The Five Stages of Compliance Audit Grief

Any psychotherapist will tell you that there are a range of mind states adopted when dealing with grief of any kind. The popular Kübler-Ross model lays out a progression through denial, anger, bargaining and depression before finally reaching Acceptance (DABDA for short).

Nothing changes when dealing with the grief caused by having to manage a GRC compliance audit. The good news? You will get through it.

Some of us will need therapy during and after an audit – that’s not unusual – but the received wisdom is that all the other conditions of anger, denial, depression and bargaining will never truly provide a lasting solution. In fact, the sooner you can get to acceptance, the sooner you can move on – closure can be yours.

However, can a compliance audit really be considered as a form of grief? If you are involved in an audit, do you recognize any of these behaviors in yourself or colleagues? If it really is the case then, by extension, could we coach ourselves through the process to become more effective at dealing with future audit situations?

The Client Story: Compliance Audits for 11 Business Units – Good Grief!
By way of illustration, we recently worked with a major national corporation undertaking a PCI DSS audit for 11 business units simultaneously – enough to give anybody grief. When we applied the classic DABDA model to their change in attitude over time, there was a surprisingly good correlation.

1. Denial: The first stage of compliance audit grief involves denial. In our instance, the client did exactly this, denying they had a problem and ignoring the very real issues they had with their existing compliance capabilities: namely, huge costs to upgrade and operate their change control system, and no logging of any value. The fact that they had a major audit approaching led to…

2. Anger: The heat was on and they were blaming each other for their predicament. Most organizations with compliance responsibilities will resent the expense and disruption. Your therapist will tell you that if you are angry, this is actually a good sign – it shows you are making progress: you should be pleased!

3. Bargaining: Could they delay the audit? Could they go back to what they were doing before? (In this scenario they were actually in the process of migrating to a better real-time file integrity monitoring solution from a new supplier – the existing change control and logging they had in place was considered unfit for purpose, although they had passed previous audits by the skin of their teeth.)

It’s a pretty common approach to adopt: ‘We don’t have the time to do this properly, so let’s just try and make it through the audit this time, BUT next time we will do things properly well in advance.’ Would the results from a couple of vulnerability scans show enough willingness to make your auditor go away? Sometimes it is enough, but you’ve just made your problems ten times as bad if you then suffer a breach having taken shortcuts and bypassed key security best practices such as file integrity monitoring and logging.

4. Depression: Nowhere to run, nowhere to hide? Feelings of hopelessness are a natural reaction, because the work still needs to be done and time has now been wasted trying to ignore the inevitable and getting enraged. In this case, it began to feel like there was too little time to cover everything needed. Systems that were in scope for PCI had to be hardened, with logging and change control implemented to maintain security. For centralized logging and FIM, network routing had to be configured, and with an outsourced network and IT function, this only added further bureaucratic inertia to the PCI project.

However, to use a favorite cliché of all therapists, it is always darkest before the dawn. Now that the denial, anger and bargaining had all passed without any respite from the audit, it was time to face facts. Only at this stage did they begin to make progress.

5. Acceptance: Finally, it was time to get on with it. With the PCI QSA and the new FIM/logging solution provider collaborating, the client made a complete shift from what they had been doing in the past. They moved from bluffing and winging it through an audit to actually adopting and operating security best practices, in a way that meant their daily and weekly routines gave the security assessor exactly what they wanted to see: configuration changes and all other activity captured, then automatically analyzed for suspicious behavior to reveal any security breach.

Lie down on the Compliance Audit Couch
While most therapists use a couch to get to the root of their client’s issues, compliance audit grief is much simpler to diagnose and cure. Few of us will ever be pleased to be subject to a compliance audit, as there will inevitably be time and effort required to work with an auditor to give them what they need, not to mention that there is often additional financial expense.

However, a compliance audit is good for you. Reviewing the operation of security best practices within your organization and taking a long hard look at where you may be vulnerable to attack is time well-spent. Take ransomware, for example. Are your mitigation measures comprehensive or are there gaps? How well prepared are you to deal with a ransomware infection? Now is the time to ask these hard questions, not after the event!

The key lesson is to recognize the stage of compliance audit grief you are experiencing and if it is anything other than acceptance, lie down on the couch and let it all out – you’ll feel far more secure at the end of it all.