Last Updated on June 29, 2021
Part of my day job is acting as Pivot Point Security’s CISO. In that role, I have participated in our ISO 27001 ISMS Internal Audit and our Registrar’s Surveillance Audit over the last two weeks.
In the initial meeting, I always say the same thing: “Give me any nonconformities (NCs) and Opportunities For Improvement (OFI ) you can find.’” In fact, I often point out OFIs that are those “We probably should…” ideas floating around in my head that I just haven’t gotten around to.
From my experience as a Certified Information Systems Auditor (CISA) and ISO 27001 Certified Lead Auditor, I have been part of hundreds of audits where the non-explicitly stated message from the auditee was, “I hope you don’t find any NCs or OFIs.” Or, often far worse, “I will fight you tooth and nail on every NC or OFI you raise and if I am not happy with the audit I will find a new firm to do it next year.”
I understand why the average CISO/CIO/Security Director doesn’t want findings in their audit:
- Audit findings are an indication that things aren’t working right/can be improved, and hence are often perceived as a negative reflection on the auditee. No one wants management to think that they are not doing a good job.
- Audit findings often require some short-term and longer-term work to develop a Corrective Action Plan and likely solve a slightly challenging issue (or you would have solved it yourself already). Everyone is busy and more work is not what you are looking for.
But here’s why I take the opposite approach and embrace and even encourage audit findings:
- When we pull one of our ISMS consultants out of the field to conduct an Internal Audit, we want to get a return on investment on the time/money it takes to perform the Internal Audit.
- ISO 27001 and SOC 2 audits are expensive and time-consuming. If an auditor spends $40,000 worth of time and can’t find a recommendation to make to make you more secure, improve a process, increase your understanding… does that mean you hired a bad auditor? For $15,000 or $40,000, I want something tangible beyond a report or certificate to show our clients. I want value. I want to improve. I also want to know that the auditor has the experience and qualifications to do the work and invested the time that we paid them for.
Telling an auditor that you “want” findings gives them the latitude to tell you that your baby is ugly. You pay auditors a lot of money and the unfortunate reality is that if they give you a lot of findings you will be unhappy, and unhappy clients often become former clients. So auditors are “incented” to only give you findings when they “have to.” That dynamic is dysfunctional and “lose-lose.” Giving me every finding you can is “win-win.” It tells your auditor you want the best ISMS/Information Security Program you can have, and ensures you are going to get the best work the auditor can give you.
Your ISMS actually improves. Your year-over-year risk goes down and the likelihood that your organization has a significant security incident plummets.
- I am busy and too often procrastinate on improvements to our security that I know should get done but don’t (cobbler’s children, I get it). When I get an NC on our ISO 27001 internal or external audit I have no choice but to address it, now. Short-term pain = long-term gain.
- When I get an OFI, I gain the perspective and experience of others and I can apply (or not apply) that experience/knowledge to improve our security posture and/or simplify the operation of our ISMS.
- Audit findings get CxO/Board level visibility, which is often what is necessary to get you the funding and/or staffing you need to address the issues you have tried to address on a shoestring budget or with too few people/resources.
If you are a CISO/CIO/Security Director who wants to employ the “give me all the NCs and OFIs you can” approach, start by setting an expectation with management that this is what you are doing and explain the rationale. Management’s first reaction to a list of audit findings is trying to figure out who is to blame for each one of them. Getting ahead of that and explaining to them the value proposition of embracing audit findings is critical to your long-term success. Personally, I have found the CxO suite responds best to ROI-related messages. Explaining that you expect ROI on the $30,000 and 2 person-weeks of internal effort beyond a report/certificate you will hand to a client usually resonates.
If you are a COO/CFO/Board Member that wants to employ the “give me all the NCs and OFIs you can approach,” start by setting an expectation with the CISO/CIO/Security Director that you understand that there is no such thing as being 100% secure. Which directly translates to there being no such thing as a perfect Information Security Program. Hence, it would be foolish to think that an auditor worth the investment would not be able to find ways to improve our security program. Giving your CISO the ability to embrace “failure” gives you the assurance that you are going to get an accurate picture of your security/compliance. Plus, then your CISO is incented to share the truth instead of hiding it. I have been part of way too many conversations with clients where the focus of the meeting was about what we needed to do to eliminate or alter the finding so that the board doesn’t understand its significance.
Shift your security culture to one that embraces “ugly babies,” and you (and your ugly baby) will sleep better at night knowing you know everything you need to and that you are continually improving your security posture.