After the report, “The Secret World of Compliance Auditors”, was released by Dark Reading and included input from members of the auditing team here at Coalfire, we delved into a discussion around the water cooler about the most effective and successful relationships we have with our clients.
Our clients that don’t see us as ‘the enemy’, but as a knowledgeable resource, are the ones who benefit the most from our consultative services. We view our compliance projects as not only a way to help clients become compliant and maintain compliance, but we take it a step further. We help them look at the ‘bigger picture’ when it comes to their IT infrastructure and how it fits into their business processes as a whole in order to increase efficiencies – resulting in time and cost savings.
The article highlights the importance of compliance as it pertains to how it leads to a more secure posture and can even help organizations gain a competitive edge. It also brings up the importance of using an independent auditor; simply stated – independence matters. Ideally, your auditor partner should not sell security solutions, nor get paid by those who do. Recommendations should be vendor-neutral and, most importantly, 100% focused on your best interests. Your auditor should help you understand the IT risks you face, provide alternative ways to manage those risks, and help you demonstrate compliance with the standards and regulations that affect your organization.
The report also points to the benefits of using highly-credentialed auditors. There are several general
IT security certifications that the individual auditor should have, but it’s also important to consider the industry-specific credentials of the auditor and their company. Examples are: HITRUST for healthcare, 3PAO for federal government entities (and organizations who do business with these entities), and the PCI DSS for any organization that stores, processes or transmits credit card data.
The required technical expertise coupled with highly-developed people skills and industry experience, PLUS patience and thoroughness makes for an outstanding auditor. Overall, we think the article is spot-on when it comes to the relationship between auditors and their clients. It clearly explains the important issues of who compliance auditors are, what they are looking for, and how you can work together with your auditor to complete a successful audit.
If you missed the article, click here to access the full report.