Security Pros Cheating During Audits?

from the oops dept

We were just discussing if a security auditor should be liable for giving a company a passing grade if there's later a security breach. Considering that it's pretty much impossible to be perfectly secure, and there were always some things that could go wrong, it seemed like a bad idea to hold auditors liable, except in situations where there was obvious fraud or gross negligence. And now, there's evidence that security professionals may try to trick auditors, raising even more questions about why auditors should be liable. Michael Scott points us to the news that a recent survey of security pros found that 20% admit to having cheated or knowing others who cheated in order to pass a security audit. Now, the phrasing can be misleading -- by saying that "they did or they know someone who did" it could (in theory) just be one guy who cheated... who happens to know a lot of other security professionals. So, it would certainly require a bit more research to determine how widespread the cheating is. It's also not clear how many times the cheating occurred. If it's every audit, that's one thing. If it just happened once and the issue was fixed, that's quite different. Still, it's more evidence that you can't just blame the auditors -- especially when the security pros at the company may not be completely truthful in providing info to the auditors.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: auditor, cheating, data breach, liability, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Griff (profile), 9 Jun 2009 @ 1:18am

    Regulators & Auditors

    Would this be the same situation as when a financial auditor or regulator paid 1/2 what the auditee is paid fails to discover financial shenanigans ?

    If so, are we surprised ?

    reply to this | link to this | view in chronology ]

  • identicon
    Henry M, 9 Jun 2009 @ 3:26am

    Rating the Raters

    The companies that rate stocks, bonds, and financial institutions and whose inflated ratings, largely due to the fees paid for ratings by those entities, led to the current financial crisis, claim that their ratings are merely "reporting," and "expressions of opinions," even though they are taken as authoritative, and so are protected by the first amendmentment.

    If auditors are not financially independent, then their audits aren't valid and should not be taken as authoritative and creditable, in which case they should not be liable. But if they make claims that suggest authority, then perhaps liability is appropriate!

    reply to this | link to this | view in chronology ]

  • identicon
    pegr, 9 Jun 2009 @ 6:13am

    Well duh!

    As an IT auditor for 12 years, I can say with absolute certainty that I've been lied to, manipulated, and fed half-truths.

    Many IT departments are corrupt. Those playing nice with the auditors are often shunned, assigned less desirable positions, or outright fired. Banks tend to be the worst, because they always have "legacy" apps running on ancient hardware that they just can't secure properly.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jun 2009 @ 6:59am

    In other news...

    water is wet.

    reply to this | link to this | view in chronology ]

  • identicon
    Peeper, 10 Jun 2009 @ 4:50am

    sand is sick? :)

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Advertisment

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.