I am back from my week of trips and ready to get back into the blogging routine. While travelling and talking with clients about security audits, a few thoughts occurred to me.
If all your security audits are involuntarily performed by external entities and you are simply struggling to survive them for fear of punitive recourse, then you probably don’t have the best attitude when it comes to security. A security audit should help your organization improve and grow – it is not something to be scared of.
I was reminded of the saying that no security is actually better than poor security. With no security, at least you know exactly how secure you are and won’t act in a way that puts your data at risk. With poor security, you may be lulled into a false sense of security that leaves you exposed to staggering losses when a breach does occur.
This is why security audits are so important: they tell you the current level of your security. That knowledge lets you make informed decisions about data risk. You should conduct your own security audits often, and again after implementing new security defenses.
Now I’m often asked whether it’s better to conduct internal audits yourself or to pay outside security consultants to conduct external audits. Personally, I feel there are a few more advantages to outsourcing the audit.
1) Security consultants make security audits a core function of their business. They probably have more experience and a wider knowledge base, and so will find more gaps than an internal audit would.
2) Internal audits tend to be lax when it comes to identifying gaps. The focus shifts to ticking boxes rather than actively trying to break the system.
3) If something is missed in the security audit and a breach occurs – at least you have someone else to blame. You may even be able to hold your security consultant company accountable depending on the contract.
4) There is no reason you cannot perform an internal audit and then have an external one, comparing the two to check accuracy and to build your team’s skill set.
I hope to see more security audits met with open arms rather than with dread and uncertainty. Just remember that security is never final, and an audit is only one part of the continuous effort to improve your defenses.