Tuesday, January 29, 2008

8 Questions to Ask Your Security Auditor

Here at Redspin, Inc. we get asked all sorts of questions, most of which can be answered with, "Down the hall, take a left, second door on the right." After that, here are the eight most important questions we think you should be asking your independent security auditor.

1. Are you an independent security auditor?

This is the most important question you can ask your security auditor. Are they a pure, independent auditor, or are they a company with something else to sell who also happens to do audits? You don't want a company that sells solutions to do your security audit, because the odds that they find a problem that their solution fixes just went way up.

2. Do you do real analysis, and provide useful reports?

Beware the security auditor that gives you a 100-page report. Quantity in no way signifies quality in a security audit. What you want from a security auditor is a thorough report that focuses on issues that are relevant to you. Any security audit can find 100 trivial problems. You want an audit that tells you which 5 issues are important.

3. Do you have a quality team?

Consulting firm guys straight out of college are useful for some things, but understanding complicated computer networks and the vulnerabilities associated with them is best left to dedicated security engineers.

4. Hey, aren't you the guys who sell us our IT?

Don't hire the same guys who set up your system to audit your system. As much fun as it would be for them to grade their own work, you probably won't get the most honest results from them. Be especially wary if they say that a separate branch of their company does the security audit, and yet another separate branch of their company offers solutions. This is what we like to call a "perfect storm of subjectivity."

5. Do regulators like you?

Mostly this matters if the answer is no. Otherwise, it's a nice thing if the company doing your security audit is recognized by regulators as one that does excellent work, because they're much more likely to give you the quick okay.

6. How much do you cost, and why is that more/less than other firms?

You can pay a little, and have a guy run an automated tool that looks at everything indiscriminately and checks off some boxes. You can pay a huge amount, and get a few guys in suits from a consulting firm where this isn't really their focus; again, they're just there to complete a checklist. What you want is an independent security auditor who takes your business seriously, understands it completely, and can help you prioritize security risks and vulnerabilities in the context of your business.

7. Why do I need a security audit?

The easy answer is because a regulator is making you. The harder question to answer is "Why do I need a good security audit?" The answer to that depends on what industry you're in. It's obvious that industries like banking, casinos and e-commerce are especially attractive to mischief, and would want to make sure that their networks are completely secure. If you're running an on-line palm reading business, maybe it's not as big a concern.

8. Have you ever done a security audit before?

Experience counts. Make sure that your security auditor has done a number of audits, and check with some of the companies they've done audits for to make sure that they do good work.
