Enron's financial auditors and management conspired against their investors.
The system that was supposed to protect against this kind of fraud instead worked against the people it was supposed to protect.
And there was hell to pay when the organizations collapsed and the fraud was exposed. The Harvard Business Review today makes the point that just because an auditor approves something, that doesn't always mean it's right.
Information security professionals, take a lesson from Enron: auditors aren't the sole authoritative voice, and they can be fooled or coerced just like anyone else. Too often internal and external auditors are trusted as the arbiters of what's right and wrong. But this can fail an organization if the executives don't understand what role the auditors should be playing.
Auditors serve as an important check on the system by assessing against a known framework. But there is always room for interpretation in any standard. That's especially true in areas where standards are evolving quickly or where a new field is opening up. That was the case for Enron with the "mark to market" strategy, and that is true today in Infosec.
How do auditors fail the organizations they serve?
Let's use the Payment Card Industry Data Security Standard (PCI-DSS) as an example. The PCI-DSS has done a lot of good over the years it has been around. But as IT, payment systems and threats have changed, it has had a hard time keeping up. As an instructor famously said in a class I attended, the DSS only changes once every two years; but the Security Standards Council (SSC) can change the meaning of the words they use at any time.
The PCI-DSS has also been heavily misinterpreted. The standard is meant to be flexible so organizations can find the right security controls, rather than blindly following what's written. However, many auditors stick staunchly to the standard, verbatim.
That means the company either has to jump through hoops to get their official compliance stamp, or can game the system to fit within the narrow definitions. Other auditors are so easily influenced or coerced by their client that virtually any control is deemed adequate.
And there's room for abuse of the standards, as well. Some audit companies are well-known for providing "clean" or "green" reports to their clients (sometimes those who spend above a certain dollar level), regardless of what the actual security looks like. Breaches have left several organizations wondering why they paid high fees to auditors who didn't find the security flaws.
So it's important to know how much to trust your auditors and what role they serve. You can't give them authority to make your decisions for you, but you can use them as advisers.
In the Enron case, their auditors had huge amounts of business in other areas, meaning there was a conflict of interest. In your organization the auditor may be trying to get a big contract, unseat a competitor, make a name for himself or whatever. In these cases the bad advice is almost always unintentional, but still present.
Probably once every month or two I speak with a high-level executive looking to hire someone to check behind their auditor. It's usually because the executive suspects one of the failures above. In reviewing the work done by the auditor I usually find that the executive's instinct is right.
How can you help your audit succeed?
Choose your auditors carefully and use the right process. I helped write the SANS whitepaper How to Choose a Qualified Security Assessor (PDF link), and there are other good questions to ask for choosing an auditor elsewhere.
But it goes beyond just choosing the right auditor; you have to have the right audit process in place. Here are some tips to avoid the pitfalls that got Enron into trouble:
- Evaluate Reputation. Not just whether they've done a lot of audits before, or whether all their clients pass, but whether they are perceived to have high integrity, technical capabilities and security knowledge. Don't get this from the auditor or their hand-picked references, ask around. Reputations follow companies and people and are spread quickly.
- Evaluate Skillset. Auditors falling too far toward leniency or rigidity often do so because they are not well-versed in IT and security. That means they don't understand the intent of the standards they're auditing against, which means they can't possibly give you good advice that goes beyond the letter of the standard.
- Oversight. Make sure there is good oversight of the auditors that are performing the work. This could be done by an internal audit group, a CISO or even a CIO. The point is that someone needs to make sure the work is not just done, but done right: thorough, accurate and independent.
- Use Auditors as Checks. Don't forget that auditors should be checks on what you're doing, they shouldn't be telling you exactly how to do it. They've often got a lot of good advice, but you have to weigh that advice carefully within the context of your business and your ethics.
But even going through a thorough due diligence process can leave you stuck with a bad auditor. That happens. But when it does, you've always got the option to get a second opinion. And I'll leave you with a great video on some signs you've got a bad auditor.
Cross-posted from Beau's Cybersecurity Blog