#EuroCACS: Understand Your Audit & Who Conducts It


In a talk at the ISACA EuroCACS Conference in Munich, London Chapter director of external relations Raef Meeuwisse described a third-party audit he had completed of a company, and argued that many of the ‘mega-breaches’ occur because companies fail on the basics.

He said that every major cyber-breach was down to three major or critical security safeguards which were either not in place, or were not fit for purpose. He asked: “Why is it we can identify problems, but not get buy-in to get these fixed?

“Organizations often spend a fortune on layers of security in one direction, but leave other potential attack vectors open. No security department says ‘we’re not particularly good’; they always believe they are doing a great job under the particular circumstances. In my top ten someone said that they were surprised security culture was not in there, and if there is a sharing culture you can enforce a good security practice; if not, it goes the other way.”

He said that when auditing cybersecurity, you learn where the gaps are, and it is rare that the company security function already fully and correctly understands its own status. “Intelligent hackers are also looking for those gaps, and the purpose of an audit is to find out those gaps first so they can be addressed,” he said. “One key thing missing in most organizations: they usually don’t have an independent annual audit, robustly checking what they’re doing by an audit entity with nothing to lose or gain from the outcome. Unless that happens, an organization will have no clarity over their real security position.”

Meeuwisse said that the point of an audit is to check, firstly, that the security function is providing the right processes and procedures, and secondly that the business is following those procedures. “Unless you do a regular audit, you cannot check that the right things are happening.”

He recommended that businesses learn to recognize the symptoms of failure: the security function often knows there are unresolved gaps, yet nothing is done to fix them.

“Finding gaps is important and using a framework is straightforward, but remember if you’re auditing cybersecurity you don’t take accountability and responsibility for what they are not letting you check on,” he argued. “You can only be responsible for the scope that has been approved. If that audit scope has significant gaps, undetected problems will continue to be present and cause you problems later on.”
