Auditors and chief information security officers are both focused on finding vulnerabilities, fixing security problems and stopping data breaches. So why do they so seldom see eye-to-eye? This story helps explain:
When I was the first chief security officer in Michigan, my team faced our first enterprise-wide cybersecurity performance audit from 2005 to 2007. This effort was led by the Auditor General Office under the Michigan state Legislature. Initially I thought the upcoming “quick review” (my words to our team) would be an easy, six- to eight-week project that would find some minor issues, balanced with lots of praise for the award-winning work that our team was doing to protect state systems.
But I was wrong — very wrong.
I first sensed my assumptions were off when five auditors showed up for the kick-off meeting. We needed a bigger conference room. My two-month project estimate turned out to be the time needed to just determine the audit scope and topics to be covered, including who needed to be included in upcoming interviews and what documentation was required.
Eighteen months and nine audit findings later, I had learned many valuable lessons. Here are five timeless challenges to address.
1. Misunderstandings. My initial overconfidence was partially based on the assumption that everyone had the same goals. We didn’t. Or, at least we measured “a successful audit” in different ways. I was eager to “show off” our leadership and what our team had accomplished, including national awards for cybersecurity projects. They were not interested in our awards; rather, they focused on repeatable processes and proof.
Also, I assumed our 30-person team would not attract much statewide attention. However, they were hearing “audit the Office of Enterprise Security” from other state agencies. Centralizing enterprise security made us a target, and agencies had plenty of concerns.
Tip: Make sure you read and understand previous audit findings and relevant reports prior to starting a new audit process. Assign a well-trained internal audit lead to help track your progress.
2. Formalities. In almost every area that was discussed, the audit team asked us these questions: What’s the standard? Where’s the policy? Can you prove you are following it? We had many good practices that were not adequately documented, while at the same time we fell short on older policies and procedures that had not been updated or formally communicated.
Tip: Doing some security functions well will not impress auditors if there are no documented standards, policies and procedures to support your efforts.
3. Pride comes before a fall. My team is smarter than your team — or so I thought as CISO. Sadly, we kept explaining “who, what, when, where and how” to the auditors during repeated meetings, and kept getting puzzled looks and incorrect draft writeups. In reality, we were doing a poor job of communicating (see item No. 1 above).
Tip: Review detailed minutes at all meetings and document all requested actions. Pay special attention to gaps and weaknesses identified.
4. Pushback. The initial draft report seemed like a bad nightmare to me, including numerous material findings and no kudos. I called the lead auditor immediately and expressed my dismay. I also followed up with my articulated reasons for disagreeing — even questioning the truth of some statements.
Tip: Be ready to go through the stages of forming, storming, norming and performing. Prepare for tough conversations, but be kind and professional throughout the review process.
5. Negotiation. Our team offered formal counter-arguments to the final audit report, suggested new language, added awards received, actions taken, additional resources needed and more. It was clear that the auditors wanted us to agree with their findings. Finally, we agreed and offered our road map to close all results.
Tip: While we still ended up with (fewer) material findings, we were able to soften the wording and reduce the severity of the initial findings.
Over time, both sides gained mutual respect, and worked together well to strengthen Michigan’s overall cybersecurity posture. Yes, auditors and CISOs can become friends, but it takes work and time — often years — to get there.