How To Respond To IT Security Audit Finding


Do you like to hear from your auditor?

Let’s be honest: few managers look forward to receiving IT security audit findings. If you have put off reading these reports, you’re not alone. They require work to address, and they sometimes make you look bad. That’s the traditional mindset toward IT security findings, and if you view audit reports that way, you will only make your life more difficult.

Better Than a Hack: The New Way To Look at IT Security Audit Findings

No organization has perfect IT security. Every month brings new application updates, and new hacking tools are continually being developed. Keeping pace with all of these developments is difficult, even with a well-resourced IT department. Once you admit your company has IT security gaps, you realize that there are two ways to discover those shortcomings.

You can discover IT security problems internally, or have them pointed out to you by an external event. Let’s consider both options. When you learn of an IT security failing through an external event, you will face painful questions from management, the news media and customers. The only upside of this highly public way of discovering problems is that it becomes easy to get more resources and budget to fix them. The downsides are considerable: you have to spend time and effort on damage control, your reputation takes a hit, and you will probably lose customers.

In contrast, finding IT security weaknesses internally gives you the opportunity to fix problems before they become a public embarrassment. From a management perspective, you have the luxury of thinking the problem through carefully before deciding on a plan of attack. That is valuable because you can act comprehensively rather than racing to close a single gap.

From Audit Report To Improved Security: The Step By Step Plan

Now that you see the increased value in your IT security audit findings, let’s walk through the process of putting them into action. For this guide, we will assume you are the manager or accountable executive (AE) receiving the findings.

1) Verify The Evidence For Gaps

IT security auditors do not know your business as well as you do, so they may miss some of the IT security controls and systems you already have in place. We therefore recommend reviewing a draft version of the audit report with the auditors and checking whether any evidence is missing. You may be able to eliminate some audit recommendations by providing additional evidence of existing controls. This step matters even if you fully agree with the findings, because it helps you understand their nature and severity. Use it to clarify exactly what the auditors will need to see to close each issue.

2) Accept The IT Security Gaps

In this step, take responsibility for the IT security audit findings. The only exception to consider is whether some findings fall within another executive’s area of responsibility; if so, agree on that transfer of ownership explicitly rather than leaving the finding unowned. Taking this step shows your department that you take IT security audit findings seriously.

3) Consult Your Stakeholders For Support

In many cases, resolving an IT security audit finding takes a team approach, so reach out to the other stakeholders involved. For example, resolving an identity and access management finding may involve both IT and HR: with HR’s support, you can develop training so that managers know how to supervise the access rights of their staff.

Tip: Need help winning HR support for your project? Check out the tips in our previous article: Win HR Support for Your User Provisioning Project in 5 Steps.

4) Appoint a Project Manager To Lead The Resolution

As a department manager or executive, you may find some IT security audit findings too time-consuming or complicated to resolve on your own. In that case, engage a project manager to lead the remediation effort. For example, if an audit finding requires you to overhaul your single sign-on (SSO) solution, assigning a project manager makes sense. For smaller, less complex issues, ask one of your leads or managers to own the resolution.

5) Report Back With Your Management Action Plan

Working quietly on your IT security audit findings is not enough. You need to demonstrate to the audit group and your executives that you are acting on them. Together with the project manager, develop a management action plan to resolve the findings. In many cases, a one-page overview of your planned approach, the owner and the target date for each finding is adequate. Keep in mind that open audit findings, especially severe ones, will be reported to your company’s Board of Directors.

6) Monitor The Action Plan As A Project

Once the plan is in motion, your work is not yet done. If the action plan takes more than 30 days to implement, review progress regularly; depending on the severity of the finding, choose a weekly or monthly reporting cadence. If the remediation project falls behind, take the time to understand the reasons for the delay and communicate them, along with the revised dates, to the audit group.

How To Avoid Future IT Security Audit Findings

The process we have outlined will help you respond quickly and effectively to IT security audit findings. What if there were a way to avoid them altogether? Alas, we cannot promise that. However, there are two strategies you can use to manage IT security more proactively, which makes audit findings much less likely. First, meet regularly with your organization’s auditors and ask them about the trends they are seeing; this will help you spot emerging risks and problems in the organization before they surface in a report. Second, free up capacity in your IT department by using an IT security chatbot. With just a few hours freed up each week, your team can take a more proactive approach to IT security.

Written by Nelson Cicchitto