Auditors can be friends of good security, or its foe, according to the Infosec Big Debate at Infosecurity Europe 2013.
Speaking for the motion "Is the auditor a bigger threat to information security than the cybercriminal," Paul Simmonds, board member of the Jericho Forum, argued that auditors are incentivised to maximise their billable hours, and so to find faults in the companies they are auditing.
This, in turn, can lead to a checklist or flowchart approach that is often based on outdated, and irrelevant security practices. Worse still, companies can be force to address perceived shortcomings in order to clear audit points, diverting time and resources from tackling the real security threats.
Opposing the motion, Jitender Arora, senior programme manager for security and risk at GE Capital Europe, argued that auditors were stakeholders that shared a similar set of objectives to him: protecting the business. Security professionals should work with both internal and external auditors to identify any vulnerabilities or risks, and to ensure that they are addressed.
The shared objective, he pointed out, was to detect, deter and block cybercriminals. Companies should draw on all the resources at their disposal to combat attacks, he suggested. Internal audit, in particular, can be a freely available resource to draw on to identify, and help to lock down vulnerabilities.
None the less, Simmonds argued that auditors often emphasise the wrong measures.
"Irrelevant audit points get escalated so they have to be fixed tomorrow. Clearing audit points becomes the priority rather than fixing holes hackers can walk though," he said.
"Auditors cause more losses to companies as they are forced to put in solutions that are expensive and irrelevant to the business, taking security budget away from the things that are relevant to the business. You are unable to put in place the things that you have defined as strategic," he added.
"If you do not want your security strategy dictated by a 1990s check list, forced to spend that hard fought-for budget on non-strategic measures, if you want to downgrade your security due to knee jerk reaction to audit points, support this," he said.
But Arora countered: "If someone says there are problems I don't get defensive about it. If there is trust established, we are both trying to protect what matters to us: the organisation's interests. What we need to do is build a healthy relationship," he said.
Summing up, debate chair Dan Houser advised: "Don’t blindly accept auditors. Work with internal audit so that an external audit doesn't bring you surprises."