S3 E39: How to Complete InfoSec Audits Faster
Transcript
Jordan Eisner
Welcome to another episode of... I should call it the Brandon Breslin podcast. Should I even call it Compliance Pointers?
Brandon Breslin
Oh yeah, no, it’s the Jordan. It’s the Jordan Eisner podcast. You are the hero of this.
Jordan Eisner
I’m just a mouthpiece. Yeah, I had a client tell me that one time. I was asking them at a dinner, hey, what made you select CompliancePoint for this project? And he goes, well, Jordan, you were a great mouthpiece, but really it was the experts that you introduced. So since then, I’ve just owned it. I know it. That’s who I am. I’m a mouthpiece.
Create the platform for you guys so.
Brandon Breslin
There you go. Well, I appreciate you having me on again.
Jordan Eisner
Yeah, absolutely. So for those of you unaware, our viewers and our listeners, Brandon Breslin is the Director of our Security Assurance, or Assurance for short, here at CompliancePoint, one of our three main focus areas. And within Assurance,
we’re helping organizations prepare for, you know, remediate perhaps where they’ve got gaps, and ultimately validate, attest, certify against frameworks such as PCI, SOC 2, ISO 27001, 27701, 42001,
HITRUST e1, i1, r2, the list goes on and on and on. So high familiarity with information security frameworks and control practices and governance, and how, you know, ultimately to demonstrate to external parties
that organizations have good controls in place. Now the topic today is, you know, you did a blog post recently, Brandon, about five ways to save time on your InfoSec audit. So our topic really is how to do faster InfoSec audits while
Brandon Breslin
Yeah.
Jordan Eisner
Not losing quality, right? Consistency and not missing the force for the trees in terms of just trying to do a check-the-box exercise that we’re rushing through, but still, you know, evaluating security.
Brandon Breslin
Right.
Jordan Eisner
And management programs for governance, right, but.
Brandon Breslin
It’s a key component, no doubt. Yep, key component.
Jordan Eisner
On the same side with emerging technologies, AI automation, other, you know, advanced advances and evolvement of these frameworks and how we’re working with each other and systems and technologies.
Brandon Breslin
Right.
Jordan Eisner
There’s room to get better, and so that’s what your post was about, and that’s what we really want to dive into today from this podcast standpoint, so.
Brandon Breslin
No doubt.
Jordan Eisner
Put you on the spot here a little bit. You’ve already written it, but can you just say what the five ways were first, and then let’s break them down.
Brandon Breslin
Sure.
Yeah, you know, I... well, pulling them verbatim would be tough. I’d probably need to pull the blog back up. But the gist of... Yeah, no, you’re totally good. The gist of it is that, you know, you really... what you just hit on, right? You want to centralize your evidence. You want to have a tool or some
Jordan Eisner
Yeah, a roundabout paraphrase.
Brandon Breslin
GRC function to be able to organize your evidence. You want to prepare your teams in advance. You don’t want to be surprised by an audit, right? You don’t want it to ever be something that your team is blindsided by. You wanna have kind of that continuous readiness mindset, if you will.
Promoting security is a continuous process, right? So that you’re not, it’s not a one time compliance effort, it’s integrated into your processes as an organization, right? I mean, we’ve talked about it on this podcast many times that.
Security should never be, you know, kind of the afterthought, right? It needs to be the forefront. It needs to be part of the organization to its core competency. And then I believe the last one was around collaborating with the auditors, right? So having, you know, conversations, right? Being proactive, not reactive when it comes to assessments, right?
Think of.
Especially, you know, as CompliancePoint, for example, our methodology, our mentality is to be an audit partner with you, an assessment partner. We’re not a true, you know, audit firm that comes in and just checks the box, right, and says, oh, compliant or not compliant. That’s not our mentality. We want to work with you hand in hand and evaluate your program, understand your compliance methodology so that we can get you into a more robust and secure position in the organization, right? Have a more mature model in the organization. So I think that’s kind of the gist of the five areas, but I would say the one big takeaway from that blog post is what
you hit on earlier, the emerging technologies. We are now in an age where you cannot continue to do manual methods. You need to embrace technology if you have not already, and I’m not saying go out and buy a GRC tool immediately, but you do need to have some type of technological capability
when it comes to managing your compliance program, managing your controls, managing the frameworks that you’re going to be evaluated against later in the year, right? Understanding where all your evidence is. You know, what’s your architecture? What are the diagrams, inventories? Where is all the evidence that you’re going to need to pull for the audit?
That it’s in a central repository or easily accessible. And then the last piece is having communication and collaboration with your own team, not just the auditors, right?
Jordan Eisner
Well done. We can wrap.
Brandon Breslin
Perfect. Sounds good. Y’all have a good rest of the day now, yeah.
Jordan Eisner
All right. Thank you. Now the audience knows what we’re about to get into. So let’s get into a little bit, make sure I do these in order. So correct me if not. So the first thing you said was centralization, standardization of your evidence, so.
