First, I want to make sure we are in the same playing field. This post is specific to audits that are not driven by a regulatory purpose. It does not apply to SOX audits, or financial audits, or GLBA audits. It does not apply to the FTC calling you to ask polite questions about COPPA compliance, nor the ITA inquiring (also politely) about your intriguing, public GDPR statements made in the Privacy Shield portal. It also does not apply to an audit forced upon you because you, naughty naughty, got breached and had a forensic examiner appointed by an agency whose sole goal is to attribute blame to you so that they can make an example out of you (ask me in person, I have some fascinating stories in this area).
I am explicitly referring to voluntary or private industry audits acquired by many firms across all industries that purportedly show their adherence to security standards. Examples include SOC2, ISO27001/2, PCI, HiTrust, and so on. Yes, I know it will come as a shock to some that PCI is not law, or that HiTrust is not bound to HHS regulatory approval, but them are the breaks. PCI itself is a special case, because while retail and hospitality firms are required to do it as part of their commercial reality (basically, VISA tells them to) and in that context this column does not apply, many other firms (most often SaaS/PaaS players with retail and hospitality customers) choose to obtain PCI audits for the same purpose as the others - showing adherence without being required to do so.
So now that the stage is set, let me get into the making everyone upset at me part. I'll start with a simple question:
What is the purpose of these audits?
Oh, I can hear the litany of answers: it's a way to measure our security. It's a way to prove that we are secure. It's a way to exhibit a strong security posture.
Or the more advanced versions: it's a way to remove sales barriers. It's a way to provide reassurance to prospects that we are secure. It's a way to cover our asses by having a provable and generally acceptable level of due diligence of our security program.
I use these latter ones myself fairly often because they are easy to understand, and are better aligned with business goals. But they still skirt around the edges.
So again, what is the purpose of these audits? Drilled down to the very core of the question, I mean. Why are we doing them?
Because they provide commercial grease.
The reason we do them is to ease the inherent, ever-existing commercial contract tension between business customer and provider. For one thing, you don't typically see a consumer-facing company doing these unless they also have business customers, which is one very big clue as to their real purpose. The reality is that b2c companies generally carry all the liability of dealing with consumer data on their books anyway (largely via the means of the ever-popular class-action lawsuit), so they don't have to prove anything to anybody. They have bigger problems to deal with. In the b2c world, the company is the parent, and the consumers are the children to be protected from evil forces and the parents' terrible tendencies to misuse drugs and alcohol and engage in depravity.
b2b is different. In the b2b world, the underlying assumption is that everyone's an adult. It's assumed to be a consensual relationship. And so, if I run security for a business, and my business wants to engage a vendor that will inevitably see my sensitive data or have access to my sensitive operations, I am under constant pressure to resolve an internal conflict.
What conflict is that? Simply, between my need to protect my own ass - sorry, protect the company from evil vendors - and the business need to facilitate its operations, whatever they may be. Even better, as the security bozo - err, chief - I'm usually in the enviable position of being the fall guy, no matter what happens.
If we sign up with a vendor after I give approval and that relationship is hunky dory, I'm not even a footnote down the road. Nobody gives a damn that I approved it. It's the default expectation.
If I don't approve it, then the business will be upset with me, usually override me (very rarely does this not happen, and if it does, then the business owner who wanted it in the first place didn't want it hard enough), and then all anyone will remember is that I said "no", and the clock for my inevitable replacement as security chief will begin ticking ever more rapidly.
If things do go bad, I'm no better off. If I approved it, then I'm fired. That's pretty much the expectation, too. It doesn't matter what the details or context are, the unwritten part of the job is, I get fired.
If I didn't approve it, but the business overrode me, then I'm still going to get fired for "failing to properly alert" the business, or some other excuse. The reality is that I'm the designated fall guy, and that's that.
And if I didn't approve it, the business didn't go through it, and that vendor goes bad... well, all I'll say is, while it may make me feel happy and oh-so-wise, good luck trying to then come up and toot your own horn without pissing off some other "more important than you" people in the organization. Politically, it's a non-starter, self-back-patting notwithstanding.
I mean, let's be real, people. These patterns are familiar to anyone who has spent any decent amount of time running security.
Now let's switch sides. I'm the security head at the, say, SaaS vendor. Business needs to grow, and my entire role is to support it. If I don't get that to begin with, then I shouldn't be there. Now comes the big enterprise customer, with the person on the other side facing the happy dynamic described above, doing their best to navigate these choppy waters.
Even if I don't realize that one of my goals is to help them - a very common blind spot for security leaders - it is my own unhappy dynamic that then comes into play.
Because nobody's security program is perfect. The reality is that security operations is a difficult, often mind-numbing job, and controls fail all the time. There is no environment anywhere in the world that has a security program that runs flawlessly. That would be the real mythical unicorn, now that the valley has produced about 200 of the other ones all waiting to IPO this year. I don't mean things at the edges; all companies at all times fail to do things like stay on all ze patches, or monitor all ze logs, or ensure that their RBAC model works correctly everywhere and all ze time, or any number of things. You do your best, and hope for the best. If someone really wants to get you, and they have the skillz, they will. That's the reality of security.
Now, if I tell them the truth, then I put them in a position where they have to knowingly agree to deal with me even though I told them all the places where things don't work properly. They can't do that. So now that other person is unhappy because I triggered their internal dynamic where they piss off their business unit who wants to do business with us, which hurts them politically. And my business unit is more upset, and I get fired, because I essentially stopped business from happening. I can scream all I want that we have to improve and be responsible and all that, but nobody really cares. What the company needs to do is sell, not deal with cranky IT morons.
