Why Security Audits Can Be Deceptive

Published On: June 9, 2017

Chad Boeckmann, CEO, Secure Digital Solutions

Everyone deals with audits at some level; for highly regulated industries they are a fact of life. The audit lifecycle is much the same across industries: an audit is conducted, executives are briefed on the findings, and teams are assigned items to remediate before the next audit begins. As a result, security performance metrics are often presented in terms of audit or compliance status, a binary measure, and for most organizations this serves as the KPI for cybersecurity and compliance performance.

However, the NACD identifies five key cybersecurity principles that boards need to be concerned with, and audit, important a function as it is, is not specifically among them. Instead, the term cyber risk has been introduced as a key board-level initiative. This is significant because it forces security executives to reconsider the practice of demonstrating security posture primarily in audit and compliance terms and to adopt a system of analysis that addresses enterprise risk. Traditional audit activities would then be treated as a transactional business function, automated to the extent possible through trusted vendor relationships and tools to reduce recurring costs.

Audits are essential to ensure that controls are established and effective in meeting regulatory compliance requirements. However, these activities are a point-in-time snapshot. They are not effective at measuring continuous performance, which is key to determining breach likelihood and the current level of cyber risk, a metric the NACD places significant focus on. A useful illustration of the difference is the comparison between a digital and an analog waveform: traditional audit and compliance reporting produces a digital (stepped, square) pattern sampled at discrete moments, while continuous measurement produces a smooth, uninterrupted analog output.
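The following simulation is an added illustration of this point, not code from the original post or from any product it mentions. It uses a constructed daily series for one hypothetical control (the share of endpoints with full-disk encryption enabled), an assumed 95% policy threshold, an assumed quarterly audit cadence, and an assumed two-week remediation push before each audit. Sampling the series on the audit dates alone yields a clean pass every quarter, while the same data viewed continuously shows the control out of tolerance for most of the year.

```python
"""Point-in-time audit view versus continuous measurement of one control.

Added example with constructed data; thresholds, cadence and the fleet
size are assumptions for illustration, not figures from the post.
"""
from datetime import date, timedelta

TOTAL_ENDPOINTS = 1000          # constructed fleet size
TOLERANCE = 0.95                # assumed policy: >= 95% of endpoints encrypted
AUDIT_PERIOD_DAYS = 90          # assumed quarterly audit cadence
REMEDIATION_WINDOW_DAYS = 14    # assumed pre-audit clean-up push


def constructed_daily_series(start, days):
    """Constructed daily encryption coverage as a fraction of the fleet.

    Between audits, newly provisioned devices erode coverage by a few
    endpoints per day; in the two weeks before each audit a remediation
    push restores it. Audits fall on day 0, 90, 180, ...
    """
    series = {}
    encrypted = 990
    for i in range(days):
        days_to_audit = (AUDIT_PERIOD_DAYS - i % AUDIT_PERIOD_DAYS) % AUDIT_PERIOD_DAYS
        if 0 < days_to_audit <= REMEDIATION_WINDOW_DAYS:
            encrypted = min(990, encrypted + 20)   # pre-audit remediation
        else:
            encrypted = max(800, encrypted - 4)    # slow drift between audits
        series[start + timedelta(days=i)] = encrypted / TOTAL_ENDPOINTS
    return series


def audit_results(series, audit_dates):
    """Point-in-time view: pass/fail of the control on each audit date only."""
    return {d: series[d] >= TOLERANCE for d in audit_dates}


def continuous_results(series):
    """Continuous view over the same data: how often and how far the control
    was out of tolerance, which the audit dates alone cannot reveal."""
    values = list(series.values())
    below = [v for v in values if v < TOLERANCE]
    return {
        "days_observed": len(values),
        "days_out_of_tolerance": len(below),
        "fraction_out_of_tolerance": len(below) / len(values),
        "minimum_coverage": min(values),
        "worst_shortfall": (TOLERANCE - min(values)) if below else 0.0,
    }


def compare(start=date(2017, 1, 1), days=180):
    """Run both views over the same constructed series and return them."""
    series = constructed_daily_series(start, days)
    audit_dates = [start + timedelta(days=k)
                   for k in range(0, days, AUDIT_PERIOD_DAYS)]
    return audit_results(series, audit_dates), continuous_results(series)


if __name__ == "__main__":
    audits, continuous = compare()
    for d, passed in audits.items():
        print(f"audit {d}: {'PASS' if passed else 'FAIL'}")
    for key, value in continuous.items():
        print(f"{key}: {value}")
```

Over 180 constructed days both audits pass, yet the control sits below threshold on 146 of those days and bottoms out at 80% coverage. The continuous view is what a risk-oriented metric such as "days out of tolerance" or "worst shortfall" is built from; the audit view cannot produce it because it never observes the days in between.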

More and more security executives require both a compliance view and a continuous view to form a true measure of the effectiveness of the security program: a compliance view at the control level, and a continuous enterprise view for the executive suite. With TrustMAPP, organizations can measure their performance continuously, providing the capability to manage and maintain sustained compliance over time.
