Automation and audits: an analysis

The idea of audits probably irks the average person, invoking fears of having to retrieve crinkled receipts or pour over ancient invoices. Not all audits are financial, however, as some can be operational or technological, investigating anything from energy consumption to risk exposure. Yet all audits examine whether something is inaccurate, dysfunctional, or amiss, and thus can only at best confirm what was hoped or presumed to be true anyway. Information security leaders are not free from this burden, regularly having to provide audits of their services to appease clients and prove the efficacy of their defenses.

Security leaders don’t like these audits. That much was apparent in recent IBM research that studied the roles and responsibilities of security professionals. The respondents explained their aversion to audits, calling the exercises expensive and time-consuming and, thanks to the rising incidence of data breaches, in high demand.

The irony is, considering their purpose in assuring safety, audits don’t promote a thorough approach to security. Instead of examining entire security ecosystems, they encourage a checklist mentality that assumes protection is guaranteed based on the well-being of a mere sample. Moreover, the problems they do uncover are often repeats that keep security teams from investigating the underlying causes by focusing their resources on fixing recurring symptoms.

One answer to endless audits is automation—automated compliance monitoring, that is. Where audits and other repetitive security procedures lack, automation excels, providing a security perspective that is both faster and more holistic. Automated compliance tools assist every step of the way, continuously surveilling entire databases and systems, investigating and addressing suspicious incidents, translating findings and initiating report deliveries to reassure auditors.

Think automation, not audits

Automated compliance monitoring is more than just an aspiration. Many an enterprise, aware of mounting regulatory requirements and the sky-high cost—in both dollars and public perception—of a security breach, are looking for ways to revamp their governance, regulation and compliance efforts. A 2014 report to the U.S. Congress on implementation of the Federal Information Security Management Act demonstrated how automation is fast becoming a standard in the public sector. For certain cohorts of federal agencies, automated configuration management jumped from 54 percent adoption in 2012 to 80 percent in 2013, while automated vulnerability management spiked from 65 percent to 87 percent in the same timespan.

So as the volumes of data and the responsibilities of their caretakers expand, proof of comprehensive compliance will become more complicated and also more often requested by clients. The key is to have a vigilant system with a panoramic view of security procedures, which is where automated compliance becomes a valuable instrument.

1 responses to Automation and audits: an analysis

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Pingbacks & Trackbacks