Audits vs. Assessments & why they’re not the same thing
It’s much easier to mitigate a risk when you know the risk exists. Using the analogy of a snake in the grass, people don’t go running off into the woods by a creek without surveying the ground at their feet. Likewise, maintaining a blindness to risk is a sure-fire way to get bitten by it.
To gain a perspective of organizational cyber security risk, audits and assessments are performed. They help us paint a picture, at various levels of granularity, of the potential that bad things could happen – focusing on areas that can be improved to reduce that potential.
Governing bodies tend to tell us what to do. Whether or not we like it, it’s reality. And since information plays such a large part of organizational operations, and can negatively impact those organizations and associated individuals, regulations and standards have been created to guide in protecting information. Audits allow these governing bodies to verify that the entities they govern are at least attempting to meet their requirements. They also help the governing body have an active part in assisting these entities with their cyber security maturity.
Organizational leadership can use regulations as a starting point for their security practices. And when the governing body shows up to audit, they can use these opportunities as a show of good faith that the organization is not ignoring the requirement. These audits can also be used to bolster the priority that security gets within the organization’s fiscal planning. Understanding the importance that the governing body puts on security should make the organization stop and think about dedicating a line item in the budget for security with reasonable resources to make it effective.
Security professionals can use audits to communicate the importance of cyber security to leadership from the perspective of the people that make the rules. In some scenarios, the governing bodies can withhold information that allows the organization to operate. In other scenarios, negative audit findings can cause service providers to withdraw services. Either way, as a security professional, our jobs are to support the business, and if operations get shut down because of a lackadaisical approach to security, everybody loses.
Overall, in an audit situation, the goal is to pass so that operations are not impeded. Never lie to an auditor, but answer the questions only. No more, no less.
Assessments are a different ball game. Assessments are documented internally and are not intended to be shown to the world. They should be as granular as possible to point out as much risk as can be found. The results of assessments are intended to be used to guide security strategy, as well as point out the tiny details of risk that can be tactically acted upon to reduce vulnerability footprints in technologies, processes, and people – all of the things that make a “system.”
Assessments are not intended to be passed – they’re goal is to find failures. Organizations should use assessments to strengthen themselves, to build resilient and trustworthy systems & services on which their clients can rely. Trustworthy and resilient systems & services, in the end, produce a trustworthy and resilient organization – one that’s able to enact its mission in perpetuity.
Cyber Security professionals have to have honest assessments. These give them tactical direction, lists of areas of risk on which to focus and make better. Assessments help security teams budget and know where to focus their resources (money, people, time, etc…). Assessments often yield results that are too much to handle in a short time frame, and that’s fine. Plan your actions & milestones and put resources on the greatest risks first.
So, the summation of this is: Organizations want to pass audits. Organizations want to mature from assessments. Understanding those nuances, leaders and security professionals can use both as ways to improve the security posture of the system or organization they support.