Preparing for a compliance audit…and why companies aren’t


Compliance Audit

Ideal World

In an ideal world, a robust Information Security Program is a prominent feature of any IT or service organization’s security, compliance and audit strategy. An overseeing governance, risk and compliance (GRC) committee, comprised of key stakeholders, would complete a risk assessment prior to a service being launched, with process and system risks identified and remediation plans in place. Personnel with responsibility for sensitive data would undergo requisite security checks and training. Perimeter and internal security monitoring applications would be correctly configured to monitor for malicious events. Key metrics from monitoring services and security processes would have been reviewed by the GRC committee, with changes made to enhance security program effectiveness.

Compliance Reality

In the real world, however, the story is usually much different.  To understand why, it’s important to note the difference between operations and security, and how those differences create the issues most organizations face when preparing for a compliance audit. “Operations” is a term that describes the processes in place for the organization to function and serve customers. In the short term, an organization will favor operations processes that allow for more connectivity to services and access to data, as ease of access drives a good customer experience.  Typically, the more mature an organization’s operational processes are, the more successful the organization will be in securing, retaining and serving customers.

Often security is seen as the exact opposite of operations – restricting access to systems and data to ensure that unauthorized personnel cannot access them. Organizations with immature security programs often find operations and security to be at odds. Implemented correctly, however, security and operations processes do not have to impede one another. In fact, any IT organization that is not supplemented by an effective enterprise-wide security function is akin to a runaway train headed for a crash. Security can be thought of as the processes that prevent a crash, and help get the train going again if an incident occurs.

The reason many organizations have little to no security is simple: operational processes are needed to generate revenue, and security is a cost center. At an organization’s inception, the majority of budget and resources are thrown into operations. Simply said, if revenue is not flowing in, the organization will likely cease to exist before its first security incident is detected.

When weighing the cost of security against revenue generation, security often becomes a lower priority. Unfortunately, this choice results in the overall neglect of security.

Often, an organization is completely unaware of its own information security posture until one of two things happens:

  • The organization suffers a data breach
  • The organization is required to undergo a third-party security assessment due to a client or government entity request

If either of these scenarios terrifies you as a key stakeholder in an IT organization – GOOD.  That means you’re ready to do something to reduce the risk of finding yourself in either of the above situations.

Stay tuned for part two of this blog series, where I’ll identify the steps required to get your organization “audit ready” or simply get started implementing a security program.


Bryan Graf

Principal Consultant, Sienna Group LLC