An IT Audit Covers about 60% of Your InfoSec Posture
One of the most common conversations I have with Boards and Senior Leadership is regarding the broad assumption that their IT audit or regulatory exam is a sufficient measurement of the effectiveness of their information security efforts. The reality is that an IT audit generally covers about 60% of an organization’s information security posture, and a regulatory exam about 15-25% of an organization’s information security health, leaving major gaps and the misconception that the organization is in good shape. As the saying goes,
“You don’t know what you don’t know”
This common gap in understanding is where exploits may be lying in wait, and it can lead to a false sense of confidence. Many organizations I work with initially rely on IT for their security work. This is true at least until we have the discussion on why relying on IT is only a partial component of an effective information security strategy. As good as most IT departments are, they are always short-staffed, busy fire-fighting technical problems, replacing equipment, and, hopefully, introducing new technologies. Rarely is IT empowered to step back and take an objective and comprehensive view of the full information security landscape. Even more rarely are they interested in doing that because it generally just leads to more unsexy work for them to backlog.
Cybersecurity and Information Security: Is IT the Same Thing?
To get an even perspective on this dilemma, let’s first define Cybersecurity and Information Security. There’s an ongoing debate in the industry regarding the two concepts.
Generally speaking, Cybersecurity is what IT is typically charged with. Information Security, on the other hand, is usually assigned to someone; however, when the topic comes up, no one really knows who that individual is.
There are important differences between cybersecurity and information security. Security practitioners generally understand this, and cybersecurity practitioners think they do. For the purposes of this conversation, let’s define them like this:
Cybersecurity
The practice of protecting systems, networks, devices, programs, and data from digital attacks, unauthorized access, damage, or theft. It involves implementing technologies, processes, and controls designed to safeguard an organization’s digital assets, ensuring the confidentiality, integrity, and availability of information.
Information Security
The practice of protecting information from unauthorized access, disclosure, alteration, destruction, or disruption. It involves implementing a set of policies, procedures, and technical measures designed to safeguard the confidentiality, integrity, and availability of data, whether it’s in storage, processing, transit, digital, or in print form.
Now think of these two concepts relative to audits and regulatory exams. In reality, audits are generally limited in scope. They are designed to examine a sampling of controls by drilling into a few select areas, typically born out of a theme of emerging topics or “flavor of the day” directives in the industry. Annual audits and regulatory exams are not intended to be a comprehensive review of controls or validations of people, process, and technology. They are frequently thematic exercises where particular areas of the exam receive a concentrated focus. For instance, privileged account management may be a focus area for regulatory exams. However, the auditors usually select a small sample to review. Moreover, in my experience, responses are generally crafted to satisfy only the questions asked, and do not truly demonstrate how effective an organization is in that particular area. It is a bit like a game of cat and mouse between the auditor and the organization.
A Real-Life Example: Audit Passed, Security Assessment Failed
During a recent assessment my team conducted, we reviewed a copy of the client’s most recent audits: an IT audit and a regulatory exam report. The auditor had requested the policy regarding privileged accounts.
The policy stated that a Service Desk ticket was to be opened for adds, moves, and changes to accounts that required supervisor approval. A sampling of 10 recent privileged account changes was requested. The auditor randomly selected 3 to review and validate that the appropriate persons approved the changes. The IT audit passed.
Nonetheless, we discovered that while the IT audit passed, the information security assessment failed.
What happened? When we performed our information security assessment, we discovered that some privileged account changes may have taken place without Service Desk tickets. We compared log data and Service Desk tickets for privileged accounts and found disparities. It appeared that privileged accounts had been adjusted without tickets and account modifications had taken place outside of the Service Desk. Even worse, we also discovered accounts of terminated employees were still active and being used because HR hadn’t had time to open IT tickets.
The auditor was focused on the narrow scope: a supervisor/business owner had approved the change, and so the audit was considered successful. The auditor didn’t do anything wrong; they followed procedure. Never mind that additional permissions were granted to the accounts of two terminated employees. Even worse, the terminated employee accounts still possessed remote access to the system that could have allowed transactions to be carried out remotely.
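The reconciliation described above, as an added example that is not code from the assessment or from iShift: a Python script that cross-checks a privileged-account change log against Service Desk tickets and an HR termination roster, surfacing the three gaps the assessment found (changes without an approved ticket, terminated employees whose accounts are still enabled and hold remote access, and privilege grants made after termination). All account names, ticket ids, dates and log records are constructed for the example.

```python
from datetime import date

# Constructed sample data (not from the assessment described in the post).
# Privileged-account change events, as an IAM or directory audit log might record them.
CHANGE_LOG = [
    {"account": "jdoe",   "change": "add-group:Domain Admins",  "when": date(2024, 3, 4),  "ticket": "SD-1041"},
    {"account": "asmith", "change": "add-group:VPN-Users",      "when": date(2024, 3, 9),  "ticket": None},
    {"account": "bwong",  "change": "reset-password",           "when": date(2024, 3, 12), "ticket": "SD-1077"},
    {"account": "asmith", "change": "add-group:Finance-Admins", "when": date(2024, 3, 15), "ticket": None},
]
# Approved Service Desk tickets for privileged-account changes (constructed).
TICKETS = {"SD-1041": {"account": "jdoe", "approved_by": "supervisor"},
           "SD-1077": {"account": "bwong", "approved_by": "supervisor"}}
# HR roster: termination date per employee, None = still employed (constructed).
HR_ROSTER = {"jdoe": None, "asmith": date(2024, 3, 1), "bwong": None}
# Current directory state: enabled flag and remote-access group membership (constructed).
DIRECTORY = {"jdoe":   {"enabled": True, "remote_access": False},
             "asmith": {"enabled": True, "remote_access": True},
             "bwong":  {"enabled": True, "remote_access": False}}
AS_OF = date(2024, 4, 1)  # date the assessment snapshot was taken

def changes_without_ticket(change_log, tickets):
    """Privileged changes with no ticket, or whose ticket names a different account."""
    findings = []
    for ev in change_log:
        t = tickets.get(ev["ticket"]) if ev["ticket"] else None
        if t is None or t["account"] != ev["account"]:
            findings.append((ev["account"], ev["change"], ev["when"]))
    return findings

def terminated_but_active(hr_roster, directory, as_of):
    """Accounts of employees terminated on or before as_of that are still enabled,
    with the number of days the account has outlived the termination and its remote-access flag."""
    return sorted(
        (user, (as_of - term).days, directory[user]["remote_access"])
        for user, term in hr_roster.items()
        if term is not None and term <= as_of and directory.get(user, {}).get("enabled")
    )

def changes_after_termination(change_log, hr_roster):
    """Privileged changes applied to an account after its owner's termination date."""
    return [(ev["account"], ev["change"]) for ev in change_log
            if hr_roster.get(ev["account"]) and ev["when"] > hr_roster[ev["account"]]]

if __name__ == "__main__":
    print("no approved ticket:", changes_without_ticket(CHANGE_LOG, TICKETS))
    print("terminated, still active:", terminated_but_active(HR_ROSTER, DIRECTORY, AS_OF))
    print("changed after termination:", changes_after_termination(CHANGE_LOG, HR_ROSTER))
```

In practice the three inputs would be exported from the directory audit log, the ticketing system and the HR system on a schedule, so the check runs continuously rather than once a year on a sample of three.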
Lessons Learned: Effective Communication Is as Crucial as Technology
The bottom line is that regulatory agencies do not have the resources to conduct thorough exams. Thus, during audits they generally don’t have the luxury of taking the time to look at everything. The problem in this particular case was that Human Resources was not communicating with IT effectively. As a result, it took an unacceptable amount of time, a few months, for HR, IT, the Service Desk, and management to align. Yet the IT audit and regulatory exam passed on the first try.
IT makes up about 60% of an organization’s information security. The other 40% may not be getting the attention it needs, because HR, management and IT may not be effectively communicating and may unintentionally be leaving the organization exposed. In the example above, IT followed the right process and disabled the accounts when they were notified.
However, the malfunction, which could have been critical, was due to the time gap between when the employees were terminated and when HR notified IT. For an extensive period of time, IT had no idea the employees’ accounts should have been disabled. Management, on the other hand, knew the staff had left the organization and had assumed everything was operating according to procedure. In this case, the disconnect was not technology but a communication failure.
IT Audits: Only One Aspect of a Comprehensive and Effective Information Security Strategy
The rule of thumb has always been that audits (and I’m including regulatory exams here, as well) should be conducted on an annual basis. Following up my discussion above, I’d like to play the devil’s advocate here and state the following. In my opinion, relying solely on annual IT or regulatory audits to build your information security strategy or your cybersecurity program isn’t enough.
Reactive Rather than Proactive
A reactive approach to information security is inherently limited because it deals with issues after the discovery of a gap or possibly after the damage has been done. This results in higher costs, greater operational disruption, and damage to reputation and customer trust. In contrast, a proactive approach to information security is far more effective because it focuses on prevention, early detection, and continuous improvement. By being proactive, organizations can mitigate risks before they materialize, maintain business continuity, and build a robust security culture that adapts to evolving threats.
Limited Scope and Depth
In addition to being reactive rather than proactive, regulatory and annual audits are limited in scope. They typically focus on compliance with specific regulations or standards instead of providing a comprehensive view of an organization’s overall information security health. While compliance is important and serves a real purpose, it leaves undiscovered gaps and a false narrative that your organization is protected against all potential threats. Audits may overlook nuanced or evolving risks that don’t fall within the audit’s narrow scope.
Lack of Continuous Improvement
An information security strategy needs to be dynamic, with continuous monitoring, assessment, and improvement. This is especially true in this day and age when technology is changing and evolving faster than ever before. While process and consistency have many positives, organizations need to be aware of the downsides, as well. Complacency in what you know and what has always worked can quickly backfire, especially as AI-enabled cybercrime continues to move faster and faster. Thus, solely relying on annual audits can create a false sense of security and lead to carelessness. Without a persistent and ongoing evaluation, your organization will miss opportunities to strengthen defenses or fail to address new vulnerabilities in a timely manner. Adopting a mindset of continuous process improvement, on the other hand, will put your business on a different, more successful trajectory.
Slow Response to Incidents
If your organization only relies on annual audits, you will be slow to detect and respond to incidents. Effective incident management requires real-time monitoring and rapid response capabilities. By the time an audit identifies a problem, significant damage is likely to have already occurred, like in the example above.
Gaps in Employee Awareness and Training
Employee awareness and training are critical components of a strong security posture that often remain overlooked in an organization’s overall information security strategy. One of the reasons for these deficiencies is the excessive reliance on annual audits as the primary venue for improving employees’ cybersecurity literacy. In fact, annual audits are not the best or most adequate format to tackle the need for ongoing education and behavioral reinforcement. Without ongoing, regular social engineering training and awareness programs, alongside both positive and negative behavioral reinforcement, employees are highly likely to revert to bad habits and risky practices. This, in turn, exponentially increases the likelihood of successful attacks, such as phishing or other social engineering tactics that are constantly changing and becoming harder to detect.
Changing Compliance Requirements
Another important fact that needs highlighting is that regulatory requirements and industry standards often evolve faster than annual audit cycles. For example, when NIST CSF 2.0 was released in August of 2023, most Information Security practitioners were likely already incorporating the addition of the Governance function in their strategies because they knew of the importance of governance in an Information Security Strategy. If you rely solely on annual audits, your organization runs the risk of falling out of compliance between audits. The potential consequences can be severe and costly, leading to fines, penalties, and reputational damage. A robust Information Security Strategy and implementation program includes continuous compliance monitoring that provides organizations with the agility to adapt to regulatory changes between the annually scheduled audits.
Increased Complexity and Attack Surface
In the language of Information Security, an attack surface is defined as the entire area of an establishment’s people, processes, and technologies that is susceptible to attack. It is made up of all the points of entry an attacker could leverage to create chaos or misinformation or to enter a system (servers, ports, applications, websites), together with the vulnerabilities behind them: exposed APIs, DNS configurations, digital certificate management, weak passwords, poorly maintained software, insecure coding, process timing gaps like the HR example mentioned above, uneducated persons, and so on. Any of these may be used once an attacker is inside your network, or as a diversion while damage or fraud is carried out elsewhere. As your organization grows, adopts new technologies, leverages cloud, and generates more visibility for itself, its attack surface expands and information security becomes more complex. Annual audits will not keep pace with these changes, leaving critical gaps in your defenses. A continuously evolving and proactive Information Security Strategy ensures that your strategy evolves with your entire organization, proactively addressing new risks before they arise. A proactive Information Security Strategy does not rely entirely on IT; it incorporates the entire attack surface, including the immense array of threats introduced by the new gig economy and the expanding use of cloud and outsourced services.
The Bottom Line: Audits Are Necessary but NOT Sufficient
In summary, while annual audits, including IT audits, are an important component of some Cybersecurity plans, they address only one aspect of an overall Information Security Strategy. A solid Cybersecurity plan includes continuous monitoring, proactive risk management, and ongoing employee engagement to stay ahead of evolving threats, but a comprehensive and ongoing Information Security Strategy that builds on such a plan is better positioned to address the entire threat landscape of an organization and protect it effectively.
About Rich
Rich Dussliere is an accomplished cybersecurity expert who heads the Office of the CISO and vCISO services at iShift. Rich relies on his real-world experiences as a cybersecurity practitioner to help organizations address the friction points that emerge within as cyberthreats evolve and cybersecurity challenges gain visibility. His experience spans diverse sectors, including financial services, manufacturing, and healthcare. Follow Rich on LinkedIn or contact him directly at [email protected].