Security Pros Cheating During Audits?

from the oops dept

We were just discussing if a security auditor should be liable for giving a company a passing grade if there’s later a security breach. Considering that it’s pretty much impossible to be perfectly secure, and there were always some things that could go wrong, it seemed like a bad idea to hold auditors liable, except in situations where there was obvious fraud or gross negligence. And now, there’s evidence that security professionals may try to trick auditors, raising even more questions about why auditors should be liable. Michael Scott points us to the news that a recent survey of security pros found that 20% admit to having cheated or knowing others who cheated in order to pass a security audit. Now, the phrasing can be misleading — by saying that “they did or they know someone who did” it could (in theory) just be one guy who cheated… who happens to know a lot of other security professionals. So, it would certainly require a bit more research to determine how widespread the cheating is. It’s also not clear how many times the cheating occurred. If it’s every audit, that’s one thing. If it just happened once and the issue was fixed, that’s quite different. Still, it’s more evidence that you can’t just blame the auditors — especially when the security pros at the company may not be completely truthful in providing info to the auditors.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Security Pros Cheating During Audits?”

Subscribe: RSS Leave a comment
Henry M (user link) says:

Rating the Raters

The companies that rate stocks, bonds, and financial institutions and whose inflated ratings, largely due to the fees paid for ratings by those entities, led to the current financial crisis, claim that their ratings are merely “reporting,” and “expressions of opinions,” even though they are taken as authoritative, and so are protected by the first amendmentment.

If auditors are not financially independent, then their audits aren’t valid and should not be taken as authoritative and creditable, in which case they should not be liable. But if they make claims that suggest authority, then perhaps liability is appropriate!

pegr (profile) says:

Well duh!

As an IT auditor for 12 years, I can say with absolute certainty that I’ve been lied to, manipulated, and fed half-truths.

Many IT departments are corrupt. Those playing nice with the auditors are often shunned, assigned less desirable positions, or outright fired. Banks tend to be the worst, because they always have “legacy” apps running on ancient hardware that they just can’t secure properly.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...