Security audits are painful and often required for compliance but they aren’t adversarial unless you have a bad auditor or bad policy compliance. In this episode, Tom Hollingsworth sits down with Teren Bryson, Skye Fugate, and Ben Story to discuss the nuances of audits. The panel discusses the discovery of technical debt, external versus internal auditing, the need for flexibility in procedures. and how good auditors can make for a more positive outcomes.
Apple Podcasts | Spotify | Overcast | Amazon Music | YouTube Music | Audio
Thorough audits will uncover issues with compliance as well as technical debt. This could include older devices that should have been replaced at the end of their life. It could also find code versions that are vulnerable to exploits and could lead to more issues. While operations teams don’t like being told things aren’t as they should be it’s better to know about those problems early before they get out of control.
It is also important to understand that there are different reasons to have an audit. The most common perception is that external organizations are auditing your enterprise to comply with their polices and procedures, such as a partnership or acquisition. However, internal audits carried out by third parties to verify compliance with your own polices are much more frequent. How can you ensure that you are doing what you say you’re doing if you don’t have someone else take a look at your polices to ensure they’re being followed? This is also the place where you find issues with user compliance, such as executives that believe the rules don’t apply to them.
A good auditor can make the difference in your audit experience. The best auditors are knowledgeable in the subject area and understand what is needed for compliance. They also ensure that you have time to remediate the issues. A bad auditor is one that only follows the strict procedures and doesn’t understand the nuance in auditing. They are often perceived as adversarial and cause IT teams to dread audits.
If you want to have a good audit experience you should keep two things in mind. The first is that you should assume that it will be a positive experience. The auditors are doing a job and they aren’t trying to hurt you or your company. The second thing to keep in mind is to answer the questions asked without volunteering information. You can innocently offer additional information to a question that leads to a negative experience because it forces the auditor to uncover things they weren’t originally tasked to find.
Podcast Information:
Tom Hollingsworth is a Networking and Security Specialist at Gestalt IT and Event Lead for Tech Field Day. You can connect with Tom on LinkedIn and X/Twitter. Find out more on his blog or on the Tech Field Day website.
Ben Story is a Network and Cybersecurity Engineer and Field Day veteran. You can connect with Ben on LinkedIn or on X/Twitter and read more on his personal website.
Skye Fugate is a dedicated cybersecurity expert. You can connect with Skye on LinkedIn or on X/Twitter and learn more about his work on his website.
Teren Bryson is a Director of Engineering and Operations. You can connect with Teren on LinkedIn or on X/Twitter. Learn more about Teren on his website.
Thank you for listening to this episode of the Tech Field Day Podcast. If you enjoyed the discussion, please remember to subscribe on YouTube, Apple Podcasts, Spotify, or your favorite podcast application so you don’t miss an episode. Please do give us a rating and a review, it helps with discoverability. This podcast was brought to you by Tech Field Day, home of IT experts from across the enterprise, now part of The Futurum Group. For upcoming events and more episodes, head to the Tech Field Day website.
