Why passing audits won't keep you safe
Organisations often focus their information security risk management solely on passing an audit.
The problem with this approach is that audits are typically focused on a specific scope and/or a fixed set of controls, and are not holistic.
This is according to Manny Corregedor, COO of Telspace Systems, who will present on "Why passing audits won't keep you safe", at ITWeb Security Summit 2019, to be held from 27 to 31 May, at the Sandton Convention Centre.
Corregedor says the auditor performing the audit or collecting the evidence often lacks adequate experience or skills to be able to thoroughly question the IT team, which results in the IT team almost "tricking" the auditor into thinking the risk has been mitigated.
He warns of audits that lack "hands-on" testing, or are constrained to a list of controls in a "checkbox" manner.
"It's important to note, however, that my talk is not about saying audits are not required and/or that they don't add value."
Corregedor says organisations are spending large amounts of their budgets on technology that they see as the 'silver bullet' that will tackle all their risks.
"This is further fuelled by the fear, uncertainty and doubt that is sold to organisations by different vendors and suppliers. Organisations need to take a step back and understand their context and risk before making decisions to invest in new technologies, launch new programmes, outsource certain functions to third parties and suchlike," he explains.
Once this is established, he says organisations must test their security controls to ensure they are working effectively. "This is critical, as in most cases, we find organisations have the best technologies in place but they have been misconfigured, or the staff getting the alerts don't understand them, or are not able to adequately respond to them due to a skills shortage."
Corregedor says it is important for organisations, and particularly IT teams, to realise that the auditors or vendors that provide penetration testing or similar services are not the enemy. Instead, organisations should work together with such teams and vendors for the good of the organisation. Likewise, he would like to see different vendors, in particular those that are competitors, working together for the greater good.
Delegates attending his talk can expect hands-on tips on how to go about conducting cyber security audits to help them become more effective and proactive.
"All stakeholders should understand where the real risk is and why thinking outside the checkbox is important," he concludes.