March 3, 2016

4 Reasons why security auditing just isn’t enough for CIOs

Markus Melin

Head of Tieto Security Services, Tieto

The role of CIOs in our hybrid world isn’t always enviable.

They feel the heat coming from all directions: cyber security issues, employee requests for better tools and easier access to data, tightening bureaucratic and legislative protocols, the drive for cost reductions, privacy of personal information… Add the increasingly common shadow IT, i.e. the unauthorized use of systems and solutions, and everybody understands it is a lot to handle.

Just like a traffic officer standing at a crossroads, the CIO must deal with the swarming traffic in a hurry and with inadequate tools. Traditionally, they have used auditing to stay on top of things.

The role of audits in enterprises is strong for an understandable reason. They trace back to economic processes and serve as the backbone for the review of accounts. As time has passed and business environments have grown more complex, the demand for corporate controls has evolved. Thus, audits are nowadays the main checkpoint for company security as well.

Unfortunately, this isn’t enough anymore. In the era of the mobile workforce, cloud computing, BYOD, and the Internet of Things, traditional auditing just doesn’t cover all the angles.

1. 24/7 operations

The normal procedure nowadays is to order an annual or quarterly audit. Cyber security is one part of that risk management. When closing the financial accounts, this is a crucial and sufficient measure.

This doesn’t apply to the online world, where employees, devices, and software are connected 24/7. A snapshot of the situation today is just a temporary glimpse. If a security breach happens one week later and the CEO starts bombarding the poor CIO with furious questions, that audit report doesn’t give the answers needed. It doesn’t ensure business continuity, damage containment, or business development either.

2. Inadequate impact on infrastructure

Often, very few people see the results of the security audit, especially if audits are seen solely as a high-level security matter.

It's not unusual for the report to get buried somewhere under other similar reports. It may also happen that the status information doesn’t reach the staff who could help interpret the data. If the audit has no broad impact on the infrastructure or practices, why was it ordered in the first place?

3. Too technical for the CxO

For a long time, IT has been a universe controlled by experts. If you had a problem in your network and asked the system administrator what was going on, the answer was usually too difficult for a non-IT person to understand.

The same problem lies in IT reporting. Many vendors provide very technical incident reports on their own narrow field. What the CxOs want is a comprehensive and strategic overview with actionable information. Nobody wants to lose the top executives in translation. After all, they are not only the ones who make the decisions but also the ones who write the checks.

There is an art to making difficult procedures understandable for everybody. In cyber security it isn’t easy, but it can be done.

4. Human mistakes are not accounted for

As I wrote earlier, it is a hard fact that a large portion of security issues trace back to your own staff. Be it accidental or deliberate, that is where CIOs must pay closer attention.

Unfortunately, security audits are not a comprehensive tool for managing employee behaviour. Sure, authorisation and access management are usually covered. But the perspective on day-to-day work is often lacking, and that is crucial for arranging suitable compliance training and guiding changes to codes of conduct. Weaknesses found in processes and work methods should be addressed with thorough, broad learning programmes rather than a new top-down guideline without any explanation.

There is an old saying: “where there’s a will there’s a way”. It applies well here.

Should we ditch audits?

No. Auditing is not futile. On the contrary, it serves a very important need. But when it comes to security, companies need more than a rear-view mirror.

I’ve had many conversations about these issues. Business continuity relies on trust from both customers and partners, and cyber security is at the core of building that confidence. What CIOs are lacking is a strategic tool that gives instant, real-time information on the security status.

Luckily, new business models are being invented and implemented. Let us know what you think of our approach to strategic security management and what would be the most valuable thing for serving your business needs.

For more depth, please see our white paper.
