It’s Not Just You: IT Security Audits are Stressful

Hannah Young
Hannah Young
.
March 10, 2023
5 min
 read

It’s not just you: IT security audits can be a pain for everyone involved. Audits are essential to your organization’s security, but they’re onerous and take a lot of time, collaboration, and enforcement to be effective. However, when you break down each of these concerns, solutions like resource allocation, collaboration, and automation (and any other “-ation” you can think of) can make auditing season just a little bit easier.

Time

Image of two people sitting under a tree, one of them says “Of the four dimensions I could have soent my life being pushed inexorably forward through, I guess ‘time’ isn’t the worst.”
Image by xkcd

One of the top searches regarding security audits is “why do security audits take so long?” Long review times are a significant pain point in these audits; third-party auditors can take a long time, and slow response times from other teams in your organization can add to the frustration.

Non-security teams may slow down the process because they can view audits as strictly a security problem rather than theirs to worry about. They may not answer their user access review emails or adhere to the necessary process. However, a brute force approach (like “answer my email or you lose all your access”) is usually not an acceptable tradeoff between business and security and usually doesn’t feel right to either side.

A feminine person with an orange shirt and pink lips says, “Wally, are you almost done with your part of the project?” Wally, bald with glasses, wearing a green tie, and holding a coffee mug, says, “I work best under pressure, so I wait until the deadline is almost here.” The feminine person says, “what if something more important comes up and you don’t have time?” and Wally says, “that’s the corner stone of my system.”
Image by Scott Adams Inc.

For these reasons, it’s important to consider resource allocation and collaboration during an IT security audit. Audits can take up considerable time and resources, resulting in paused or delayed essential projects. While there will always be opportunity costs, these can be mitigated by prioritizing tasks and allocating resources effectively ahead of time to ensure the audit is completed promptly and efficiently without sacrificing important work on any team. Infosec is a whole-company endeavor and requires everyone’s involvement to be effective because security threats can affect any member of your organization.

Collaboration

A web with “Admin account” bolded and connected to “User account on my laptop” which then connects to “Dropbox”, “photos & files”, “Facebook”, “Gmail”, “Paypal”, and “Bank.” The caption says “if someone steals my laptop while I’m logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can’t install drivers without my permission.”
Image by xkcd

Compliance is often seen as a Security/GRC/IT problem, but it requires the entire organization’s buy-in to be effective. Almost every compliance framework involves some form of employee education, process enforcement, behavior change, etc., meaning that they need the team handling the main portion of the audit (Security / GRC / IT) to solicit cooperation from other teams for it to work.

Getting non-security/IT/GRC people to care about audits — and security in general — can be challenging. While not a cure-all, collaboration is critical to creating an understanding between teams and thus constructing more effective security practices that reflect the genuine needs of your organization (a concept we expand on in “Cybersecurity Is More Critical Than Ever, and You (Yes, You) Can Do Something About It Now” and our RSA piece “RSA Conference™ 2023: Stronger Together”).

Image of two people in suits, Person A has a briefcase that says “AUDIT” and Person B is throwing paper into a giant incinerator. The caption says: “…and here’s our filing system.”
Image by Huw Aaron

In addition to general collaboration, lack of adherence is another obstacle that must be addressed. People may not use policy documents, and enforcement can be challenging when people feel as though compliance checklists don’t reflect everyday usages or appear too abstract to be practically useful.

Enforcement/Ineffectiveness

A common complaint about compliance is that compliance checklists can feel disconnected from security reality. When policy docs are created but not used, and some continue to rubber stamp every request anyway, it’s hard not to see the compliance process as ineffective.

A bar chart titled “TIME COST.” ‘Strategy A’ and ‘Strategy B’ have a small time cost with Strategy B being only slightly larger, and the category ‘Analyzing whether Strategy A or B is more efficient’ is about six times larger than ‘Strategy A’ or ‘Strategy B.’ The caprion says “The reason I am so inefficient”
Image by xkcd

One solution is to revamp the documentation process to reflect actual usability. However, even when documents are written with good intentions (i.e., when they actually can work to enforce a policy), manual enforcement is difficult to ensure, and things can fall through the cracks.

User education can help here, especially in addressing the fact that people don’t want to be bad at security. Rather, many are just frustrated by not knowing what to do or by believing the best practices to be too complicated or challenging. Educating your org about your security policies can aid in their enforcement, especially when rolling out controls everyone will use, like 2FA or phishing email reporting.

Automation

Image of a person in a suit behind a desk talking to 20 or so people in suits with briefcases that say “AUDIT” on them. The caption says: “Following our thorough and extensive cost savings audit, our recommendation is that you spend less on auditors”
Image by Huw Aaron

While frustrating, security audits are a necessary part of keeping your organization secure (these audits can also be revenue-critical, and CISOs are often left “carrying the bag”). In brainstorming possible changes to the auditing system, some have looked to automation for an answer.

