How to Make Cyber Audits More RelevantMumbai Panellists Share Views on Audit Perils
While there is little doubt that cybersecurity audits provide an additional layer of assurance, security practitioners often question their effectiveness. So much so that audits are now termed "painful" by many security practitioners.
So, how did cybersecurity audits lose their effectiveness and what are the ways they can be brought back into relevance? This question was discussed at length during the recent Cybersecurity Summit in Mumbai, in panel moderated by Vicky Shah, a Mumbai-based cybersecurity lawyer, entitled "Cybersecurity Audits-- Effectiveness in Building a Resilient Security Posture". The panel members included: Agnelo D'Souza, CISO with Kotak Mahindra Bank; Anish Ravindranathan, lead, cybersecurity detection and response, General Mills; and Nitin Bhatnagar, associate director India at PCI Security Standards Council.
From the discussion it was concluded that cybersecurity audits tend to look for the various controls that an organization has in place. And here lies the gap. "In the dynamic world of cybersecurity, this approach just does not work," said Shah. "Instead, cybersecurity audits must change their approach to check on the effectiveness of the controls that are in place."
The panellists said auditors need to insist on more details from the security team. "They need to ask for the kind of events that have happened as a result of absence of a particular control. I strongly feel this approach is needed to triangulate a better risk profile of a control gap," said General Mills' Ravindranathan. "For instance, when an auditor finds a control gap, he needs to analyze the various events that have been triggered because of these gaps and identify the events which have resulted in a risk."
The Current Challenges
Unfortunately, while audits are not something that are enjoyed by firms, at the same time they cannot be completely ignored. It is now believed by practitioners that the Equifax breach could have been prevented if the audit team had not only alerted about expired certificates that delayed breach detection, but had also followed up with the concerned team on the action taken.
The panellists called for an expanded role for auditors. For instance, companies have to bring in auditors during the inception of a project, which will result in better understanding of various security controls in place, remarked D'Souza. "Audit is an independent function and as a result auditors are never part of a project from its inception phase. Ideally, this should change so that auditors get a better view of the kind of controls in there. This also goes a long way in understanding the thought process of a security team."
Moreover, the panellists felt that auditors need to move away from the mindset of certifications. "Most auditors still believe that certifications are enough to become a qualified auditor. In today's world, extensive use of technology has become a must, and without them meaningful audits cannot be delivered. Hence, it becomes imperative for auditors to train themselves with the latest technology," argued Ravindranathan. However, the panelists agreed that this isn't an easy expectation to meet. "Technology changes every year and we do not have a formal institute imparting technology training to us. At least organizations can take up this initiative for their internal audit team," D'Souza said.
The Way Forward
The panellists also agreed that the findings by an audit team often gets less priority because no one is willing to spend time on them. "It is often tough to get a downtime from clients. So when we tell our clients that we need this much time for a patch, we are rarely given any downtime. Businesses must think of an alternate solution or should be able to push back. Else, audits will continue to get ignored," said Ravindranathan.
Typically, an auditor is given two to three days to conduct an audit of critical networks, so as not to interrupt business processes. The panel agreed that security audits are done under regulatory mandate or customer pressure. Nobody does the security audit suo moto to be aware of the risk and security vulnerabilities.
Moreover, the success of an audit to a large extent depends on how well an auditor knows the various standards, said PCI's Bhatnagar. "There are virtually no standards outside of the financial industry. But other industries can refer to these standards," Bhatnagar said.
He also called upon the industry to share their inputs on how to make the existing standards more robust and relevant. "There needs to be efforts from all end to make the audit process relevant. We need to respect an auditor's views. Else, the blame game between auditors and security team will continue and this does not help anyone," Bhatnagar concluded.