If I lie, then it brings a whole host of issues into play, which I don't need to describe. Lying is never good. Getting caught lying can be a career killer, but it's also just bad karma, and if you outright lie, you deserve what's coming to you. But honestly, I don't think this happens a lot.
My real goal is to find a balance of sorts; present the way things are managed in a reasonable way that will give out enough good vibes to allow the transaction to proceed in an acceptable fashion. That's not just for me, or my business people - it's also for the folks on the other side. They need to be given reassurances they can live with, become comfortable that I don't present a risk to their job.
And this is precisely where these audits come into play. They serve as a shorthand way to get through this awkward phase. They are that first coffee date. What they really do is ease the process of entering into a legal commercial transaction. They grease the wheels of commerce.
For if I am the buyer and I had to do my own audits on every vendor, that's all I'd be doing - forget taking care of my own security. And if I am the vendor and I have to undergo an audit by every buyer, then that's all I'd be doing - forget taking care of actual security. An ISO certification gives both sides a way to agree that some basic level of common understanding is in place in terms of due care. And don't tell me that, with the right budget, you can hire somebody to do your audits for you; if you're in a role with that kind of budget and don't admit that you're simply implementing another mechanism to shift liability, I say you're lying.
Most importantly, though, is that this is all they do. These audits are purely a GTM (go-to-market) effort. They are not about security, they are about sales, and about legal. They make it easier for legal to negotiate liability, because it gives them a tool they can use; vendor agrees to maintain such-and-such audits as a commercial obligation. Critically, they are not designed to "catch wrongdoers", nor to expose issues, nor to make anyone accountable to anything beyond their own existence as a commercial obligation. Those are simply not their purposes.
And an auditor that treats them that way has no business doing audits.
(took me long enough to get to the really upsetting bit, didn't it?)
See, the auditor here plays a weird role. What are they supposed to do? Some auditors think that their job is to ensure that the company choosing to undergo the audit is really, totally doing everything according to the letter of the standard. That is beyond naive. Let's examine that idea: who are you doing this for? Certainly not the buyers, with whom you have no relationship. You're also not doing it for the certification authority - they are not involved in the business between two commercial entities. So are you doing it for the company that hired you? Really? Do you really think that they volunteered to undergo this audit by you just so you can "expose them" and exercise your supposed authority over them as "the auditor"?
Right... and good luck justifying to your bosses why this company will never use their firm again. If you still have a job after that fiasco.
So - is your job to lie down and take it? Well, of course not. If you did that, then word would travel quickly, and your firm would acquire a name as rubber-stampers. While there is plenty of business to be picked up that way, and some audit companies almost take pride in taking this approach, your customers' buyers will end up hearing these rumors too, and may ignore the value of your audit reports, thereby dramatically reducing their utility.
The reality is that, like all of the parties involved, you have to strike a reasonable balance. It's not about what the standard says. It's about your experience, professional judgement, and understanding of your role. Which is simply to apply the oil to the wheels, while giving both parties some assurance that it is indeed some form of oil and not, say, processed sewage. It's definitely not to point out every crack in the can, or ensure that the oil is of the purest grade.
As the auditor in these scenarios, you may be pretending to be a neutral arms-length referee of certain rules. But you are neither neutral (one of the parties is paying you), nor arms-length (you want that to continue), nor really refereeing any rules. Let me put it in a far more crass fashion: you're just there to do an STD screen for an adult patient, before they engage in consensual sex with others. And if you do this right, then you'd be screening them every year for the foreseeable future, because that's what responsible adults do. You are most certainly not paid to do a full physical, comment on their lifestyle choices, tell them to go on a diet, or follow them into the bedroom. If they tell you they are acting responsibly, nod your head, take that blood sample, and give them the results.
Here are things that an auditor should never, ever say when performing one of these audits:
"I am the auditor and it's my decision" (and my decision is to fire you, never hire your company again, and tell all my friends never to hire your company for anything ever)
"I don't care what you tell me", usually combined with the ultimate hammer "that's what the standard says" (standards always have room for interpretation, and if a reasonable one can be made, then that's the one you need to accept - oh, did you think auditing is as easy as checking boxes?)
"It's not my job to tell you how to answer my questions" (if your questions are designed to entrap your customer so that you can then feel the glory of failing them, then I feel really sorry for you. Being flexible and working with your customer is an essential part of your job)
If the company being audited is being egregious in its behavior, then certainly, by all means, do what you feel is necessary. But if you're finding yourself getting hot and bothered about, say, documentation not being to your liking, then help them develop it such that you can accept it. Don't just tell them you have decided that they aren't compliant, and definitely don't give them a report saying that. Because in the end, the only reason they have you there is to give them a report they can use with their customers. It has no other purpose than being a sales tool. And your job, what they hired you to do and are paying you for, is to help them obtain that tool. So help them. Push them where truly necessary, but as long as they aren't of the lying kind, you are serving literally no one by being righteous.
In fact, you're just being an asshole.
And lest someone bring up the objection of the auditor's personal liability or some nonsense like that: I said we aren't talking about regulatory audits. Show me the auditor who suffered personally because they signed off on a SOC2 audit and that company subsequently got breached, and I'll show you a real unicorn.
Before I wrap this, I do want to make sure I state this clearly: the above is not a condemnation, nor does it reflect any negative feeling I have about security audits. I love security audits. I think they are an essential part of commerce in the modern world of e-everything with fuzzy data control boundaries, and if we didn't have them, we'd all be either slowing down to unacceptable levels, or far more likely, not even trying to pretend that we care. But please, I beg of you to treat them as they really are: a GTM tool. Commercial grease.