
Five fearless strategies for surviving IT security audits

An auditor's visit can make an IT pro squirm like nothing else. But a change in attitude might turn an audit into a useful, if not enjoyable, experience.

Small or medium-sized businesses were once able to ignore compliance issues, for the most part. Regulations like the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act were for doctors and banks. The Sarbanes-Oxley Act applied only to publicly traded companies, so that wasn't an issue for most private small and medium-sized businesses (SMBs), either.

But times have changed. With the advent of the Payment Card Industry Data Security Standard, compliance concerns are now common to SMBs of all shapes and sizes.

Even small companies are now subjected to the ritual humiliation of the auditor visit, which too often ends with the auditor telling you that you don't know what you're doing. The result, of course, is that many SMBs view auditors as the enemy and try to hide issues from them.

There is a better way of dealing with an auditor visit, and it's based on the compliance techniques I originally detailed in The Pragmatic CSO. Here are five sure-fire strategies to make sure IT security audits are as painless as possible.

Strategy No. 1: The auditor is your friend.

Huh? When they hear this, most of my clients give me a blank stare and figure I've finally lost my marbles. But it's true. Auditors shouldn't be your enemy. They are after the same thing you are: to protect the assets of your organization. Of course, they've got the added responsibility of covering their own hindquarters, as well.

A case in point is Arthur Andersen LLP. The accounting and audit firm effectively ceased to exist after the U.S. government prosecuted it for obstruction of justice over the destruction of Enron-related audit records. No audit firm wants to suffer the same death sentence, so a firm will look deep and wide to make sure you are doing the right thing. Because if you aren't, it's also responsible.

So step one is to understand that you and the auditor are in the same boat, rowing in the same direction. You may have different ideas on how to get there, but it's still the same destination.

Strategy No. 2: Learn as much as you can.

The breadth of experience a longtime auditor brings to the table is lost on most information security professionals. They figure the auditor is just there to make life miserable, not to help solve problems and maybe even add some value by suggesting alternative ways of doing things.

But that experience is exactly what gives auditors credibility. They see different companies, different problems and, ultimately, different solutions every week. If it's happened, they've probably seen it. You, on the other hand, have been holed up in your own little cocoon for years.

So as you go through the process with the auditor, keep an open mind. When he or she suggests something, actually listen to what the auditor is saying. There may be reasons you can't do what he or she says, but that doesn't mean you can't learn something by actually considering it.

Strategy No. 3: Admit you are not perfect.

I have yet another surprise for you: Auditors expect to find problems. As I mentioned before, these folks see a lot of different environments and a lot of different problems. Since no environment is 100% secure, of course, they are usually going to find something, even at your SMB.

The trick is not to make the same mistake twice -- after an auditor has pointed it out to you -- and, when you do have an incident, to handle it quickly and effectively. Remember, everyone is going to have issues from time to time -- it's all about how you handle them. What did you do to isolate the issue and remediate it? What new controls did you implement to make sure it doesn't happen again?

These are all things the auditor needs to hear. A little honesty will make you much more credible in the eyes of the auditor, as well.

Strategy No. 4: Give them what they want.

Auditors come in all shapes and sizes. Some like to stay at a high level of discussion and rely primarily on what you show them from a controls standpoint. Others want to roll up their sleeves and dig into your stuff. Just to be clear, you are not in a position to dictate what approach the auditor uses.

Make sure, then, that you are prepared before IT security audits begin. Of course, you want to start the examination at a high level, focusing on your security program and the incident response plan. But you should have a supplemental pack at the ready with a lot of granular detail, including security device configurations, independent pen test results, log files and reports, and pretty much anything else you use to operationally manage your environment.

Strategy No. 5: Make sure it's fixed.

Nothing puts you on the wrong side of an auditor like ignoring the auditor's recommendations. After an audit, the auditor will issue a statement of findings discussing what he or she thinks needs to happen. When you see the auditor again, be sure you've acted on those recommendations.

There will be times when the auditor's recommendations are either not feasible or not practical. In that case, have a logical explanation ready as to why a recommendation couldn't get done. Don't skirt the issue, but rather address it and do it early in the process.

Keep in mind, you are allowed to disagree with the auditors, because they aren't perfect. But you have only a few of those silver bullets, so use them wisely.

The main point to understand is you don't have to fear IT security audits. They can often, though not always, be positive learning experiences. Remember: An audit is not like sitting on the beach sipping a margarita, but it's not a root canal without anesthesia either.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and author of The Pragmatic CSO: 12 Steps to Being a Security Master.
