CISO Desk Reference Guide: Chapter 2 - Regulatory Requirements and Audit
Bill Bonney
Cybersecurity Evangelist and Co-Author: CISO Desk Reference Guide (1 & 2)
The following excerpt is from the book CISO Desk Reference Guide, co-authored by Gary Hayslip, Matt Stamper and myself. It is taken from my essay for chapter 2, in which we discuss the various audit and regulatory requirements a CISO must address. This particular section covers what to do when you inherit a broken relationship with an auditor. Please enjoy.
Regulatory Requirements and Audit – Bonney
Fixing The Relationship with Your Auditor
As I mentioned above, these are trust relationships built on timeliness and transparency. I have listened to, and overheard, a lot of skepticism, distrust, and outright fear about how to interact with auditors, from individual contributors all the way up to senior executives. Some are worried they will get in trouble for doing something wrong. Some view the time spent with auditors as wasted, and the time spent gathering evidence and providing documentation as busy work. These attitudes produce behaviors that, purposely or not, obstruct the assessment process. In some cases, the auditors are assigned “handlers” to choreograph their activity, and process owners are coached to provide guarded answers and to escalate every question for which they don’t have a coached response. I have also seen the opposite, where inexperienced auditors bring poor time management, poorly thought out evidence requests, and negative, accusatory attitudes to an audit, putting everyone on guard.
This obstruction breeds distrust and adds stress. The distrust comes from the understandable belief that team members are trying to hide something they are uncomfortable exposing, or that minor failures will be misinterpreted or used to justify punitive remedies. The stress arises because an audit is scoped for a fixed set of resources (on both sides) within a fixed timeframe, and competing deadlines loom as less progress is made than was planned.
As you can imagine, this distrust and stress often create a dysfunctional working relationship. Requests for documentation start getting escalated. Escalated or not, documentation is hurriedly assembled and is often incorrect or incomplete. As operational demands take more of the participants’ time, “just get it done” replaces “do it right.” At some point in this downward spiral, “do whatever the auditor says to get this over with” becomes the unspoken (and sometimes spoken) strategy for ending the pain. The result is that auditors are put in the position of forsaking their independence, and process owners are forced to abandon their duty to perform the process in the way they believe yields the best results. Under these circumstances, management receives far less value from the audit, and the Board rarely gets an accurate picture of the state of the business.
So how do we fix this? Building the required trust starts well before the audit fieldwork begins. Management and the auditors need to invest the time to agree on scope, objectives, roles and responsibilities. It is important at this stage to surface the issues that will otherwise cause problems later. For instance, does the auditor have past experience with the organization that suggests timeliness will be a problem? Has management had experience with the auditor that suggests numerous poorly targeted requests will be made because the auditor does not understand the organization’s environment? Both of these problems are quite common, and both can be addressed.
How, you ask? Well, I’ll start by referring to an article, “Need Speed? Slow Down,” published in the Harvard Business Review in 2010 (Atkinson 2010), which looked at the results of pursuing operational versus strategic speed. The article states in part:
"Firms sometimes confuse operational speed (moving quickly) with strategic speed (reducing the time it takes to deliver value)—and the two concepts are quite different. Simply increasing the pace of production, for example, may be one way to try to close the speed gap. But that often leads to decreased value over time, in the form of lower-quality products and services. Likewise, new initiatives that move fast may not deliver any value if time isn’t taken to identify and adjust the true value proposition.
In our study, higher-performing companies with strategic speed made alignment a priority. They became more open to ideas and discussion. They encouraged innovative thinking. And they allowed time to reflect and learn. By contrast, performance suffered at firms that moved fast all the time, focused too much on maximizing efficiency, stuck to tested methods, didn’t foster employee collaboration, and weren’t overly concerned about alignment."
I’ve added the italicized emphasis.
By treating your auditors as partners and putting a priority on building a mutually trusting relationship founded on timeliness and transparency, you turn the audit process into a valuable tool: one that helps you keep the organization’s information systems and data secure, and that focuses management attention where it is most needed.
Chapter 2 Table of Contents
The preceding excerpt is from the book “CISO Desk Reference Guide”, written by myself and my fellow authors Gary Hayslip and Matt Stamper. The book is available in both electronic and print format on Amazon at https://t.co/Q7ZSdsEX5Z and through our website: https://cisodrg.com.
Global CISO and Head of IT Operations
8 years ago
Very realistic points to bring into consideration. There is a lot of benefit to effectively interacting and partnering with examiners to achieve the intended outcomes.
Bill, this is so great that you are sharing excerpts from the book; hopefully, it will draw more people to buy it and use it - with all the practical applications included. Kudos, again, to you, Gary, and Matt for getting the book written and published!
Chief Information Security Officer (CISO) / Co-Author: CISO Desk Reference Guide (1 & 2) / Co-Author: Data Privacy Program Guide
8 years ago
Bill, the insights in this chapter are spot on given how pervasive audit reviews have become with most organizations. Knowing how to prepare for and address auditors is a great skill.