Learning to Love the Audit

Love 'em or hate 'em, security audits are now a way of life. Your best bet is to stop fighting and start automating

4:50 PM -- Death. Taxes. And if you're in the world of IT security, audits.

For years, many of us looked at security audits as a one-time deal, like having a tooth extracted or replacing the transmission in your car. If you can get through it this time, we thought, it will all be over.

This week, however, the Compliance Security Council -- soon to be renamed the IT Policy Compliance Group -- shared some sobering numbers with us. (See Winning the Compliance Game.) And they all point to one grisly conclusion: Security audits are becoming a way of life.

According to the Council, which is made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, about 80 percent of organizations have been through three or more regulatory audits in the last year. That doesn't count industry-specific audits, which require compliance but aren't regulated by the government, or internal audits, which some ambitious enterprises now conduct every 21 days.

Holy cats, even Katie Couric's colonoscopy wasn't this thorough.

The gradual, but inexorable, proliferation of audits is, for good or ill, completely changing the life of the security professional. Instead of spending their time examining new threats and building new defenses, security people today are increasingly called upon to test and evaluate their existing systems in an effort to expose flaws and vulnerabilities. Done in moderation, this sort of exercise can be helpful in finding and fixing holes that have been overlooked.

However, if audits continue to proliferate at their current pace, I can't help but wonder whether they will actually diminish the effectiveness of security organizations, and perhaps the infrastructure itself. A doctor can spend too much time analyzing a disease, rather than curing it. A business can spend too much time analyzing its processes, and completely miss out on new markets. Yes, security teams need to evaluate their infrastructures on a regular basis. But they need to look at future threats, emerging technologies, and new business risks as well.

The key, I think, is to accept the fact that audits are inevitable, and to consider methods for automating the audit process. Many organizations are leveraging security information management tools, for example, to perform a rough "compliance monitoring" function, collecting alerts when systems stray from their requirements. In other organizations, it might make sense to dedicate a few hardy souls to the compliance or auditing function, so that others can be freed up to focus on future threats and defenses without getting too bogged down in self-analysis.

The Compliance Security Council's figures bear this out. According to the Council's research, companies that do continuous monitoring had the fewest audit deficiencies. The companies that are most successful in their compliance efforts are those that "are taking money out of labor and putting it into automating the processes," says James Hurley, the Council's director of research, who is also director of research at Symantec.

It's time, as Dr. Strangelove might say, to learn to stop worrying and love the audit. If you regard it as an inevitability, and not an anomaly, you can build it into your processes and prevent it from completely gridlocking your other security efforts.


— Tim Wilson, Site Editor, Dark Reading