More organisations in the Netherlands recognise the need for an active approach to stay in control over their attack surfaces in order to mitigate risks. Every organisation is able to create their own IT security governance and processes. Now, though, a new standard might be introduced in the form of an annual, mandatory IT audit. Is this a development helping businesses further? Or one that doesn’t really add anything other than paperwork?
A periodic IT check
The idea of having an external expert taking a look at your IT infrastructure and its security is not necessarily a bad thing. Having an extra pair of eyes to check for any risks couldn’t hurt. It is comparable to having your car checked once a year to make sure everything is still working within safe limits. Should anything be wrong, this audit will result in a score and determine what needs fixing.
And yet, that is where the comparison ends. You probably don’t check under your car to see if every bolt is still secured more often than the mechanic does. An organisation’s IT security team does. They monitor the state of their digital assets continuously. And (almost) all organisations in every sector have outsourced parts of their IT infrastructure to specialised security service providers.
The dangers of a snap-shot audit
And that brings us to the biggest criticism of the idea. Not much might change to your car over a year, but your IT systems definitely will. New domains are created, certificates need to be renewed, email traffic is monitored, attacks need to be prevented or handled… This can only be done effectively when environments are managed continuously. A once-a-year IT audit can be outdated the day after it is presented.
Now, an IT audit might force organisations to think about their security and incident response procedures and evaluate these more often than they might already do. It could help elevate low-mature organisations to a higher level of security or bring fundamental flaws in an organisation’s basic IT setup to light.
However, this again depends on the way such an audit is performed. Looking at the infrastructure from within the organisation is likely to leave blind spots. It’s like determining what’s wrong with the car’s engine by sitting in the driver’s seat. You need an outside-in perspective to notice the little details that might eventually lead to a bigger leak.
Risk scores don’t reflect actual security
Relying on a periodic scorecard to assess the security of an organisation is not the way to stay in control over your entire attack surface. Your IT environment is constantly changing, growing, and shrinking. And though insurers might look at your audit score, hackers really don’t care whether you pass or not. It’s the smallest risks they are after, so they can systematically work their way into more important systems. A yearly audit won’t prevent that.
We probably haven’t seen the last of this discussion yet. Even if the intention of making more organisations cyber-secure is fair, the execution leaves much to be desired. As an essential part of the IT security process, we have created a post to help you set up successful IT governance. Read it here.