Top 4 Myths About Cybersecurity Compliance Assessors: How to Build a Successful Auditor Partnership That Enables Your Business
Blog Article Published: 07/17/2023
Originally published by Coalfire.
Written by Kylene Bowman, Director, Coalfire.
Managing change is a challenge in any market, and the information security industry is no exception, so it is no surprise that enterprises are pressured to adjust their compliance strategy at the same pace. When audit time comes around, product and internal compliance teams often walk on eggshells, fearing what their assessor may uncover. Wouldn't it be better to consult with your assessor and plan your compliance approach proactively?
Key takeaways:
- Your assessor is your partner; leverage your assessor as an asset to your organization to enable better strategic planning and efficiency.
- Communication and transparency with your assessors are key to achieving optimal outcomes for your compliance organization.
A common misconception is that external assessors are out to get their clients. In practice, compliance assessors can be your allies, not your adversaries. Many organizations don't realize that their compliance assessor has their best interest in mind and is looking to partner with them to help solve their security challenges and enable their business objectives.
Unfortunately, many organizations default to an outdated, closed-door approach to working with an assessor or auditor. Why is that? In this blog, we discuss the top four assumptions that hold organizations back and offer perspective on how to recalibrate an assessor relationship so that it fosters innovation and collaboration.
Top four assumptions about cybersecurity compliance assessments:
Assumption #1 - “We shouldn’t let assessors know about changes in our business until they happen.”
Reality: Trust, transparency, and planning are crucial for success. A lack of trust and communication with assessors is a common reason why assessment engagements go sideways. If there is even a chance that a change in your business is imminent, it is in your best interest to disclose it to your assessor as soon as you can. Relevant changes include organizational restructuring, layoffs, changes in technology stacks, business re-prioritization, resource constraints, urgent customer contract changes, and delays in assessment readiness. Assessors know how such changes affect the assessment process (scope, sampling, evidence periods, and timelines), so keeping them informed lets them accommodate the change and build a contingency plan that prevents costly delays and issues down the road.
Planning is critical, as assessment fatigue and delays are some of the most common challenges for organizations. Full transparency enables your assessor to plan appropriately and help you reach your compliance objectives.
Helpful Tip: Execute a non-disclosure agreement with your assessor at the start of the relationship, before the engagement begins, so that you can share this information safely.
Assumption #2 - “If my organization is too open with assessors, it will cause unnecessary findings.”
Reality: Unnecessary findings are avoidable, and avoiding them comes back to adequate planning for the assessment. The goal of preparedness is to make sure that all documentation is internally consistent and that actual practice matches what the documentation says. If your organization is prepared to address risks within a concrete scope that is backed by supporting processes and documentation, the likelihood of unnecessary findings decreases. You can work with your auditor or assessor much as you would with an internal team. The one difference is that they are required to maintain objectivity and remain independent of any control design or implementation activities within the information security organization that falls under the assessment scope.
Helpful Tip: Select an assessor that can demonstrate technical depth in the technologies that exist in your environment. Not all compliance assessors have the same specialties.
Assumption #3 - "We have an internal compliance department to predict assessor judgment, so why should we interact with the external assessors outside the assessment timeframe?"
Reality: External and internal assessors exercise judgment that can't be "predicted." The purpose of an internal compliance team is to be the first line of defense and an advocate for the organization, not a catch-all function. Compliance management requires a certain level of judgment, and internal and external compliance assessors have different responsibilities and answer to different governing bodies, which in turn shapes how they exercise that judgment.
Internal compliance teams are accountable to their organization's board of directors and other business oversight bodies, which focus on business priorities and the bottom line. External assessors are accountable to the oversight and accreditation bodies behind the standard being assessed, which is why their conclusions cannot simply be anticipated from the inside and why engaging them early, rather than only during fieldwork, pays off.
Assumption #4 - “Sharing too much information or asking an assessor for guidance may impair independence.”
Reality: Objectivity is the name of the game. An external assessor's role is to be an objective, independent third party whose work is subject to external oversight, for example by the American Institute of Certified Public Accountants (AICPA) for SOC reports, or by accreditation bodies that operate under International Organization for Standardization (ISO) requirements for ISO certifications. Assessors can take a strategic, tailored approach to the assessment while maintaining objectivity and independence. Independence restricts what an assessor may do (they cannot design or implement your controls), not how much you may tell them. Planning well, and asking how a requirement will be interpreted, does not hinder an assessor's ability to remain objective when reviewing evidence and evaluating results.
Build a bridge to a successful cybersecurity compliance assessment process
The false assumptions outlined above can hinder the success and efficiency of a compliance assessment. So how can you run a program that avoids these common pitfalls? The answer is simple: trust your experts.
On the surface, it may seem that internal compliance teams and external assessors have competing priorities; in reality, they share the same goals:
- Maturing the organization's security posture
- Creating new revenue streams
- Building customer trust
Shifting the perspective from a “vendor relationship” to an “assessor partnership” is key to achieving the value and efficiency leadership demands from compliance teams.