Cybersecurity Audits: What to Expect, How to Perform One, and What to Do With Your Findings
One of the most eye-popping events in cybersecurity this year has been the former head of security for Twitter, Peiter Zatko, releasing a whistleblower complaint about the social media giant, alleging all manner of shortcomings. Anyone responsible for cybersecurity audits should take note — in fact, take lots of notes.
Zatko raised concerns such as poor access controls that left the company in violation of a consent decree with regulators; ill-defined roles and responsibilities for cybersecurity; an inability to segregate different types of data; and more. His 84-page complaint makes for painful reading.
One lesson, however, cuts across all of Zatko’s allegations. His complaint underlines the importance of effective cybersecurity audits, since they are critical tools for finding weaknesses in your security program and for assuring that those weaknesses get fixed.
So why do some companies fare so poorly with cybersecurity audits and with putting audit findings to good use? What should a cybersecurity audit actually accomplish, and what capabilities do you need — in technology, personnel, and commitment — to make audits a worthwhile exercise?
Those are questions any CISO should be able to answer, so let’s dive into them.
What Cybersecurity Audits Should Achieve
Fundamentally, a cybersecurity audit validates whether your current policies, procedures, and controls actually work to address the cybersecurity threats your company faces.
Quite often, the answer is no, they don’t. That might be because your controls have a flaw in their design (say, failing to implement multi-factor authentication at some required point) or because your company faces some new risk that your controls were never intended to address in the first place.
It’s also possible that your business operations have changed (you moved crucial systems to the cloud or began capturing new types of data), and controls that worked effectively in the past no longer work effectively now.
What to Expect During a Cybersecurity Audit
Cybersecurity audits are meant to bring all those issues to the surface, and they do so in several ways. For example, auditors actually test your controls to see how well they work. Auditors also talk with people across your organization to understand the security risks and compliance obligations you face so the auditor can assess whether your controls are designed properly.
Most importantly, a cybersecurity audit results in an audit report. This is a list of recommended steps that you should take to improve whatever weaknesses or concerns the auditor found. Essentially, the audit report gives you a battle plan for future improvement — if you follow through and implement the report’s recommendations.
Why are audits important? That’s an easy question. Many times, audits are required to achieve compliance with some regulatory obligation. For example, HIPAA (the regulations governing the protection of personal health information) and PCI DSS (those protecting credit card data) both require audits of your data protection program as part of compliance with their respective standards.
Cybersecurity audits are also valuable even aside from regulatory compliance. In today’s highly interconnected world, where organizations routinely give technology providers and other third parties access to mission-critical systems and data, you need to understand whether those third parties have trustworthy cybersecurity programs themselves. It’s quite possible that their poor security habits could jeopardize your data, or even your customers’ data, exposing you to regulatory penalties and civil lawsuits.
Quite simply, audits illuminate the landmines that exist in today’s cybersecurity world and help you avoid stepping on them. So, the ability to perform those audits efficiently and effectively is crucial.
How to Perform Cybersecurity Audits
First, understand the criteria against which you want to audit. For cybersecurity, this will typically be one or more frameworks — that is, widely accepted standards for cybersecurity that you can use as a template to guide your own program. Popular frameworks include:
- The NIST Cybersecurity Framework, from the National Institute of Standards and Technology
- PCI DSS, a framework for protecting payment card data
- HIPAA and HITRUST, two frameworks for protecting personal health data
- FedRAMP, a framework used by the US federal government to protect cloud data
- Numerous ISO standards from the International Organization for Standardization, on issues including quality management, risk management, and information security
Your cybersecurity audit should map your existing policies, procedures, and controls for cybersecurity against the framework’s desired controls. This is known as a gap analysis, since you’ll typically find numerous gaps where your security program isn’t as robust as the framework suggests.
Audits will include a phase where the auditor talks with employees in the organization to understand how business processes happen and what risks the organization faces. The auditor might ask to observe a process (say, provisioning IT access to a new user) or to view documentation that describes how a process works. All of this is to understand whether any policies, procedures, and controls are missing; and whether they are designed properly for the risks at hand.
Auditors will also test controls to see whether they work as intended. For example, the auditor might try to find instances where a user should be challenged to provide two-factor authentication, but that doesn’t happen; or the auditor might perform a vulnerability scan to find any flaws in ERP software that should have been patched but weren’t.
Two other points to remember here are evidence collection and the audit report.
All evidence from the cybersecurity audit should be collected and stored in a single repository to assure that no important data is forgotten, misplaced, duplicated, or otherwise invalidated. Auditors need a “single source of truth” so that all decisions about your cybersecurity program flow from the same set of data. This means that collecting data manually — chasing people via email, storing PDFs in a shared folder, and the like — is not a valid way to manage your cybersecurity audit. The risk of errors and omissions in the data is too great.
The results of the audit should then be written into a final audit report. The report will typically document all shortcomings and weaknesses found, and offer a list of remediation steps your organization should take to rectify them.
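The gap analysis, control testing and evidence-collection steps above, as an added example that is not from the article: each piece of evidence in the single repository is mapped to a framework control, and every control that has no evidence, was never tested, or failed its test becomes a finding. The control IDs, descriptions, evidence paths and test outcomes are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample framework (hypothetical control IDs and wording,
# not quoted from NIST, PCI DSS or any other real standard).
FRAMEWORK = {
    "AC-1": "Multi-factor authentication is enforced for remote access",
    "AC-2": "User access rights are reviewed at least quarterly",
    "SI-1": "Critical patches are applied within 30 days of release",
    "DM-1": "Production data is segregated from test environments",
}

@dataclass
class Evidence:
    control_id: str   # framework control this evidence supports
    source: str       # location in the single evidence repository
    tested: bool      # whether the auditor tested the control in operation
    effective: bool   # test result (ignored when tested is False)

@dataclass
class Finding:
    control_id: str
    kind: str         # "missing" (design gap), "untested", or "ineffective"
    remediation: str

def gap_analysis(framework, evidence):
    """Return (findings, unmapped): one Finding per framework control that
    lacks evidence, was never tested, or failed its test."""
    by_control = {}
    for e in evidence:
        by_control.setdefault(e.control_id, []).append(e)
    findings = []
    for cid, desc in framework.items():
        items = by_control.get(cid, [])
        if not items:
            findings.append(Finding(cid, "missing", f"Design and implement: {desc}"))
        elif not any(e.tested for e in items):
            findings.append(Finding(cid, "untested", f"Test in operation: {desc}"))
        elif not all(e.effective for e in items if e.tested):
            findings.append(Finding(cid, "ineffective", f"Remediate so that: {desc}"))
    # Evidence that maps to no framework control is reported, not counted as a gap.
    return findings, sorted(set(by_control) - set(framework))

# Constructed evidence: AC-1 passes, AC-2 fails, SI-1 is documented but
# untested, DM-1 has nothing, and XX-9 maps to no framework control.
SAMPLE_EVIDENCE = [
    Evidence("AC-1", "idp/mfa-policy.pdf", tested=True, effective=True),
    Evidence("AC-2", "iam/q3-access-review.xlsx", tested=True, effective=False),
    Evidence("SI-1", "patching/sop.docx", tested=False, effective=False),
    Evidence("XX-9", "misc/old-policy.pdf", tested=True, effective=True),
]
```

Running `gap_analysis(FRAMEWORK, SAMPLE_EVIDENCE)` yields one finding each for AC-2, SI-1 and DM-1, which is the list the audit report's remediation section is built from.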
Which brings us to perhaps the most important point about cybersecurity audits of all.
What to Do With Your Cybersecurity Audit Findings
Let’s bring all this back to Twitter and so many other companies. The shortcoming that so often occurs with cybersecurity audits comes at the end: companies simply fail to take the findings of a security audit and use them as the basis for improving security.
Instead, those findings should be the foundation for remediation plans. They should be translated into specific tasks — drafting a new policy, implementing a new technical control, conducting tests more often — which are then assigned to specific employees in your enterprise, who are responsible for getting the work done.
The CISO or compliance manager should also track the organization’s progress on those tasks, complete with alerts when something isn’t done by a certain deadline — and, when necessary, escalation to more senior executives so they lean on tardy employees to get the tasks finished.
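The remediation tracking described above, as an added example that is not from the article: each finding becomes a task with an owner and a deadline, overdue tasks raise an alert to the owner, and tasks overdue past a threshold escalate to the owner's manager. The threshold, task names, people and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Escalate to the owner's manager once a task is this far past its deadline
# (a constructed policy value, not a figure from the article).
ESCALATE_AFTER = timedelta(days=14)

@dataclass
class Task:
    finding_id: str    # audit finding this task remediates
    description: str   # e.g. "draft a new access-control policy"
    owner: str         # employee responsible for getting the work done
    manager: str       # who receives the escalation
    due: date
    done: bool = False

def track(tasks, today):
    """Return (alerts, escalations, open_count) as of `today`.
    alerts: (finding_id, owner, days_overdue) for every overdue open task;
    escalations: (finding_id, manager, days_overdue) for those overdue by
    at least ESCALATE_AFTER."""
    alerts, escalations, open_count = [], [], 0
    for t in tasks:
        if t.done:
            continue
        open_count += 1
        if today <= t.due:
            continue                      # still within its deadline
        late = (today - t.due).days
        alerts.append((t.finding_id, t.owner, late))
        if today - t.due >= ESCALATE_AFTER:
            escalations.append((t.finding_id, t.manager, late))
    return alerts, escalations, open_count

# Constructed sample remediation plan (hypothetical names and dates) and the
# constructed date on which the status report is produced.
AS_OF = date(2022, 11, 1)
SAMPLE_TASKS = [
    Task("F-1", "Enforce MFA on VPN logins", "alice", "cto", date(2022, 10, 30)),
    Task("F-2", "Complete Q3 access review", "bob", "ciso", date(2022, 10, 10)),
    Task("F-3", "Patch ERP servers", "carol", "cto", date(2022, 9, 1), done=True),
    Task("F-4", "Segregate test data", "dave", "ciso", date(2022, 11, 15)),
]
```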
In other words, audits, compliance, and cybersecurity risk management are all inextricably connected. An effective audit will help you with compliance and risk management; but an audit can’t truly be effective unless you have a compliance and risk management program that assures the audit findings are addressed in a timely manner. That includes a CISO or compliance officer empowered by the board and senior management to drive a strong security program, and technology that embraces automation, dashboards, and other IT capabilities mentioned above.
Only when all that is in place can your organization take full advantage of security audits for better risk management and a more agile response to today’s difficult, complex security environment.
Otherwise you’re just going through the motions of auditing for its own sake — and that’s not enough to protect anyone anymore.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.