There are various prospects in the world of automating away the user access review portion of audits, but in general, the more your security practices are automated, the easier your IT security audits become. Crosswire has an entire blog post expanding on automation practices here, detailing that upfront investments in identity security products can save you time in audits later on.

White Crosswire logo over light blue, indigo, pink, orange gradient

Take, for example, if you have a security incident, like an active PagerDuty incident. With an automated security tool (like Crosswire’s), this can be automatically linked to the #active-incident channel so that whenever someone is added to that channel, Crosswire can automatically make that person eligible to pull Prod DB logs from AWS (the person can also request access and be automatically provisioned access). After a few hours, Crosswire can ensure the access is deprovisioned while recording a trail of all the events to make your subsequent audit that much easier.

Four-panel comic. Panel One: Man A with a blue T-shirt and glasses says, “For the security we said we’d hire someone to…” and Man B with a collared shirt and sweater over it says, “Hold on, that’s not the priority. Let’s get the project started first, we’ll see about that later…” Panel Two: Man A says, “Hey the project is nearly done, we should do a security audit to…” and Man B says “Too late man, we don’t have the time or the budget for that.” The site then gets hacked and Man B is upset.
Image by CommitStrip

While there are some preemptive practices to help the process, audits are still a difficult time for your organization. However, between resource allocation, collaboration, and automation making audits a little bit easier, you can help make your organization more secure by staying ahead of even more time-consuming and costly security incidents and compliance fees.

To stay up to date with Crosswire on all things infosec — trainings, webinars, blog posts, and more — come see us at Booth 21 at RSAC 2023 and sign up to receive our updates below!

More from our blog

How to Detect and Remediate Identity Threats; Solution 1: Detect

This is Solution 1: Detect of a two-part series on how to detect and remediate evolving identity threats.

Hannah Young
.
5 min
 read
AI D&R: AI (in Security) is Dead; Long Live AI (in Security)

Explore the historical use, modern approaches, and future applications of AI in detection and response (D&R).

Hannah Young
.
8 min
 read
Quick RSAC 2023 Recap: We’re Back (and Stronger Together)

From Armisen to AI/ML, catch up on what you missed from RSA Conference 2023 with Crosswire!

Hannah Young
.
4 min
 read
Defending Against Threats in Identity Security; Part 2: Remediate

This is Part 2: Remediate of a two-part series setting up emerging problems in identity security.

Hannah Young
.
6 min
 read
Why Now’s the Perfect Time to Join an Early-Stage Startup

If you’re looking for the right time to join a high-risk, high-reward venture, we’d argue that there’s never been a better opportunity.

Hannah Young
.
3 min
 read
Why RBAC is obsolete

RBAC lacks sophistication and flexibility, failing to address the access needs of the modern company.

Hannah Young
.
3 min
 read
Defending Against Threats in Identity Security; Part 1: Detect

This is Part 1: Detect of a two-part series setting up emerging problems in identity security.

Hannah Young
.
5 min
 read
Identity Is a Co-owned Problem Between Security and IT

Who owns identity at your org? Identity is (and should be treated as) a co-owned problem between security and IT.

Hannah Young
.
5 min
 read
Your Okta Groups Should Be (Mostly) Empty

Yep, you heard that right; we at Crosswire believe that your Okta groups should be as empty as possible.

Hannah Young
.
2 min
 read
The Founding of Crosswire as Told by Its Values

Crosswire, and its co-founders Johnny and Nick, are building the future of enterprise identity in new and exciting ways.

Hannah Young
.
7 min
 read
RSA Conference™ 2023: Stronger Together

The theme for 2023’s RSA Conference™ is “Stronger Together.” When info security is more important than ever, so is collaboration.

Hannah Young
.
6 min
 read
6 Early Warning Signs of an Under-Resourced IT Organization

It’s no secret that your IT organization is crucial to your company. But are they getting all of the resources they need?

Hannah Young
.
5 min
 read
Cybersecurity Is More Critical Than Ever, and You (Yes, You) Can Do Something About It Now

Why cybersecurity is more crucial than ever and what you can do to make your organization more secure, no matter your role.

Hannah Young
.
7 min
 read
Understanding Automation: How To Do More Than You Have the Resources For

Five significant ways to improve your workflows with automation and get more results than your resources permit.

Hannah Young
.
5 min
 read
Google Workplace Organizational Units (OUs) according to Parks and Rec

What are Google Workplace Organizational Units, and how do they work (according to Parks and Rec)?

Hannah Young
.
5 min
 read
Practical Survival Guide to Okta Lifecycle Management

Crosswire’s technical usability guide to Okta Lifecycle Management (LCM), from onboarding to offboarding.

Hannah Young
.
6 min
 read
Authorization (AuthZ) and Authentication (AuthN): A Brief History

Authentication is who you are, and authorization is what you can do. Here, we dive into the history of these terms.

Hannah Young
.
5 min
 read