Are you the security specialist for an organization, or the owner of an IT organization that faces continual security audits? Such audits can feel like a nightmare, since they can bring your work to a halt if they find serious security issues in your network.

Failing security audits

If you somehow never fail a security audit, there are only two possible explanations:

  • Your security is actually perfect.
  • The audit team did not try hard enough to breach your network.

Audits are a friendly exercise that helps you understand the weaknesses in your systems, and they must be taken seriously. Frankly, you should expect to fail at least part of any thorough audit, because there is no such thing as a perfectly secure network. It just doesn’t exist!

Are security audits useful?

A study found that 36% of the companies surveyed had suffered actual security breaches, while only 15% had failed a so-called friendly security audit. In other words, real attackers are finding weaknesses more than twice as often as the audits are. That is how important a proper security audit is.

According to a 2010 report from the Government Accountability Office (GAO), security incidents reported by federal agencies have increased by 650% since 2006. That is simply alarming.

“Reported attacks and unintentional incidents involving federal systems and critical infrastructure systems demonstrate that a serious attack could be devastating. Agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices,” the GAO stated.

Yes, it is good to fail security audits

Companies should be failing audits, whether internal or external, far more often than they suffer breaches. The fact that few companies are failing any audits should be cause for concern, not celebration. I would celebrate if no companies were suffering actual security breaches, because then we could assume the audits were working: uncovering problems so they could be fixed before they became breaches. Unfortunately, it seems that audits are not thorough enough, consistent enough or “hard” enough.

To summarize: security audits are a friendly way of finding issues in your network, and it is good if you fail some of them. At least you will learn about the issues that were left over or overlooked in your network. What is the point of passing a security audit if you later fall prey to a real network attack?

My point is this: failing an audit and then learning from that failure is a better option than losing important data to the bad guys! True? Is it good to fail security audits?