minutes, you’ll almost assuredly run headlong into the wonderful world of security audits—ostensibly, services to help you better secure your organization and its assets from internal and external threats. Suppose you’re a security engineer or architect, an IT Director, a CISO, or any of a myriad of positions dealing with security daily. In that case, you likely will take part in the initial analysis and the remediation efforts of several audits annually. And while some can be brief, many take up a considerable amount of time. So, this begs the question of how valuable these audits are if they take time away from the actual security work.
Some audits, like Sarbanes-Oxley or ISO27001, can be pretty extensive in scope, while others may take the form of a one or two-page questionnaire from an insurance company. While the short form may seem better at first glance, often, because they are for cybersecurity insurance purposes, there are mandates in order to get the best rates. So, the difficulty in any audit or gap analysis is not usually in answering the questions but rather in remediating them when gaps are found. Often, the remediations themselves take a significant amount of staff time.
I bring all of this up because of a recent conversation and because I was a guest on a Tech Field Day podcast1 where we discussed the topic of audits (under the somewhat provocative title of “Security Audits Cause More Harm Than Good”). The podcast speaks for itself (see what I did there?) so I won’t discuss that other than to say you should watch it and offer comments if you feel you have something to add to the conversation. What I’d like to comment on briefly is the discussion I had with a peer on the topic of security audits in general and ones initiated by cybersecurity insurance providers specifically.
The person I was chatting with contends that the insurance industry drives security audits to generate revenue and that they are wholly unnecessary and generally a more significant waste of time than knitting snake mittens. I do not argue that insurance companies don’t profit from what they sell, but I do not think that’s necessarily a bad thing. They are in the business of mitigating risk, so they don’t have to pay large sums of money in a claim. Just like car insurance, where your rate is based on your particular risk profile, so too cybersecurity insurance is the same.
Here’s the rub: insurance companies must have in-house experts asking the right questions and using the right tools to determine any organization’s risk profile. Running reports on what is visible from outside an organization is fine, but you have to have some visibility into the inner workings as well. And how to get that? In the not-so-distant past, insurance companies would send out questionnaires, and an officer of the company would have to attest to the veracity of the answers. While that still happens, insurance companies increasingly turn to more formalized audits—with proof—before issuing policies. Those audits are starting to resemble the more extensively scoped audits for things like SOX and ISO27001. My contention is that the trend will continue to expand in this direction.
As to the question of how much good audits do, I believe they are an essential part of good security hygiene. Forcing an IT organization to look critically at its risk profile, as seen by outside entities, is good. We all get blinders on, and a hard look from a third party is often needed to get us back on track and see what we’re missing. And the difficulty of remediation is directly tied to how your IT security organization is performing, or at least how they are trying to perform (often, security organizations are stymied by bad business policies).
I understand that each year, the stakes increase as the audit teams get more sophisticated and the cost of recovering from a ransomware attack grows. The bigger question is how long are insurance companies even going to offer this type of insurance? The difficulty in preventing or recovering from a ransomware attack grows exponentially yearly. At some point, much like flood insurers in Florida, the cybersecurity insurers are likely to pull out of the market entirely.
Every organization has to evaluate what would happen to them in the event of a severe outage, whether caused by ransomware or something else. Business continuity is essential to most organizations, as most would not survive long with all critical systems down. The damage to reputation as well as to the flow of revenue has, in several cases, led to the bankruptcy of organizations hit by serious ransomware. Would cybersecurity insurance have kept them afloat long enough to remedy the problem in those cases? I don’t know for all cases, but I’m confident that the answer is yes for at least a few. That makes insurance and the security audits you must undergo to get it incredibly valuable.
