Published: August 2, 2018
In the increasingly complex world of cloud services, digital experiences, analytics, and shadow IT, the aptitude and maturity of information security programs are paramount to business success. Malware, breaches, and advanced persistent threats can rapidly impact corporate brand and reputation.
Furthermore, customer confidence depends on data security and privacy protection. In this challenging risk management environment, applying and measuring security controls are essential to success.
While strong frameworks and precise execution are the primary objectives of security teams, adherence to controls and compliance must be proven through security and regulatory audits and risk assessments. But with the current pace of change, proof of adherence to prevailing security standards is not enough.
Today’s enterprise must set goals to build and maintain a culture of compliance where each department and individual understands the business intent of controls, identifies risk gaps, and analyzes their impact on information security and business objectives. Importantly, audit teams must then measure and report progress towards achieving this culture of compliance and resulting customer trust.
Moving Beyond Routine Audits
Independent audits and risk assessments are frequently how customers evaluate security maturity and capabilities. Point-in-time evaluations, however, do not address rapid change. Inventive attacks on endpoints, applications, and networks materialize weekly and place intellectual property and customer data at risk.
Furthermore, inadvertent errors by internal personnel are frequent sources of hacks. In all cases, sanctions and lawsuits often follow a successful breach.
In addition to threats, new business models and regulations are pervasive. Audits must be retooled and designed into the business to reduce overhead, and go beyond routine compliance to existing regulations and standards.
Audit controls must continually measure business process risk and help the enterprise react to new requirements in day-to-day processes, not in a war room.
To reach this goal, audit teams must work closely with business teams to enhance each process with a cycle of risk measurement – assess security risk, modify the business process, and provide feedback to adjust and monitor controls. Furthermore, to prevent fatigue from taxing audit programs, audit leaders must measure and prove their value to the business.
Enabling the Business to Improve Operations
Less mature audit and assessment efforts often tax business teams and inhibit corporate growth and efficiency. To reverse this outcome, audit teams must empower the business to identify risk, improve their operations, and add value to the enterprise.
In fact, transforming business perspectives on security audits from being a tax to providing a benefit, and reducing audit fatigue, cannot be accomplished without business cooperation.
Once audits enable the business, they become an effective method to improve critical processes by identifying gaps and helping business teams modify operations. At peak performance, the audit team’s measurement of compliance progress can become a strategic advantage to the business as it pushes faster into the unpredictable age of digital transformation. As a further benefit, business teams can add value to the audit and security groups’ efficiency by providing feedback that helps identify redundant or obsolete controls and improves the audit process.
Foundational Audit and Assessment
Establishing a strong information security audit and assessment program begins with alignment to required regulations and globally adopted control frameworks such as COBIT 5, ISO 27001, ITIL, CMMI, and others. Audit teams then need to develop a strong roadmap that demonstrates adherence to these frameworks, along with governance, risk, and compliance (GRC) programs that support this roadmap.
Thereafter, information security audit processes must be streamlined while also consistently maturing their security controls. Achieving these fundamentals requires audit teams to adequately invest in people, process, and technology that continuously measure compliance, identify gaps, and demonstrate data privacy and protection.
The program must also align with GRC efforts, serving as one of the three lines of defense and a contributor to its overall success. In fact, strategic information security GRC roadmaps drive more stringent and streamlined audit and compliance processes and help demonstrate security maturity to customers and shareholders.
And for GRC programs already synchronized with business objectives, security audits should more easily align with and enable the business to ensure current processes and new models are designed for security and privacy.
Audit Team’s Business Value
Without business alignment, a security audit team’s policy can be viewed as burdensome rules accompanied by restrictive and unsustainable policing. In these scenarios of minimal business cooperation, audits also present a false sense of security to the organization. Teaming with the board, executives, and managers to jointly define and own the intent of each policy fosters an environment where business teams can self-assess and address critical enterprise risk aligned with security goals. In this coveted state, audit teams move well beyond point-in-time adherence and are well positioned to add enterprise value.
Manga Sridhar Akella, Program Manager, Information Security @YASH Technologies