What's a single piece of advice you'd give for conducting a thorough and effective security audit?

Question

In the quest for a robust defense against digital threats, we've gathered insights from top cybersecurity professionals. From fostering internal audit cooperation to adopting a hacker's mindset, here are five critical pieces of advice shared by analysts and founders on conducting a thorough and effective security audit.

John Milor · Answer

There is a distinct difference between internal and external audits and recommendations for both.
For internal audits, I have found it helpful to remind those being audited that I am there to help them; we're on the same team. To diffuse the adversarial nature of audits, I make it clear that my job is not to make anyone look bad but rather to help them shine. This is where I leverage the 'What's in it for me?' principle. I do not include only discrepancy findings in my reports, but I start with highlighting strengths. That way, those responsible for the work that is audited can refer to my unbiased audit reports for their employee evaluations. This helps with interview transparency, which improves the quality of the audit.
A risk analyst is also likely to have more access available on a given network or environment when conducting internal audits. With this in mind, the risk analyst should obtain at least read-only access to as many systems tied to the control framework as possible. For example, if the risk analyst has read access to Tenable scans, allow Tenable to answer questions about whether vulnerability scanning/patching is taking place. A risk analyst is better off using system/network/cloud tools to answer control questions, rather than taking the word of a subject matter expert with a potential for bias or human error.
When it comes to external audits, the stakes are higher, but there is still a tactic to diffuse an adversarial environment. I still start by referencing strengths, and I also make it clear that my job is to find possible vectors of exploitation before a real adversary finds them. While external audit findings can result in negative impacts, these impacts are still not nearly as detrimental as a system or network compromise, a major unplanned outage, or other types of negative impacts that audits are designed to detect. A proactive defense is always better than a reactive defense.
Secondly, the axiom popularized by President Reagan, 'Trust but verify,' is the rule of thumb for any audit. Simply answering 'Yes' or 'No' is not sufficient for most audit checklists. Each answer should include a narrative, and when a question is answered 'N/A,' there needs to be a justification with solid reasoning. Additionally, answers carry more weight when accompanied by sufficient evidence, such as reports, screenshots, configuration files, examples of settings, logs, and the like. An audit is only as good as its evidence.

Brandon Daab · Answer

The single most important piece of advice that I have is to have a complete and thorough documentation trail. It is all well and good to say that the audit was completed, but if you are unable to prove that it was completed, then it is like it never happened. Being able to show the results, who completed it, and when it was completed is paramount. Then, ensure that the results are stored in an organized and protected location.

Veryl White · Answer

When clients inquire about the pivotal factor to consider when preparing for a comprehensive security audit, I consistently advocate one cardinal principle: Focus on the execution of a thorough risk assessment prior to the commencement of your security audit for the following reasons:• To demonstrate due diligence to regulators, stakeholders, and customers by identifying and addressing potential risks.• To align security efforts with the organization's strategic objectives.• To enable the prioritization of security measures based on potential impact.• To ensure the efficient allocation of resources towards mitigating high-risk vulnerabilities.• To facilitate continuous improvement by adapting security measures to evolving threats and vulnerabilities.

Saif Azwar · Answer

To conduct a security audit, you first need to understand the purpose and scope of the audit. Determine what you are trying to achieve: Are you measuring your security maturity levels, meeting regulatory requirements, or preparing for a merger or acquisition?
Once you understand the audit’s purpose, identify all assets through interviews, questionnaires, and discovery tools. Assets are not only technological elements; they extend to include people, processes, procedures, and more.
This process will help you understand your digital footprint and effectively measure your security implementation levels and posture. By adhering to these steps, you can ensure that your security audit is conducted effectively and comprehensively.

Alex Stasiak · Answer

As the CEO of Startup House, I would advise conducting a thorough and effective security audit by thinking like a hacker. Put yourself in their shoes and try to identify potential vulnerabilities in your system. Don't just focus on the obvious areas, but also think outside the box and consider all possible entry points. Remember, the best defense is a good offense, so stay one step ahead of potential threats by constantly testing and updating your security measures.

What Are The Top Pieces of Advice for Conducting a Thorough Security Audit?

What Are The Top Pieces of Advice for Conducting a Thorough Security Audit?

Foster Internal Audit Cooperation

Maintain a Comprehensive Documentation Trail

Conduct a Pre-Audit Risk Assessment

Identify All Assets Clearly

Adopt a Hacker's Mindset