Akhila Nama, CISSP, shares her experience of conducting security audits and how she has tackled the tendency of such tasks to slide into a routine exercise rather than remaining the functional tool they should be.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
“I need evidence of this control for our upcoming audits…” – this request comes to my desk every quarter, like clockwork. With growing concern over privacy, tightening regulation and greater general awareness, compliance checks and audits have become a staple for enterprises. Though originally introduced to strengthen security, most audits have gradually turned into a routine compliance exercise with little impact on actual risk reduction. I read posts in which people lament that their companies treat these exercises as checklist items to cross off, or as a sales and marketing claim to share with prospective customers. That got me thinking: how can security teams actually benefit from these controls?
It is also common for a company that has suffered a publicly reported breach to have passed its compliance checks.
A compliant or X-certified organization is not necessarily a secure organization. Compliance certifications and checklists look for certain security-related controls to be in place: do you have an endpoint detection and response (EDR) agent on your endpoints, are your firewall rules reviewed quarterly, is your patching cadence defined, and so on. But they stop there. Audits rarely dig deeper to understand how well these controls actually defend your environment.
Does the EDR agent actually block malicious executables? Do the firewalls allow broad access through “any-any” rules? How often are exceptions filed for critical patches that were not applied within the SLA? These are the follow-up questions that reveal the real security risk, and they are the ones a checklist audit does not ask.
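The follow-up questions above can be turned into checks that run against the actual configuration rather than the audit evidence. The example below is added here and is not part of the original article; it runs two of those checks over constructed sample data: it flags allow rules whose source, destination or service is unrestricted, and it reports how many patches missed an assumed SLA window and whether an exception was filed for each one. The rule format, the SLA windows (14/30/90 days) and the sample rules and patches are all assumptions made for illustration.

```python
"""Added example: effectiveness checks that a checklist audit does not run.

All data here is constructed for illustration; the rule format and the SLA
windows are assumptions, not any vendor's or organization's real policy.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp", "udp" or "any"
    port: str     # single port, "lo-hi" range, or "any"
    action: str   # "allow" or "deny"


def _net_is_any(cidr: str) -> bool:
    """A /0 network matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_is_any(port: str) -> bool:
    """'any' or a range spanning the whole port space counts as unrestricted."""
    if port.lower() == "any":
        return True
    if "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
        return lo <= 1 and hi >= 65535
    return False


def rule_findings(rule: FirewallRule) -> list[str]:
    """Explain why an allow rule is overly permissive; empty list if it is not."""
    if rule.action.lower() != "allow":
        return []
    src_any, dst_any = _net_is_any(rule.src), _net_is_any(rule.dst)
    svc_any = _port_is_any(rule.port)
    if src_any and dst_any and svc_any:
        return ["any-any: every source to every destination on every service"]
    if src_any and svc_any:
        return ["every source to the listed destination on every service"]
    if svc_any:
        return ["every service between the listed networks"]
    return []


def permissive_rules(rules: list[FirewallRule]) -> dict[str, list[str]]:
    """Map rule name -> findings, keeping only rules with at least one finding."""
    return {r.name: rule_findings(r) for r in rules if rule_findings(r)}


@dataclass(frozen=True)
class Patch:
    id: str
    severity: str
    released: date
    applied: date | None       # None = not yet deployed
    exception_filed: bool


# Assumed SLA windows in days from vendor release to deployment.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


def patch_sla_report(patches: list[Patch], today: date) -> dict[str, dict[str, int]]:
    """Per severity: patches that missed the SLA, split into those with a filed
    exception and those that are simply late with nothing on record."""
    report: dict[str, dict[str, int]] = {}
    for p in patches:
        deadline = p.released + timedelta(days=SLA_DAYS[p.severity])
        done_by = p.applied if p.applied is not None else today
        row = report.setdefault(
            p.severity, {"total": 0, "missed": 0, "excepted": 0, "unexcepted": 0}
        )
        row["total"] += 1
        if done_by > deadline:
            row["missed"] += 1
            row["excepted" if p.exception_filed else "unexcepted"] += 1
    return report


# Constructed sample data.
RULES = [
    FirewallRule("allow-web-in", "0.0.0.0/0", "10.0.1.0/24", "tcp", "443", "allow"),
    FirewallRule("mgmt-any", "10.0.0.0/8", "10.0.0.0/8", "any", "any", "allow"),
    FirewallRule("temp-vendor", "0.0.0.0/0", "0.0.0.0/0", "any", "1-65535", "allow"),
    FirewallRule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]
TODAY = date(2024, 6, 30)
PATCHES = [
    Patch("KB-A", "critical", date(2024, 5, 1), date(2024, 5, 10), False),  # on time
    Patch("KB-B", "critical", date(2024, 5, 1), date(2024, 6, 1), False),   # late, no exception
    Patch("KB-C", "critical", date(2024, 6, 1), None, True),                # late, exception filed
    Patch("KB-D", "critical", date(2024, 6, 20), None, False),              # still within SLA
    Patch("KB-E", "high", date(2024, 4, 1), None, False),                   # late, no exception
]

if __name__ == "__main__":
    for name, why in permissive_rules(RULES).items():
        print(f"{name}: {'; '.join(why)}")
    for sev, row in patch_sla_report(PATCHES, TODAY).items():
        print(sev, row)
```

The number worth watching is the "unexcepted" count: a patch that is late with no exception on record means the SLA is not being tracked at all, which a quarterly attestation that "a patching cadence is defined" would never show.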
How I Leverage Compliance Audits to Advance Security Strategy
Governance, risk and compliance (GRC) teams are either part of the cybersecurity organization or sister teams under a separate compliance function. It is essential for both to collaborate, because aligning their efforts accelerates progress toward shared goals. Here are the approaches I have found most successful.
I purposely build strong relationships with our compliance partners. Compliance and cybersecurity teams often have a purely transactional relationship: compliance asks for evidence and the cybersecurity team provides it.
What many teams overlook is that the very controls required for certification can also raise the organization’s overall security maturity. I engage with our compliance partners beyond the audit window, especially to identify which controls are consistently underperforming, which ones are repeat problem areas, and where the organization tends to score lower.
In these interactions I reinforce the message that we share one mission: driving secure and sustainable business growth. I encourage our compliance teams to look beyond the audit checklist, and I help them understand the 'why' behind each control from a cybersecurity perspective so they can better assess its intended impact, advocate for smarter implementations and become security champions in their own right.
I also validate my security strategy against the critical controls. Understanding which controls directly mitigate risk helps me prioritize and stack-rank my initiatives more effectively. That does not mean I disregard projects that fall outside the mapped controls: my risk prioritization is driven by exploitability, likelihood and potential impact, and I use the control mapping only as an extra layer of validation.
Securing funding for every item on a cybersecurity roadmap is tough, as most of you reading this know. Working with our compliance teams helps me identify which controls overlap with my strategy and highlight the dual benefit of funding them. As an example, I once identified a single item that would both help with a PCI certification goal and mitigate a cybersecurity risk; I was able to pitch it to leadership and secure funding at a time when we were budget constrained.
Another benefit of tag-teaming with compliance that I have observed is securing commitment from external stakeholders to prioritize shared projects, because there are immediate and tangible consequences of not delivering on them (fines, loss of customer contracts and so on).
Does this mean my strategy is driven by compliance? The answer is a firm “no”: I use compliance obligations to enable my security strategy, not to define it. A cybersecurity strategy governed by compliance can still leave you insecure, because it does not necessarily assess your overall risk or the gaps that threat modeling the environment would uncover.
My advice? Use compliance obligations to your advantage, but don’t let them become your primary focus or treat them as a mere checklist.
Akhila Nama, CISSP, has over a decade of experience in security design, strategy, architecture and risk management. She has held management and technical roles, with a focus on securing modern enterprise environments while driving business growth. Her cybersecurity work spans cloud, identity, infrastructure, network and data security.