Insights: Audits are useless, but the act of auditing is invaluable

Edward Farrell

Late last week I was empathising with a client about the fact they were about to undergo yet another cyber security audit. Lamenting at the constant product generated from this process and ongoing questioning, it had sparked two trains of thought:

  1. It’s actual outcome, the production of reports, offers little utility.
  2. The overlooked outcome, getting internal teams to think, is invaluable.

The title of this article is adulterated from a phrase often attributed to Ike Eisenhower, the 34th President of the United States and a General in the United States Army said:

Plans are worthless, but planning is essential.

Eisenhower went on during a speech in November of 1957:

…when you are planning for an emergency you must start with this one thing: the very definition of “emergency” is that it is unexpected, therefore it is not going to happen the way you are planning.

The reality is audit, assurance, architecture and planning functions within cybersecurity often place a heavy emphasis on doctrinal processes in preparation for problems, the product generated at the end of an activity (IE the 400 page report that is meant to give a sense of security) or even on the sheer size and scale of the event even though its outputs may not be fully appreciated. These points which are often emphasised are the antithesis of what the intention of such an activity should be, and the over reliance on these items often leads to a substandard outcome.

The audit process should emphasise a collaborative effort into gaining insights, collectively probing people, processes and technology to deduct and improve, as well as coercing training and education of stakeholders. I have found that such a has given greater value to customers rather than a report saying everything is okay (or not). Other benefits within cyberspace (or other domains) include deterrence of threats in specific circumstances, holding vendors to account on the delivery of services as well as enabling personnel to work intelligently towards an objective, an act which cannot be “winged” or simply achieved by layering a template over the target of the audit, especially in such a complex environment.

An audit or assessment up front is not going to find everything, much less result in immediate remediation, but at least it will be able to initiate thinking and processes to support organisational objectives. Managing expectations and driving the process towards this intended outcome over the “green tick” does more for our wellbeing and the value of an audit process.