What is a good security audit, and what is not?

1. Oughta Audit Good
Roger G. Johnston, Ph.D., CPP
Right Brain Sekurity
https://rbsekurity.com
In my experience, auditing employees for mindless compliance with security rules, policies,
regulations, guidelines, and standards is often more wasteful Security Theater than it is an
effective security tool. But it is worse than that. When auditors strive to nitpick, “catch”, and
slam employees who are accused of not fully enacting security requirements mandated by high-
level bureaucrats with no understanding of the local conditions or culture, and when there is no
local sanity check on these requirements, security becomes the enemy of productivity and of
employees. Auditors and the bureaucratic secret police then come to be viewed as the enemy;
focus is taken away from worrying about the true adversaries.
What should good security auditing look like? In my view, employees should be asked to
demonstrate to auditors that they have good security. If employees wish to invoke the security
rules as part of that, so be it. But if employees have different/alternative/
additional ideas and practices that permit good local security, they should be encouraged to
point those out. Auditors should ask employees how they think their security could be
attacked, and how it can be made better, but also ways to make it less intrusive, cheaper, and
less of a hassle.
Auditing should not be about bashing heads, but be more about
praising employees when there is good security, and having cooperative
discussions about local security. This, however, requires auditors,
security managers, and organizational leaders who aren’t uninformed
authoritarian knuckleheads. And it requires recognizing that security is
always about the details and the local conditions, not about threating
employees or one-size-fits-all thinking.
For more information, see https://rbsekurity.com/papers-and-talks.html