The idea of audits probably irks the average person, invoking fears of having to retrieve crinkled receipts or pour over ancient invoices. Not all audits are financial, however, as some can be operational or technological, investigating anything from energy consumption to risk exposure. Yet all audits examine whether something is inaccurate, dysfunctional, or amiss, and thus can only at best confirm what was hoped or presumed to be true anyway. Information security leaders are not free from this burden, regularly having to provide audits of their services to appease clients and prove the efficacy of their defenses.
Security leaders don’t like these audits. That much was apparent in recent IBM research that studied the roles and responsibilities of security professionals. The respondents explained their aversion to audits, calling the exercises expensive and time-consuming and, thanks to the rising incidence of data breaches, in high demand.
The irony is, considering their purpose in assuring safety, audits don’t promote a thorough approach to security. Instead of examining entire security ecosystems, they encourage a checklist mentality that assumes protection is guaranteed based on the well-being of a mere sample. Moreover, the problems they do uncover are often repeats that keep security teams from investigating the underlying causes by focusing their resources on fixing recurring symptoms.
One answer to endless audits is automation—automated compliance monitoring, that is. Where audits and other repetitive security procedures lack, automation excels, providing a security perspective that is both faster and more holistic. Automated compliance tools assist every step of the way, continuously surveilling entire databases and systems, investigating and addressing suspicious incidents, translating findings and initiating report deliveries to reassure auditors.
Automated compliance monitoring is more than just an aspiration. Many an enterprise, aware of mounting regulatory requirements and the sky-high cost—in both dollars and public perception—of a security breach, are looking for ways to revamp their governance, regulation and compliance efforts. A 2014 report to the U.S. Congress on implementation of the Federal Information Security Management Act demonstrated how automation is fast becoming a standard in the public sector. For certain cohorts of federal agencies, automated configuration management jumped from 54 percent adoption in 2012 to 80 percent in 2013, while automated vulnerability management spiked from 65 percent to 87 percent in the same timespan.
So as the volumes of data and the responsibilities of their caretakers expand, proof of comprehensive compliance will become more complicated and also more often requested by clients. The key is to have a vigilant system with a panoramic view of security procedures, which is where automated compliance becomes a valuable instrument.