Do you agree that the auditor is more feared than an attacker/hacker? Is this reasonable?

It has been said that an auditor is feared more than an attacker because of the likelihood of an audit versus the likelihood of an attack. Do you agree and if so, is this a reasonable fear?

Patrick Pushor
Founder/CTO, CloudChronicle.com
Posted on Aug. 9, 2011

I'd really hate for that to be true but the reality is such that it probably is. Regulations and compliance scare me as businesses see security as a necessary evil or a tax rather than an opportunity to differentiate and create resiliency and sustainability - and ultimately of course - to build amazing customer loyalty. This outside-in view of security that most organizations have, then, lends itself to doing very little more than what regulations enforce. Regulations are always outpaced by technical evolution by design - and so organizations with this perspective miss opportunities to manage security completely and holistically. Especially in down economic times, regulation encourages this notion of "how do we satisfy auditors as quickly and as cheaply as possible" and little more. You can rest assured that those with ill intent are using bleeding edge technology to carry on about their work - regulation & compliance don't encourage a sound defense as well as a solid company wide perspective around security with the resources behind it to succeed.

Bill Baltas
Supervising Systems Administrator, Clark County Water Reclamation District
Posted on Aug. 10, 2011

I don't know if the word "feared" is correct. Auditors are definitely more annoying than an attacker.

In my experience with auditors, the auditor usually has a narrow IT background and doesn't understand many areas in IT. A project manager may not understand VPN technologies or a programmer may not understand encryption, and neither of these may understand fire controls.

For example, our security requirements for VPN specify that a VPN must use at least 3DES encryption or better (it's an older document that we need to update). Several years ago we moved from 3DES to AES (we never updated the policy document - our fault); about two years ago we were written up for using 3DES for our VPN clients. I had to spend several hours educating management and the auditor on why we were in compliance with the policy.

Last year I went through an audit where one of the findings was "inadequate fire suppression in several wiring closets." The auditor recommended that we install FM200 in all of our wiring closets and remove the existing sprinklers. First, building code (at least in our city) requires sprinklers (gas is not an acceptable substitute); second, DuPont, the manufacturer of FM200, recommends that sprinklers remain in operation alongside FM200. Finally, many of our wiring closets only have a single switch installed; the FM200 installation would cost three or four times as much as the equipment, not to mention the annual maintenance.

With an attacker, I understand that I don't want him in our network. I know what resources I can draw on to help mitigate this threat. I know what state laws we have to comply with for reporting of a breach.

Dan Snyder replied on Aug. 10, 2011

Very true on auditors being more of a guaranteed regular annoyance than an attacker.

Just because an auditor recommends an improvement or change doesn't mean the senior management team has to adopt it. When the auditor says "you need to make this change" and the cost increases 3 to 4x, it is up to a good senior management team to say "thanks, and we understand the risk you've identified, but we're not choosing to spend to fix that".

Dan Snyder
Director of Technical Operations
Posted on Aug. 9, 2011

You're doing it wrong if this is the case.

If you are being audited, it means your organization has a set of assets that are deemed to have enough value to pay someone externally to evaluate them. Anything that is turned up in an audit can be brought to management to be fixed or ignored.

IT Manager: "The auditor says our perimeter security is weak and we should spend $30k on new firewalls, like I told you last month"
CFO: "Well, we still can't spend that now. We'll acknowledge that as an ongoing risk".

Malicious attackers will never alert you to your flaws until they are already doing bad things within your infrastructure or are already holding your data hostage. Auditors can be managed and worked with -- malicious attackers not so much.

Wayne Spivak
President, SBA * Consulting LTD
Posted on Aug. 10, 2011

The question should be re-phrased to explicitly tell us what type of auditor.

Is it your CPA firm, and the audit is for your financial statements?
Is it your internal auditor, to find waste, fraud and/or compliance issues, as well as best practices?
Is it an insurance audit for premium validation?
Is it a bank audit?
Is it a governmental authority looking at compliance or validation of tax or other records submitted?

Each of these has different purposes, different anxiety levels and different results and/or perceived penalties. A bank audit for a possible loan could result in a worse effect on a company than an IRS audit of a tax return.

Everything in moderation.

David Rimmer
Security Manager, Executive Agency for the UK Government
Posted on Aug. 10, 2011

For a lot of organisations, hacking is still something that happens to someone else. Auditors happen to everyone. Every year, and on a variety of subjects.

I'd imagine anyone who has been subject to a successful attack welcomes auditors with open arms if they provide assurance that they won't be hacked again.

Dan Snyder replied on Aug. 10, 2011

I would sign up in a heartbeat for the auditing firm that guarantees no successful attacks ever. Anyone know the name of that firm ?

David Rimmer replied on Aug. 10, 2011

If your policies and procedures put a series of controls in place against a successful attack, and your auditor verifies that they're being followed consistently and effectively, then you get assurance from that audit. Nothing will ever guarantee that you won't be hacked (short of disconnecting your network from the internet) but that's not to say that an audit can't show that you're doing a good job of securing your assets from attack.

Dan Veronese
Director of Sales-Southwest, Compli
Posted on Aug. 10, 2011

Good point, Wayne. What type of auditing: SOX, OSHA, HR compliance, etc.? I can speak to what we do, HR compliance. I'm not selling here, but Compli provides workflow automation and allows companies to have immediate visibility on where every person within the organization is with regard to any compliance issue. Many of our clients use this reporting to measure managers, HR or other aspects of their org. The program pushes all new regs out and has multiple alerts for people not in compliance or who haven't completed training (e.g., the 2 hour harassment training that's mandatory in CA).

What I hear most are 2 things: First, they have less worry and can focus on their core competencies-sales or whatever they do. Second, that they are no longer "low hanging" fruit for litigation because they can prove good faith compliance and have accurate records as such for every employee.

Dan, I also agree with what you said. Many times we receive calls for what we do after there's an action because they didn't want to spend to minimize exposure. These types of situations are sometimes very costly, as we all know, but each company needs to spend some time evaluating their process, exposure and possible solutions, whether it's via a partner like Compli or another solution.