Security or "Security Theater"?

TriNet
ejdgahwuzx
Apr 8, 2021 9 Comments

Do security audits performed by internal auditors or external auditors assessing compliance for standards/regulators justify the time they take to collect the evidence to provide to the auditors?

Is it just "Security Theater" at the end of the day?

Am I the only one who feels this way? Audit/compliance evidence collection drudge work is awful.

How can I get auditors not to bother me or my people?

Examples of audits I'm talking about:
- PCI DSS
- SOC 2
- NIST
- SOX
- or any global regulations

NOTE: Moving post to #DataScience & Analytics to see if anyone has used data science to collect regulatory-related data. Doesn't have to be security-related data; would just like to know a few use cases.

#cybersecurity #security #audits #compliance #devops #devsecops #datascience #softwareengineer #operations

TOP 9 Comments
  • New
    scasc
    The best auditors are the ones that understand the tech, can identify risk based on non-compliance/threat actor behaviour, and also can communicate to their stakeholders regarding why certain things are done/the purpose of the work etc. The problem with most auditors is that they don’t understand the underlying environment and therefore it’s treated as a tick box for the sake of it, frustrating everybody else in the process. There is tremendous benefit in a proper assessment - and one that can benefit all parties involved, not to mention keeping SM in the loop regarding the most material risk faced etc. GRC has a bad name, but it needn’t be like this if its true purpose is understood.
    Apr 10, 2021 1
    • Agreed, if the auditors are technical; the issues I've seen from client audits are that they are not... Hell, even the guy who handles our audits isn't technical. Agreed, I think GRC does get a bad name, but it's because they usually are not technical. I do agree the value is there on a good assessment with good questions and good understanding of controls.
      Apr 11, 2021
  • New
    scasc
    Yeh, unfortunately an audit has become pretty much a tick-box exercise and the ppl performing it are not particularly forthcoming. To answer one of the questions originally - yes, it can be pretty mundane collecting evidence and information, particularly if the subject matter is dry. The only advice I can give here is that planning ahead and even delegating to a junior could ease that burden.

    If you ever go to the cloud, AWS have brought out a pretty interesting service called AWS Audit Manager which automates and collects all evidence for you based on the security controls deployed. Pretty neat new feature which saves so much time.
    Apr 12, 2021 0
  • New
    scasc
    This one is a double-edged sword. Security folks can be rigid, focusing on tick-box compliance as opposed to understanding the intricacies around the tech to truly identify risk. I speak as a security guy myself. The compliance standards mentioned define in black and white what should be done. It’s probably best to understand the policies and regulatory requirements and then make sure you have things in order, so when auditors come knocking you can provide what they need. Also, remember compliance standards are there to protect your information assets, personal data, reputation etc.

    Sounds like if they keep bothering you again and again then policies are not being followed to ensure compliance. Only way around this is to get to the root cause. Hope this helps.
    Apr 10, 2021 1
    • Reddit
      FlaminGoat
      Most checkboxes are based on prior exploits, and there is a special breed of script kiddie that gets joy from exploiting known holes even if there is no prize or valuable data to be had. So the checkbox obsession helps limit exploits to the novel class, which in most cases are easier to see when not in a constant state of mitigating script kiddie fires.
      Apr 10, 2021
  • PayPal
    qhstjandr
    Automate
    Apr 9, 2021 1
  • I think auditors from companies generally are there to tick boxes, and it's really dumb. They don't understand how the tech works and just want an explanation for why the box isn't ticked off. I think auditors for tech GRC-type stuff are the lowest on the pole, because there aren't many who have technical skills. I think it's all fanfare for the most part, but sometimes it helps get things done inside the org if you have a finding. Having a finding pushes upper management to get off their ass and do something about it.
    Apr 10, 2021 0