Why Security Audits Can Be Deceptive


June 9th, 2017
Chad Boeckmann, CEO, Secure Digital Solutions

We all deal with, on some level, audits. For highly regulated industries audits are a fact of life. The typical audit lifecycle is similar across virtually all industries. An audit is conducted, executives are briefed on findings and teams are assigned items to remediate before the next audit begins. As a result, oftentimes security performance metrics are presented in terms of audit or compliance status – a binary measure. For most, this serves as an appropriate KPI for cybersecurity and compliance performance.

However, according to the NACD, there are five key cybersecurity principles boards need to be concerned with. While an important function, audit is not specifically listed. Instead, the term cyber risk has been introduced as a key board-level initiative. This is significant because it forces security executives to reconsider the practice of demonstrating security posture primarily in audit and compliance terms and focus on a system of analysis that addresses enterprise risk. Traditional audit activities instead would then be viewed more as a transactional function of business and automated to the extent possible through trusted vendor relationships and tools to reduce repeated costs.

Audits are essential to ensure controls are established and effective in meeting regulatory compliance requirements. However, these activities are a point-in-time snapshot. They are not effective at measuring continuous performance, which is key when determining breach likelihood and current level of cyber risk – a metric that the NACD places significant focus on. An effective illustration of the difference would be the comparison between a digital and analog wavelength. Traditional audit and compliance reporting provides a digital – or stepped, square and unique – pattern while analog provides a more smooth, continuous output.

More and more security executives require both compliance and continuous views to form a true measure of the effectiveness of the security program. They need a compliance view at the control level as well as a continuous enterprise view for the executive suite. With TrustMAPP, organizations can measure their performance continuously, providing the capability to manage and maintain sustained compliance over time.