I recently participated in an executive meeting at a bank where we discussed the real value of “checking the box”, also known as doing the bare minimum, just to satisfy an auditor or examiner.
Financial institutions are under constant pressure from auditors, examiners, and internal security staff to implement or enhance controls. As an IT/IS leader, there are a few ways to approach these expectations, and our level of success can largely be linked to our mindset and attitude.
- Keep an open mind. Auditors and Examiners are not our enemies! I would much rather see a finding or recommendation on Examiner letterhead than the front page of the news because of a network breach. They are here to help, and we should leverage their expertise and unique perspective to strengthen our cyber security posture.
- Have a conversation. More now than ever, audits and exams are being facilitated remotely, which can lead to miscommunication and undue frustration. If a finding doesn’t make sense, schedule additional time for clarification. Either party could be missing important information that might clarify the situation.
- Understand your inherent risk profile. Not all solutions are created equal, and they certainly can vary in cost. Oftentimes, audit and exam findings will not reference specific solutions, but rather common controls. It’s important to consider controls commensurate with the risk of the organization.
Finally, as you work to remediate findings, I challenge you to do so with the intent to add the most value to the organization versus simply checking the box. If you’re going to spend time doing something, make the most of it. With limited resources and ever-growing expectations, we owe it to ourselves and the company to make the most effective use of our time.
If you need assistance prioritizing findings and adding value to your program and organization, reach out to us any time at support@bedelsecurity.com.
Additional Resources:
5 Tips for Technical People to Successfully Communicate with Management
https://www.bedelsecurity.com/blog/5-tips-for-technical-people-to-successfully-communicate-with-management
5 Tips for Management to Successfully Communicate with Technical Staff
https://www.bedelsecurity.com/blog/5-tips-for-management-to-successfully-communicate-with-technical-staff
Culture of Security: Critical Conversations
https://www.bedelsecurity.com/blog/culture-of-security-critical-conversations
Managing Cybersecurity: Get Away From “No”
https://www.bedelsecurity.com/blog/managing-cybersecurity-get-away-from-no