This is one of those topics that years ago I would have said you’re crazy to even consider being cool with being audited. I came up in IT through a pharma company, and we’d get HIPAA audits where I’d have to sit silently next to our regulatory lawyer with a giant book. The other side of the table would ask questions, I’d whisper to the lawyer, who would translate it into regulatory’ese, and then he’d share with the other side what he felt was OK for them to know. I learned to never tell an auditor more than they asked, and that they are, under no circumstances, your friend.
Years later, I’m in security, and one way or another audit is a really common thing. We have to deal with PCI audits, QSAs, etc., so while it’s a lot more lax than I remember, the idea is stuck in my head that you never tell them more than they asked for, and even then, you scope the response so tightly that they can’t poke at it.
Going into the first internal audit, I was all braced to button up and try to stonewall the IA team. I sat next to the CIO, who blasted them for even suggesting there were problems, and I felt like, “hey, this is pretty much like I remember, lovely…” Then, after that super exciting experience, I sat down with the auditors and they explained that they’re not trying to shut us down and fine us; they’re trying to help the company, the one they also work for. They were nice people, and I started to come around to the idea of not only working together, but being able to get some benefit for my team from the audit findings.
Well, months go by and I’m off to my SEC460 class on vulnerability assessment, and I come back all ready to tweak our internal scanning and vulnerability management process. We make some changes, and we are spinning good reports in a bunch of different ways, but the remediation part is still out of our hands. No matter how many ways we hand over the data, people just aren’t getting it. We have management buy-in, but it’s just not going above the director level. People make excuses for why they can’t patch or change a config, or mostly just ignore it all.
So we have a few months of just beating our heads against that wall. And then I hear that our parent company is going to order our IA team to audit our vulnerability management program. They started by bringing in a trainer to teach 20+ auditors how to audit network security. My boss at the time dropped a phone-book-sized (remember those?) book on my desk afterward and said she had used it for the week-long class and comprehended almost none of it. After who knows how much money they spent on training the staff, they realized they were far outside of their technical range and decided they were going to hire a 3rd party to do the scanning and assessment.
Why wouldn’t they just use the data we already had? Well, I work at one of the child companies of a larger international company, and the parent org wanted all the child companies assessed equally and didn’t trust the individual inputs. After they burned an exotic supercar’s worth of money hiring an outside firm that found less than we already had internally, a few interesting things happened.
First, internal audit was able to highlight that my team was doing pretty well in the assessing, and while they didn’t want to admit it, we were doing better than the outside company. It’s not even a brag; we just know our own environment better than they do. But the most important finding was that they were able to highlight that the issue wasn’t the security team not finding the problems (we had tons of records for that), but that the other teams weren’t remediating the problems.
I walked into an audit meeting with some people far (faaaaar!) above my pay grade who acted very shocked about the reports they were seeing, and I was glad to point out that none of this should have been a surprise to them. It seems there was someone along the chain who didn’t want senior management to know about the problem, so the higher-level support just wasn’t happening.
Suddenly, the idea that these results were going to the board was terrifying for people. I had told them for a long time, but they got used to tuning me out, and without a hammer big enough to make people fix things, the most I can do is keep escalating, and that only works so much. Sure, they would patch PCI-scoped items, but outside of that there was zero fear of consequences for not doing the right thing.
That CIO who was yelling at the auditors in the first meeting? He was silent. Afterwards we were told, “this all needs to be fixed, I need to know what it’s going to take!” Out of nowhere we had resources, because it wasn’t the security guy telling them there was a problem, it was the audit committee (and in turn the board) who was telling them.
I don’t want to say a few teams were given a blank check to clean up, but this added push went further than anything else we had tried before. This year, on one of our fundraising days, I came back to my desk to find a bunch of candy from the internal audit team for being so helpful to their work. Talk about a change I never would have anticipated a few years ago!