Audits as security training.

Hey everyone,

Today I wanted to talk about audits. I know, I know, not super interesting.

But I think that audits have gotten a bad rap. Or at least from my point of view.

Whenever I have thought about audits in the past, there was always some form of dread attached. A stigma, perhaps. I think this point of view comes from Hollywood. If you think of an auditor in your head, right now, I can probably describe them. Let’s try:

A pointedly unremarkable 40-something man in a black suit, black tie and a white shirt. Perhaps they are wearing glasses, and may be carrying a briefcase.

Was I pretty close? I think I was probably pretty close.

An auditor, as Hollywood tells us, is there to check up on you. They are there to make sure that you cross the t’s and dot the lower case j’s. They also seem like they are a symbol for Government waste.

I think we should change our minds about that.

We have audits all the time where I work. It seems like there is a continuous stream of pointedly unremarkable men in black suits with or without glasses and briefcases in our office.

I recently switched jobs from being a tester to being in the security team. It’s a huge change, and a huge challenge, both of which I am pretty stoked about. It also means that I now have to be in on the audits.

Being in on the audit from my side meant that I was able to brief the auditor on the type of security awareness training we do with the developers, and others in the organisation.

Obviously we want to develop our code in a secure manner, but we also like to help everyone out with general security advice. If we build a mind-set among the people that we work with, and help them to live and develop more securely, it’s a non-zero-sum game.

For this reason, I think we need to re-assess how we perceive audits. I think there is a lot of opportunity to treat audits as a form of training.

In our audit there was a lot of ground covered. It went over everything our business is about, and everything it was made of, from front to back. Some of it I began to understand properly for the first time.

This is not an indictment of our training process. Whenever we have a new starter, they are invited to a bunch of awesome sessions where various groups go through their functions, and how they are achieved in the organisation.

Every new starter will go through this, so they can get a feel for the business. Developers, testers, analysts, all are welcome. The idea is that you get an overview of how the business machine functions, and who to go to if you ever encounter problems.

I remember some of the sessions I had, even though they were a few years ago, so they are pretty good, if not at least memorable. I think we should embrace audits in the same manner.

Audits as training.

When you are having an audit performed, you essentially have a couple of days, to a week, to explain the entire business vertical to your auditor. You also have to go through the entire architectural structure of how your applications work, and how your environment functions.

This is prime security-training territory. Learning how the business works from top to bottom is in my view one of the most effective ways to understand the type of problems you will face, day to day. You learn how the applications function, and what things they should or should not be expecting to handle.

There are pieces of information that I discovered in our audit that have already helped me identify areas to direct my attention. These things would have been hidden from me otherwise, or at least obscured, in our otherwise excellent on-boarding sessions.

I came away from the audit with a much deeper knowledge of our systems, and of our infrastructure in general. Perhaps this is already well known in the IT Security industry, but it struck me as really useful, and something I really wanted to share. Very different from the Hollywood version, which offers several days of utter boredom.

I would love to hear from you if you have similar experiences to share, or vastly different ones.

I can see that once you have done an audit or five, it could become repetitive, and seem like a waste of time. Especially if you are treading the same ground that you have done on multiple occasions.

Maybe I will change my tune with time, but for anyone out there that is wondering how to train a new security analyst, malware researcher or infrastructure person, please consider bringing them with you on audits. I think it will teach them more about the intricacies of the business than it is possible to get otherwise.

It can also really help new employees to grasp the Service Level Agreements that you may have with your customers, and the reasoning behind sometimes obscure business logic.

So that’s it for this week. Please take your newbies on the audits. Maybe they aren’t fun for you anymore, but they might be for us!

I hope you have an awesome week!
