As seasons change, so do the priorities for IT and security leaders. And now, audit season is upon us.
For many, this year’s audit will be the first since the world has somewhat settled into a fragile post-COVID rhythm. Over the past two years, your organization has likely scrambled to enable digital, remote business in any way possible — by over-permissioning users and devices, adopting a host of new tools, and creating policies on the fly (or, if not policies, loose ground rules).
Now, as the time comes for official documentation, you may find yourself asking, “Wait a second… what have we done?!”
As a CISO for 15+ years, I know the challenge of a security audit. While they often feel daunting, audits provide the perfect jumping-off point to take stock and correct the decisions made during the survival-mode period from which we are all emerging.
This is especially true if you’re able and willing to address the issues in your infrastructure that aren’t always easy (or compliant) to talk about.
First, let’s recognize that there are plenty of bad ways to perform an audit.
If the audit is simply a box-checking exercise, it will ultimately waste your precious resources.
If the audit is performed to give false confidence about the business’s security posture, it will not capture the most pressing vulnerabilities, nor will it provide a full, realistic picture by which to make broader strategic decisions.
Recently, a CISO I know conducted their first internal audit. When the findings were presented to the rest of the C-Suite, they were aghast at the amount of red in the report.
“What happened?” they understandably asked.
The previous report had been much more green and yellow. But it turns out the previous CISO had been massaging the data to create a more favorable impression. Which do you think is worse?
Red isn’t always bad. Red is real.
At least, that’s how a smart CISO perceives and conducts an audit. For the CISO in this particular situation, the audit became a baseline for the progress the team would make. Over several months, the red gradually gave way to yellow and green. The audit provided a trail of improvement that demonstrated the CISO’s effectiveness and value – and, of course, genuinely upgraded the security posture of the organization.
No matter how bad the situation is, reality is never the enemy. Without it, you can’t create or implement a plan to actualize the future state of your organization.
The popular, and unrealistic, digital transformation narrative doesn’t help. There are those out there who would lead you to believe that an S/4HANA migration can take place overnight or that a complete rip-and-replace of your security controls takes no more work than turning a printer off, then back on.
But a good audit sees it all.
As you conduct your audit, here are a few areas of risk that you’re likely to find.
Nearly all organizations use one (or many) legacy or homegrown applications – and they’re often critical to business operations. These systems are either too complicated, too disruptive, or too expensive to modernize or replace. Doing so would be like changing a punctured tire while driving down the freeway. Sure, stopping to change the tire feels like an obvious move. But an enterprise organization isn’t a car.
Pressing pause on your business in order to conduct upgrades simply isn’t possible. In some cases, suspending operations would affect the entire economy. Can you imagine if a large national bank just stopped for three months to upgrade their mainframe?
Huge organizations don’t become giants overnight. It takes years — decades — to reach enterprise proportions. The situation they find themselves in (re: dependence on legacy systems) isn’t a mistake. That’s just how it goes.
Think of the most innovative new company making waves in today’s environment. In 20 years, they’re bound to have some legacy systems of their own, and they will likely be the very systems that feel cutting edge today.
While the security and success of the business is everyone’s responsibility, security teams are overly eager to gripe about the carelessness of users in other departments. But here’s the reality:
While security may be business-critical, it is not market-critical. That is, for most companies, security is an assumption rather than a benefit. A smartwatch company doesn’t sell its products on the basis of being unhackable. It sells based on cool features and the benefits those features enable.
Users are not lazy — they are busy. Just like you and your team, they have projects to complete, deadlines to meet, and results to answer for. Taking extra security steps costs them time, clicks, and context switching. That’s why they resort to bad security hygiene like account-sharing and weak passwords.
Instead of taking an adversarial view of users, remember that you’re all on the same team. In today’s innovative era, forward-thinking security teams support and enable business users to work at a higher level rather than just put bumpers around their unsecure habits.
If your team is creating security processes that depend on users without understanding those users, your efforts won’t deliver as much value — speed and security — as they could. From an audit perspective, understanding your users will help you turn red items to yellow and yellow items to green with greater efficiency and impact.
Because let’s be real: The best way to secure user behavior is to take security out of their hands as much as possible. No matter how tight your controls may be, if their processes are too complicated or diminish the user experience, users won’t think twice about circumventing them. Then, you’re back to security square one.
It’s unfortunate but true. Virtually all security vendors require organizations to trust one entity: themselves. Completely contrary to the principles of zero-trust, these vendors risk becoming a universal point of failure for your entire zero-trust framework.
For example, many Zero-Trust Network Access (ZTNA) vendors decrypt customer traffic in their cloud. If the vendor is compromised, the impact will be felt by thousands of their users. In a related security space, Okta, the biggest name in identity management, recently suffered a breach because they required customers to trust them.
Even if they could implement true zero-trust, these vendors couldn’t solve the problems that come along with it.
Their model of zero-trust comes with a lot of friction.
Zero-trust verifies identity at every transaction, rather than at the network level. For a user, working in a zero-trust environment is like living in a house where every door, window, drawer, and closet has its own key, and they have to use that key every time they want to open one.
They can’t extend zero-trust to legacy applications.
When it comes to those impossible-to-modernize apps we talked about earlier, many vendors tend to throw up their hands and say, “Upgrade it, then we’ll secure it for you.”
Zero-trust means zero exceptions. If a vendor can’t secure everyone, everything, everywhere without violating the mantra “never trust, always verify,” then they are not providing zero-trust security.
This is precisely why I teamed up with two ethical hackers to form Cyolo, the only identity-based platform on the market that customers don’t have to trust. We don’t even know our customers’ passwords.
Cyolo meets customers where they are, laying over existing processes and tools to enable real zero-trust without disrupting the business.
Cyolo lets you tailor access by role or individual.
Users log into Cyolo through multi-factor authentication (MFA). After their identity is verified, they can work securely, from anywhere, without having to log in every five seconds.
Cyolo easily retrofits legacy systems to enable modern security best practices and protocols, including MFA and single sign-on (SSO).
With Cyolo, you can secure everything, everyone, everywhere and achieve true, usable zero-trust.
In the wake of the 2020 SolarWinds attack, U.S. President Joe Biden signed an executive order requiring federal agencies and contractors to adopt multi-factor authentication and data encryption for data at rest and in transit. The White House gave these organizations six months or so to extend these practices agency-wide.
Non-federal agencies should still take note. Often, sweeping federal regulations ultimately become the bare minimum for the private sector. The regulatory environment will only intensify in the coming years.
Meanwhile, cybersecurity insurance requirements are coming into a more granular focus. Organizations without MFA and other basic best practices face much higher premiums, if not outright denial of coverage.
So this year, embrace your security audit as a starting point for a more secure future. At Cyolo, we’re here to help. Watch this short video of my top audit tips or read our ebook on the top 5 overlooked areas to cover in your next security audit.
Author
Almog Apirion is CEO and co-founder of Cyolo. He is an experienced technology executive, a "recovering CISO," and the founder of the Israeli Navy Cyber Unit. Almog has a long history of leading the cybersecurity and IT technologies domain, with a background that includes building and securing critical infrastructures at large organizations, and leading teams to success.