Brandon Breslin
Yeah.
Jordan Eisner
Tell us about that.
Brandon Breslin
Yeah, I would say the biggest time spend is manual pulling of evidence, right? And manual searching for evidence, right? You want to have, like what I was starting to talk about, the architecture piece. If you’ve got your evidence, or if you’ve got your architecture, your environment in AWS, right?
Right. That’s a great starting point, but then you have at least one location, or even if you have multiple VPCs, right? You want to have a central repository where you can pull a lot of the configurations for systems that may be selected for sampling, for example, or more on the audit and process side, having an intranet or a central repository
for all of your policies and procedures, right? Easy locations, or at least known locations, to pull evidence from. Again, a GRC tool will increase the capability and improve efficiency in all of these areas. So we can add that lens onto each of these. So let’s say for centralizing and standardizing evidence,
if you have a GRC tool, right, Drata, Anecdotes is one of the, you know, capabilities out there, you can have all of that evidence already pre-stored in the control that it needs to be in, so that when it comes time for the audit, you can just present that evidence very easily
for the control that’s being asked about, right? Most of these frameworks are not unknown, right? You can search, you know, the PCI Standards Council on Google and find the requirements. So it’s not like it’s unknown, right? Sure, with SOC 2 or HITRUST you may have custom controls.
However, for most of these frameworks, you already know going into the audit what you will be asked. You may not know the sample selections, but you know at least what will be asked from a, you know, regulatory standpoint.
Jordan Eisner
Gotcha. OK. And then you were touching on leveraging AI. It’s got to come up every podcast. For evidence collection in particular, I think that’s pretty straightforward and the audience probably gets that. What sort of specificity or examples or particulars could you give on that?
Brandon Breslin
Yeah, no doubt you can leverage AI. Yeah, absolutely.
Sure.
With regards to AI, yeah, I would say first evaluate the risks. Similar to one of the other podcasts that we did on AI is evaluate the risks of the organization. Understand first if there’s an appropriate tool that the organization feels comfortable with, the executive management, senior management feels comfortable with once you’ve established a tool or multiple sets of tools they’re comfortable using. Then the next step is, OK, how do we apply this to our control set? How do we apply it to our architecture, our organization as a whole? Where do we want to plug AI into, right? Looking at every single facet of the organization holistically and saying, OK, where can we leverage AI for this? Where can we incorporate AI?
Into this to start saving time, improving collaboration, you know, you know, improving efficiencies, right? Kind of going hand in hand with saving time there and then also having better audit prep because if you already are leveraging AI to pull a lot of this evidence for you, that also saves you time and.
Allows you to sleep better at night, knowing that you’re ready to have that audit right.
Jordan Eisner
Gotcha. OK. How can businesses prepare their teams in advance in touching on some of the ways to speed it up?
Brandon Breslin
Sure. I don’t know if you saw the Gartner skill sets needed for 2030. I believe it’s every five years they publish a new version. Maybe it’s more often now, but it used to be every five years, and in the skill set for 2030, of course, there were AI-related ones out there, using, you know, generative AI
skills and things like that. Modeling, predictive modeling. However, a core element that’s still on there, that if you go back multiple decades is always on there, is communication. It comes down to communication with your team. Effective communication, not just communication, right? Ability to really get your point across to the team. Hey, this is not just an audit, it’s an integral part of our organization. It’s a way for us to improve our security posture. You know, allow us to move the needle forward in the organization, right, from a security standpoint, from a compliance perspective.
So getting them on board, I think you have to have your team bought into the process. If you have the mentality as an organization of all the auditors coming in, you’re already setting yourself up for a negative experience no matter who you work with. And you’re also creating friction with your team, right? So you want to have that mentality of.
The assessors, the auditors coming in are going to improve the process for us, improve the posture of our security program, right. So having that mentality allows you to come in and say we want, we’re open ears, we’re open eyes. We want to hear what you have to say and give us guidance, give us, you know, give us new perspectives that maybe we haven’t seen in our.
an internal audit program, for example, right? That’s kind of the beauty of an external audit, where you can see different perspectives, right? So having that mindset, I think that’s the core fundamental piece from the beginning. You’ve got to have the right mindset before you go into an audit. And then if you’re a leader on your team, or a strategist, or somebody on your team that maybe has some influence in the organization, you know, rally the troops, if you will, right? Make sure everybody’s on the same page before the audit starts. Make sure everybody’s aware of the objectives, what to share, and maybe what’s more confidential for the company that’s not relevant for the auditor, that could result in scope creep, right? Of course, don’t hold anything back that would be
Relevant to the audit, but keep the focus on what the audit is, the task is at hand for that specific framework.
Jordan Eisner
And this next one goes hand in hand a little bit because communication will be very important as part of this, but also just acceptance of I would say.
