Listen, Trust and Verify
David Mantock, Chief Information Security Officer

One of the many benefits of working as a cybersecurity specialist is the diversity of people you can engage with. This is so important if you want an effective security program that sits alongside the business to ensure that business objectives are met in a secure manner. So, the reality is that there needs to be a strong foundation of trust between the various stakeholders so that collaboration can flourish. Trust is built when there is transparency and when expectations are clearly defined. A necessary tool in business is the audit process, and in cybersecurity even more so in these pressing times. Sadly, there is often resistance to the audit process and, just like a visit to the dentist, the apprehension and fear often obscure and even completely hide the benefits. So, my question is: what do we believe in? Is prevention better than the cure, or would we rather pull teeth than save them? If you like having teeth pulled with no anesthetic, please stop reading; this article is not for you. If, on the other hand, you like to avoid pain and inconvenience, please read on. Everyone knows how audits work, but often forgets that some pre-audit ground rules can really smooth the process. Specifically, we are talking about managing expectations. So, in the context of audits, it is most important to LISTEN, TRUST and VERIFY.

"When you speak, you only repeat what you already know, but when you listen, you can learn something new." Dalai Lama

The clarity and transparency that are so vital to building trust must be established early in the process. Here is what experience and Professor Google have taught me:

- Be clear about communicating the audit benefits, e.g. "This audit will show what a good job department x is doing and, with your cooperation, will make you even better!"

- 5 things you should not do:

  - Shoot the messenger. Overcome the natural temptation to see the auditors and authors of the report as enemies to be fought and disproven.
  - Ignore the audit findings or delay in acting upon them.
  - Minimize the security findings.
  - Simply accept all findings and move on without truly understanding or properly addressing the weaknesses.
  - Give cybersecurity audit finding action items a low priority.

- 5 things you should do:

  - See the positive side of audits as a health check. See audit findings as a part of a healthy cyber ecosystem.
  - Work closely with the auditors.
  - Build long-term, positive relationships with internal and external auditors to improve on weaknesses.
  - Build an audit action plan.
  - Learn from others' audit experience.

I promise you that these guidelines, diligently applied, turn audit pain into audit gain. It is good to trust, and even better to listen, trust and verify.