Why Security Audits Can Be Deceptive

Published On: June 9, 2017

Chad Boeckmann, CEO, Secure Digital Solutions

Everyone deals with audits at some level; for highly regulated industries they are a fact of life. The audit lifecycle is similar across virtually all industries: an audit is conducted, executives are briefed on the findings, and teams are assigned items to remediate before the next audit begins. As a result, security performance metrics are often presented in terms of audit or compliance status, a binary measure. For most organizations this serves as an appropriate KPI for cybersecurity and compliance performance.

However, according to the NACD, there are five key cybersecurity principles boards need to be concerned with. Audit, while an important function, is not specifically listed among them. Instead, the term cyber risk has been introduced as a key board-level initiative. This is significant because it forces security executives to reconsider the practice of demonstrating security posture primarily in audit and compliance terms and to adopt instead a system of analysis that addresses enterprise risk. Traditional audit activities would then be viewed more as a transactional business function, automated to the extent possible through trusted vendor relationships and tools to reduce recurring costs.

Audits are essential to ensure controls are established and effective in meeting regulatory compliance requirements. However, these activities are a point-in-time snapshot. They are not effective at measuring continuous performance, which is key when determining breach likelihood and the current level of cyber risk, a metric the NACD places significant focus on. An effective illustration of the difference is the comparison between a digital and an analog waveform: traditional audit and compliance reporting provides a digital (stepped, square, discrete) pattern, while analog provides a smooth, continuous output.
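To make the snapshot-versus-continuous distinction concrete, here is an added example (not code from the article, and not TrustMAPP's own logic) that scores the same set of controls both ways. The control names, the daily check schedule, the 95% uptime threshold and the failure windows are all assumptions constructed for illustration. It shows how a control can read "pass" on audit day while the continuous record reveals it was failing for a third of the period.

```python
"""Point-in-time audit status versus continuous control performance.

Added example, not code from the original article or from TrustMAPP.
Control names, sampling schedule, thresholds and failure windows are
assumptions; all input data is constructed inline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    """One automated check of one control on one day (constructed data)."""
    day: date
    control: str
    passed: bool


def build_samples(start: date, days: int,
                  failure_windows: Dict[str, List[Tuple[int, int]]]) -> List[Sample]:
    """Construct one sample per control per day.

    failure_windows maps a control name to (first_offset, last_offset)
    day ranges, inclusive, during which that control's check fails.
    """
    samples = []
    for offset in range(days):
        for control, windows in failure_windows.items():
            failing = any(lo <= offset <= hi for lo, hi in windows)
            samples.append(Sample(start + timedelta(days=offset), control, not failing))
    return samples


def audit_snapshot(samples: List[Sample], audit_day: date) -> Dict[str, bool]:
    """The 'digital' view: binary pass/fail per control on the audit date only."""
    return {s.control: s.passed for s in samples if s.day == audit_day}


def continuous_view(samples: List[Sample]) -> Dict[str, dict]:
    """The 'analog' view: per-control uptime ratio and longest failing streak."""
    by_control: Dict[str, List[bool]] = {}
    for s in sorted(samples, key=lambda s: (s.control, s.day)):
        by_control.setdefault(s.control, []).append(s.passed)
    out = {}
    for control, series in by_control.items():
        uptime = sum(series) / len(series)
        longest = run = 0
        for ok in series:
            run = 0 if ok else run + 1
            longest = max(longest, run)
        out[control] = {"uptime": round(uptime, 3), "longest_failure_days": longest}
    return out


def compare(samples: List[Sample], audit_day: date, min_uptime: float = 0.95):
    """Return both views plus the controls that pass on audit day yet fell
    below the (assumed) uptime threshold over the whole period."""
    snap = audit_snapshot(samples, audit_day)
    cont = continuous_view(samples)
    deceptive = [c for c, passed in snap.items()
                 if passed and cont[c]["uptime"] < min_uptime]
    return snap, cont, sorted(deceptive)


# Constructed 90-day period: MFA enforcement lapsed for 30 days mid-period
# and recovered before the audit; patch SLA is failing on audit day itself.
START = date(2017, 3, 1)
DAYS = 90
AUDIT_DAY = START + timedelta(days=DAYS - 1)
FAILURE_WINDOWS = {
    "MFA enforced": [(10, 39)],
    "Backups restore-tested": [],
    "Patch SLA met": [(80, 89)],
}
SAMPLES = build_samples(START, DAYS, FAILURE_WINDOWS)


def run_demo():
    """Run the comparison over the constructed data set."""
    return compare(SAMPLES, AUDIT_DAY)


if __name__ == "__main__":
    snapshot, continuous, deceptive = run_demo()
    print("audit-day status:", snapshot)
    print("continuous view:", continuous)
    print("pass on audit day but below threshold over the period:", deceptive)
```

The audit-day snapshot reports MFA as compliant and only flags the patch SLA; the continuous view shows MFA at 66.7% uptime with a 30-day outage that the audit never saw. The threshold and scoring rule here are deliberately simple; a real risk model would weight controls by the assets they protect.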

More and more, security executives require both compliance and continuous views to form a true measure of the effectiveness of the security program: a compliance view at the control level as well as a continuous enterprise view for the executive suite. With TrustMAPP, organizations can measure their performance continuously, which provides the capability to manage and maintain sustained compliance over time.
