Embarrassing – or inevitable? How you view a failed security audit, whether in IT or at an overall organisational level, depends on whether you think security is a result or a process. There is a fundamental difference between the two points of view. In addition, current trends suggest that security is becoming less of an achievable state, and more of a continual improvement. Surveys confirm that many organisational executives consider that security breaches are no longer a question of “if”, but of “when”. In that case, a security audit should always “fail”. What counts is the reaction to such failure.
A “failed” security audit becomes desirable, in the sense that it identifies the next critical hole to be plugged or the next level to aspire to. In other words, internal security teams or external consultants that find nothing to report on may not be doing their job. Hackers have more potential routes into enterprises than ever. The information age has also multiplied the vulnerabilities due to mistakes or carelessness when handling confidential information. When management understands that there will always be problems to be addressed, it can start looking for practical cost-effective ways forward.
It may not always be preferable to try to repair existing security systems. Adding an extra layer of defence may close more gaps overall. In IT terms, that extra layer can be a better firewall, a software application to monitor data movement and user behaviour, or a routine to start applying vulnerability testing on a weekly basis. Deployment of available third-party solutions is often much faster and less expensive, compared to staff time spent on trying to re-engineer existing assets. Whichever choice is made, it will be driven by the results of the audit and the priorities of the problems revealed. Remember also to schedule another audit afterwards. Yes, you’ll “fail” again, but you will already have scored points by not “failing” in the same way.