Status quo, but in a good way like hey status quo is that we are audit ready. We are you know continuous readiness mindset and you got to communicate and train on that and that has to be part of the culture but.
Brandon Breslin
It does.
Jordan Eisner
Aside from, again, that on the surface level, what beyond that do you mean when you’re talking about a company adopting a continuous readiness mindset?
Brandon Breslin
Yeah, I would say it’s shifting away from the, oh, it’s quarter three of the year, the auditors are coming in, it’s audit season, right. Moving away from that mentality to, oh, these are our controls that not just security, but every department has to be, you know, compliant with, and they follow them and they know them and they are
part of their daily life when they’re at work, right? Like, you know, take anti-phishing for example. You can put as many anti-phishing controls as you want in the organization, but humans are always going to be the weakest element of security. If they still click that link, your control may fail, right?
Or if they still divulge information via social engineering, your control may fail from a technical standpoint. So you have to look at it from a technical and operational perspective. So people are always going to be the weakest element of security. So you have to start with the mindset of shifting the mindset of getting people on board with this is our program. This is how we’re going to improve the program. And these are the steps that we’re going to do to get there before you go into the audit so that there’s not a mentality of, oh, it’s the auditors here again. They just want to check my work and see if I did a good job or not, right. But it’s a completely different mindset.
Jordan Eisner
Yeah, OK.
Brandon Breslin
And I guess I could add on more too as I’m talking out loud, kind of thinking about it. If you have the mentality of, OK, this is our integral part of our culture and our program, then when you have the assessor auditor come in again, you think about them as an opportunity to learn and grow and here because they have a lot of industry.
They see different assessments in different environments, so they have the opportunity to give you some better guidance around your program, especially if you’re the security professional or if you’re a one person IT shop, right? Or a two person IT shop and you want to gain some more knowledge. It’s a great opportunity to gain knowledge.
I also think it’s just having it as the forefront, right? Like what we talked about in the beginning is when it comes to security, right? The small things when you walk away from your desk, blocking your workstation, having a clean desk, right? Don’t click on the links that are unknown to you, right? Having that immediate second guess of yourself before you do anything.
Right. Is this action, you know, impactful to somebody else or to the organization in a negative way? If so, then it’s probably not the best security practice.
Jordan Eisner
Yeah. And you know, as you go through these.
Each of them kind of bridges to the other, which is interesting in the way you put it together. So job well done on you. So the bridge to the last one you talk about, when the auditor comes in, if I’m in the constant readiness model, continuous audits, if I’ve been communicated to.
Brandon Breslin
Thank you.
Jordan Eisner
You’re right. You can look at it as an opportunity to learn and get better and grow and improve your organization. So you talk about collaboration with auditors. Perhaps that’s part of the importance, but perhaps also at the same time, it’s also greasing the track.
Brandon Breslin
Yep.
Jordan Eisner
To make communication easier, to make constant, you know, continuous readiness easier if you’re just that lockstep with your auditor too and looking at more as a partner than lowest cost provider that’s going to come in and just check the box and can’t really be bothered outside of.
The the frame of the audit, so.
Brandon Breslin
Yeah, perfectly set.
Jordan Eisner
Yeah, I was about to say, you know, play that back for me and say, hey, yeah, Jordan, that’s it, but I’d add this or consider this a part of that too.
Brandon Breslin
You hit the nail on the head. It’s having that, if you have that partner mentality, which again, I know we’re biased because we’re at CompliancePoint here. That’s the mentality that we take, right. We take the approach of we are a partner, we’re hand in hand. We want to grow with you. We want to establish where your security posture is now and where you’re trying to get to in one year, five years,
10 years down the road, right. It just allows you to have a more forward-looking mentality, allows you to have more of a partnership approach instead of the traditional, I’m going to check over your work as I’m an auditor, right? Of course we still do that on paper. However, that’s not the approach that we want to take.
Jordan Eisner
Yeah, OK. I think that puts a bow on it. Appreciate your time, and for our audience, I would say you probably guessed it based on the way we talk about CompliancePoint, but you know we are the sponsor of Compliance Pointers, this podcast, also known as the Brandon Breslin podcast.
Of course we’re fans of ourselves, and of course we’re going to promote our brand and our services here. And so if any of these five areas we’ve talked about on this podcast or in the blog are areas that you feel that your program could use some enhancement in, or that you’re lacking in, or maybe it’s more than one,
And you want that unified approach to your audit cycle to get it done quicker, to learn and grow from the audits as opposed to it being a nightmare, you know, hamster wheel cycle. Reach out, you know, come through many of our channels. You can call in phone numbers on the website. You can e-mail us at connected@compliancepoint.com.
Brandon Breslin
There are.
Jordan Eisner
Lots of articles and materials to check out and learn from. So we hope to hear from you and we hope that you continue to subscribe and listen. Until next time, everybody be well.
Brandon Breslin
Thanks everybody.