The Security Auditing Manifesto: Shared Values for Effective Security and Compliance Management

In today's fast-paced business environment, organizations need a more efficient and effective way to manage security risks and comply with audit and compliance requirements.

This requires a shift away from traditional audit and security frameworks and a move towards a collaborative approach that values transparency and shared understanding.

This isn't a post about picking the right technology, this is a post about process and rules of engagement.

All the tech in the world can't fix bad, broken, or non-existent processes.

To overcome these limitations and build a more robust security posture, organizations need to adopt a collaborative approach that values transparency, shared understanding, and continuous improvement.

In this blog post, I'll explore how organizations can implement a set of shared values that promote stronger security partnerships, reduce friction, and mitigate real risks to the business.

Embracing Transparency Over Secrecy

Open and honest communication is key to building trust between security partners.

Sharing information freely, rather than playing things close to the vest, can lead to better decision-making and improved security outcomes. Here are a few ways you can do that in your own organization:

• Develop a communication plan for sharing security updates and progress with your company and your customers

• Create a centralized repository for security documentation accessible, both internally and externally

• Conduct regular meetings with auditors and stakeholders to discuss findings and share what you're seeing

Transparency also encourages accountability and fosters a culture of continuous improvement and dialogue.

Encouraging Dialogue Over Prescription

Asking questions and fostering open dialogue is more effective than just assuming.

By engaging in conversations and actively listening to each other's perspectives, security partners can develop a more comprehensive understanding of risks and work together to find the best solutions. You can:

• Organize brainstorming sessions to encourage the exchange of ideas and foster collaboration

• Perform an after-action report for all of your audit findings and go over what went well and what can be improved. I personally like the "stop, start, continue" framework

• Implement a feedback loop with auditors to ensure concerns and recommendations are addressed

Developing a Shared Understanding of Risks

It's essential for security partners to have a shared understanding of risks.

Rather than one group solely dictating what the risks are for a company, the auditing teams should be included in the process of risk definitions and challenges.

• Collaborate with your auditors to develop a comprehensive risk assessment plan

• Hold workshops to educate team members about common compliance risks for your company's compliance requirements (i.e. SOC 2 and PCI DSS)

• Utilize risk management tools to track and prioritize risks consistently

This ensures that all parties are on the same page and can work together to address the most pressing issues.

Establishing Expectations Upfront

To avoid confusion and wasted effort, it's important to establish clear expectations from the outset.

• Clearly define the scope and objectives of security audits and assessments

• Create a timeline for security initiatives, including milestones and deadlines

• Develop a shared glossary of terms to ensure consistent understanding among stakeholders (this can also be useful for customers in an external knowledge base)

This helps all parties to focus on what's truly important and ensures that their efforts are aligned with the desired security outcomes.

Supporting Operational Flexibility

Which groups are the best suited to identify and mitigate risks? The groups closest to the work.

Allowing for operational flexibility is crucial, as it enables organizations to adapt to changing circumstances and respond to emerging threats more effectively:

• Empower teams with the autonomy to make decisions based on their expertise

• Establish a balance between oversight and trust in decision-making

• Implement agile methodologies to adapt to changes and emerging threats

Avoiding decisions by committee can streamline decision-making processes and promote agility in addressing security risks. This keeps all teams focused on addressing relevant risks, not arguing over which esoteric threat might happen.

Prioritizing Functioning Security Controls

RACI charts have their place but functioning security controls is the goal. This goes for both technical and procedural controls.

You can support this by:

• Conducting regular security control self-assessments

• Allocating resources to prioritize the implementation of critical security controls

• Provide training and support to ensure the proper execution of security controls.

Valuing Security Outcomes Over Strict Compliance

While compliance with industry standards and frameworks is important, the ultimate goal should be to achieve meaningful security outcomes and mitigate risks.

Here are a few ways you can do this:

• Set performance metrics that align with desired security outcomes

• Review and adjust security strategies based on evolving threats and business needs (actually put that annual risk assessment to use, and don't let it be a check-the-box exercise!)

• Foster a culture that encourages innovation and proactive risk management

This will often require going beyond the minimum requirements of compliance frameworks and taking a more proactive approach to security management.

Embracing Continuous Security Validation

There are several ways you can piece this together through various technologies, but the broader concept is often called Continuous Controls Monitoring (CCM). CCM is a way of operating, not just a set of technologies.

• Implement a Continuous Controls Monitoring (CCM) program

• Automate security monitoring and reporting processes where possible

• Implement regular assessments of detection engineering capabilities and make necessary adjustments based on the insights gathered

Regular security validation is essential for maintaining a robust security posture. By conducting ongoing assessments, organizations can identify potential vulnerabilities and take corrective action before they become critical issues.

Wrapping Up

In conclusion, effective security and compliance management requires a holistic and collaborative approach that prioritizes transparency, shared understanding, and continuous improvement.

By adopting these shared values, organizations can build stronger security partnerships, reduce friction, and better manage real risks to the business while effectively addressing compliance requirements.

Mind you, none of this will be easy to do, but your company and your security and risk management programs will be better off for it. This also is not a one-time effort but a continuous process that requires ongoing attention and care.

By staying committed to these values and continuously improving their security and compliance programs, organizations can build a culture of security that protects their assets and fosters trust with their customers and stakeholder

If you have any thoughts or suggestions about these values or believe something is missing, please feel free to drop me a note.