Cyber Audits – Failing Open Book Tests

For my 20+ year career, I have been involved in some way with audits. Either as an executive commissioning an audit, an assessor who conducted the audit, a practicioner who defended the company in the audit, or the consultant called in to help clean up when an audit goes poorly. These audits take up a bunch of time, money, and resources. They are typically, but not always, known well in advance which gives organizations time to prepare and put their best foot forward. However, I am constantly amazed by how many organizations either fail audits or struggle to perform well during them. If you think about it logically, this should not be the case. The dates are known well in advance, the criteria are known well in advance (typically aligned to some regulation), and usually the lines of inquiry are also published and well known. With time to prepare and little to nothing unknown, why is this so hard? We as an industry are basically struggling to pass an open book test. If these were always the easiest tests in school, why are they now so hard as a cyber security professional?

I am going to postulate that this difficulty comes down to two fundamental problems in how we do work:

• We can’t find the book
• The book is out of date

At school, you are given a set of school books that are specific to that course. However, at work, we create the book ourselves and then can’t find it. What I mean by that is the test consists of meeting some set of controls in a regulation such as NIST 800-53, ISO 27000, etc. and then we “build a book” of manual Word and Excel files that demonstrate our policies and procedures while providing evidence of compliance. We then store these books literally all over the place. Printed paper in a filing cabinet, buried deep in the inpenetrable labrynth of SharePoint, 11 levels deep in our OneDrive folder, or any myriad of locations in a large corporate environment. To make matters worse, everyone often stores it somewhere different. Bob likes SharePoint, Maria uses OneDrive, Chris put his in SAP, and Wanda put hers in the records management system. The result is evidence is everywhere and nowhere at the same time. When the audit is scheduled, nobody can find their books and it is a huge manual effort to locate them while seldom resulting in a complete set of books for the test. This is half the reason why we fail the open book test.

The other reason is just as difficult. Let’s assume you get lucky and find all your books and are ready to take the test. The next problem is that these books are horribly out of date. Imagine taking a Python Data Science course in college and being given a 1970’s COBOL book to assist you on the open book test. It isn’t going to help a whole lot. We have the same thing in cyber security at work. Compliance documents are a lot of work to create and generally an unpleasant experience. Therefore, as soon as systems are authorized or an audit is passed, they go back on the shelf to collect dust. Meanwhile, the real-world moves on, changes happen across the environment, and systems are upgraded, patched, or otherwise modified along the way. The result is during the time of the test that books are no longer current or relevant to the exam. When you combine these two problems together, it is a recipe for disaster and why we as an industry fail so often to pass our open book tests.

At RegScale, we know there is a better way to move the industry forward and that was the genesis for our RegOps movement. Auditors serve a valuable function. They help drive assurance, find opportunities for improvement, and help organization’s reduce risk. However, the data collection needs to support an audit are often a distraction to the business, pull people off their engineering work, and make audits take longer and cost more than they should. Our goal at RegScale is to bring the principles of DevOps to compliance to be always audit ready. Our API-centric approach allows systems to help certify themselves, keep their assessment evidence up to date with automation, and make it always available and real-time in a modern and intuitive user experience. Auditors have all of the data they need to do their job right at their fingertips and engineers are no longer distracted by data calls and evidence collection tasks.

As more organizations move to the cloud, CI/CD factories are more commonly deployed, and security tooling increases the breadth of its coverage for continuous monitoring of applications and infrastructure, the IT world is becoming more homogenous and data rich. As a consequence, compliance automation is becoming increasingly feasible and cost effective. We are excited to be the first next-generation GRC tool with an API and automation-centric approach to bring DevOps to compliance. Our customers can deploy faster, reduce risk in real-time, and lower the manual labor costs of audits using our platform. With over 7000 global downloads of our free Community Edition, we are excited to see the community embrace our vision for a RegOps movement and we are excited to work with all of our customers on new compliance automation use cases every day.

If you are interested in Compliance Automation and want to join the RegOps movement, contact us today to schedule a demo and see our Continuous Compliance Automation platform in action. With 19 tightly integrated modules, we have built a modern and open ERP for Compliance that is helping our customers deliver continuous compliance automation within their organization so they are always audit ready.