Introduction
As cyber threats evolve and regulatory requirements tighten, businesses face increasing pressure to protect their sensitive data and strengthen security practices. This blog will give you some helpful insights from an auditor’s perspective (mine!) on auditing organisational information security, exploring the challenges, the best practices and the common pitfalls I encounter. Whether your organisation is just beginning its security journey or striving to optimise an established programme, understanding these dynamics is crucial for ensuring a successful compliance audit.
Your Security Strategy Maturity
As an auditor, I get to see a good amount of organisational information security practices. Some organisations have a well-formed information security function: this may be a single person or a group. These entities have established policies and procedures and conduct their governance effectively. While there is always room for improvement – as is the case for most departments in any business – one of the key elements auditors look for is continuous improvement and the intent to optimise the information security department’s capabilities.
Well-functioning departments are typically supported by the business and, on the whole, perform admirably, often with limited or restricted budgets. Contrary to popular belief, auditors do not seek perfection; as any experienced professional will attest, perfection is an unattainable goal. But these departments do their best.
In contrast, there are organisations at the beginning of their information security strategy journey. While the intent is present, they may lack resources or are still working on reaching a more advanced level of security. The path from minimal security to a more advanced state is lengthy and complex. It’s important to recognise that this is a journey: progress is not instant. It takes time to establish robust cybersecurity measures, gain business acceptance for policies, and build out an efficient and effective defence in depth strategy.
Regardless of which situation you find yourself in, this intent to improve is what auditors want to see. Even organisations in the early stages of their security journey have the essential components present. A significant bedding-in period is then necessary to refine those components and reach the desired state, assuming you have completed the required tasks. In these cases, you are likely to pass an audit, or possibly pass with recommendations for improvement.
This is a fact of life in the auditing process.
Key Considerations for Auditors
Most auditors do not audit to the letter of the requirement; instead, we look to ensure the requirement is being met based on its underlying intent. While we still need to make sure that controls are in place, as long as the intent is sound and the necessary items are present, you should have no problems or, at least, very few that cannot be remediated. As auditors, we also understand the challenges that organisations face in ensuring information security. It is not an easy task, especially for those just beginning their journey towards a more secure environment. However, this does not mean that these organisations are failing or not doing enough to meet security standards.
In fact, auditors appreciate the effort and dedication put into establishing and improving information security measures. We know that it takes time, resources and continuous learning to achieve a certain level of security. We also understand that security teams are often thrown curve balls, as there will always be new threats emerging and vulnerabilities discovered.
Therefore, what we really look for during audits is not flawless security systems or policies, but rather the organisation’s commitment to improving their current security posture. We want to see evidence of a proactive approach towards identifying and effectively mitigating risks. We want to see how effective the organisation’s incident management processes are and their ability to learn from these incidents to prevent future occurrences.
But most importantly, we want to see how organisations integrate information security into their business operations. It should not be seen as a separate function or an afterthought, but rather an integral part of the organisation’s culture and strategy.
The Importance of Continuous Improvement
So, if you are part of an organisation working hard on your information security, do not feel discouraged if you are not where you want to be yet. Remember that it is a journey filled with challenges and learning opportunities. As long as you are committed to improving your security posture and have the right mindset, you are on the right path. As auditors, we are here not just to evaluate your current state but also to provide guidance for improvement based on best practices and industry standards. From our perspective, it’s better to have an organisation actively working on enhancing its security measures than one that is merely box-ticking.
Keep moving forward in your journey towards better information security – every step counts, no matter how small it might seem at the moment. What I have described above is what good information security programmes and business functions look like.
The Misconception of Information Security as an IT Issue
Conversely, there exists another category of organisations: those that merely pay lip service to security requirements or lack a genuine intent to meet them. These entities often perceive security as an impediment to organisational operations. Regrettably, I have seen situations (more times than I care to count) where individuals are given the role of CISO without the necessary security skills or experience, simply because of their background in IT, compliance or risk management. Information security is a specific discipline: protecting people, processes and technology through layered and blended protection and training requires years of specific skill development.
A common misconception in some organisations is that information security is solely an IT issue. Often, the compliance or security frameworks they are obligated to follow have not been thoroughly reviewed, and the team may be unaware that these are often contractual or legislative requirements. This lack of understanding of their obligations leads to errors, omissions or refusal to implement necessary measures. While such individuals may possess some relevant knowledge, they lack the intricate understanding of the profession and may overlook critical factors because of their different professional background.
Challenges in Auditing
As you might imagine, auditing organisations like this presents significant challenges. If the intent to meet requirements is not there, and it’s evident that the organisation does not fully comprehend the security framework and relevant legislation, a trained auditor cannot pass them.
As auditors, we have to be objective and impartial when conducting audits. We have to ensure that organisations are compliant with all applicable regulations and standards, and highlight any issues so that they can be addressed. In most information security frameworks and legislation, an organisation is usually required to:
- Understand the standard
- Understand its obligations, and
- Maintain that knowledge as the standard evolves.
Typically, organisations are given ample time – usually a year or more – to understand and implement the necessary changes to meet new versions of the standard.
An experienced auditor will invariably pick up on these gaps in understanding very early on in the auditing process.
Key Advice for Passing an Audit
To pass an audit, it’s therefore extremely important for organisations to take information security seriously. It’s not just about ticking boxes or meeting regulatory requirements – it’s about protecting sensitive data and ensuring that business operations are secure. Information security is a crucial aspect of any organisation and it should be treated with forethought and as a priority. Organisations need to invest in appropriate information security measures and ensure that they have skilled professionals overseeing their security efforts.
If you’re not sure where to start or how to improve your current information security posture, it is advisable to engage a consultant or seek professional advice. There are plenty of resources available out there – take advantage of them.
As I said – auditors do not expect perfection. We understand that every organisation has its own unique challenges and constraints when it comes to information security.
What we really want to see is a genuine commitment towards improving information security, continuous learning and improvement, and a proactive approach towards managing risks.
A Holistic Approach to Information Security
Good information security extends beyond robust systems and policies. It’s also about having the right people with the right skills managing these systems and policies effectively. And most importantly, it’s about integrating information security into the core business operations and culture of the organisation.
It is the unfortunate truth that so many organisations, regardless of size, do not understand the implications of operating without a fully functioning information security department. This persists despite the extensive media coverage of high-profile breaches in recent years. Some companies have gone out of business as a result of a single security incident, while others have had to spend millions on fines, PR and recovery costs.
The evidence of this is there for all to see.
Conclusion
Finally, remember this: security doesn’t need to be expensive – it needs to be effective. It is less expensive to create a robust security strategy than to deal with the financial and reputational costs of a security breach.
About the Author
James Rees CISM, PCI DSS QSA, PCIP, ISO 27001 LA
Managing Director, Razorthorn Security
James, MD and Principal Security Consultant at Razorthorn Security, brings 25+ years of expertise in information security and consultancy. Having delivered CISO services to global giants, he possesses vast PCI DSS advisory and audit experience. James excels in crafting robust information security infrastructures and implementing intelligence-driven strategies to combat cyber threats. His experience solidifies him as an authority at the nexus of intelligence, cybersecurity and business protection.
Beyond his role at Razorthorn Security, James is a recognised leader in the field. He hosts the popular cybersecurity podcast, Razorwire, providing insights and interviews with industry experts. A published author and journalist, James is also a regular contributor in the dynamic realm of information security. His commitment to advancing the industry and sharing knowledge underscores his influential presence and impact in the cybersecurity landscape.
James Rees can be reached online at https://www.linkedin.com/in/jamesrees and at our company website at https://www.razorthorn.com/