Audits, assessments and risk management activities can sometimes be confusing, misunderstood, or misapplied. When issues of overlap, scope creep, or lack of coverage come up, it usually comes down to a few common failure modes. These can be avoided with the right levels of partnership, understanding, and planning.
I’ve typically seen three failure modes in how organizations use assessment- and audit-type activities to find and fix people, process and technology security issues across the organization.
Failure Mode 1: Head in the Sand
This failure to see, or failure to act, is pretty obvious. It typically stems from the flawed thinking that writing a policy, procedure or standard and publishing it to business areas or the company will enact and sustain behavior change. I’ve also seen this breakdown when there is a belief that a corporate audit group will drive all compliance and hold people accountable.
If you have been in security, risk, or compliance roles for long, you have already rolled your eyes and moved on to the next section. Publishing a corporate expectation in a company document will accomplish very little as it will quickly become forgotten if there aren’t other interventions (one of which is an assessment). I’m also a firm believer that your corporate audit group should be the LAST line of internal defense, not the main mechanism of accountability (e.g. the police).
Failure Mode 2: Assessment/Audit Spaghetti
This failure mode is quite the opposite of #1. This is where there is such a strong sense of compliance that there are multiple assessment and audit groups with overlapping coverage. This situation is not only redundant but also tends to drive a “check the box” compliance culture that leaves little room for true risk management and risk-based thinking. It can also cause fatigue in the organization if people think all of the checks are redundant and bureaucratic.
Failure Mode 3: Not Permeating Beyond the Walls of IT
The last failure mode occurs, regardless of whether #1 or #2 is in effect, when the team responsible has a “passport” that does not allow or empower it to focus on anything outside of the IT organization. This can be the result of numerous root causes, including poor business relationships, an “info sec is IT’s problem” mindset, or simply a lack of risk management leadership that thinks holistically.
Keeping these failure modes from occurring starts with good risk management practices. To be effective, you first must understand the business in which you operate, build trusting relationships, and think about the company as a whole regardless of corporate organizational structures, cultural deficiencies, or politics. Get educated and practiced in solid risk management skills.
Second: Determine the key risks to the business you care about and what current mitigations, standards and expectations are in place. In parallel with fixing some of these basics, determine what risk, assessment and audit resources exist today and what they cover. Build a current-state and future-state RACI (responsible/accountable/consulted/informed) matrix to determine how you can most effectively help the organization meet its risk management, compliance, and program implementation goals. Build a deep, standing partnership between audit and assessment groups and help the organization understand how these resources are positioned to help.
Third: Continuously gauge the results of these teams. Are the things being discovered shockers to employees and management? If so, it means either that they missed the memo OR that you forgot to send it. Assessments and audits should not be a surprise, since expectations for action should be clear and transparent.
If you are experiencing any of these symptoms or are just looking to start, enhance or plain fix your current capabilities, drop me a note! Reveal Risk can help you reduce complexity, accelerate risk reduction, and win in this space.
Feel free to COMMENT, REPOST, or LIKE to keep these free articles coming. If your security program needs help translating strategy into action and becoming more business risk/threat focused, you can request more information at email@example.com. More information can be found at www.revealrisk.com.
(Note: These are my views/opinions only and do not reflect any past, current or future employer’s or client’s views. For educational and discussion purposes only.)