Comment by aviditas

3 years ago

In my opinion, most audits for security are the same as having an accountability buddy. The company says "I'm doing x, y, and z," then the auditor collects and organizes the proof for or against those assertions. Like a good project manager, a good auditor doesn't have to be a domain expert. Security professionals tend to have strong opinions on what the right way to do a thing is, so with an auditor with years of security experience it can be a toss-up whether they will be a help or a hindrance. There are security consultants who provide significant value in reviewing and providing recommendations, but they can be difficult to find among the chaff. And even if the company hires an amazing consultant or security service, the company still has to adopt and implement. Information security at organizations is highly dependent on the executives and how they view security measures.

A good auditor will do exactly that: audit the evidence to certify compliance with the documented controls. It is not their job to specify controls, unless the controls are specifically called out in the standard against which they are auditing. They can flag controls that do not meet the standard, but they cannot specify what those controls must be.

However, a good auditor should also make recommendations on how to improve controls without holding the threat of a qualified report over your head if you don't comply.

So while I agree that they do not have to be a domain expert to do the bare minimum, the audits they can provide at that level are not especially useful in the long run. I want the value add of recommendations from a domain expert. This, however, is not that common.

Worse are the guys who think they have a badge. Their position has gone to their heads, and they are a nightmare to work with. I hate having to school these guys that it is not their job to demand specific controls (in the case of SOC 2, for example), but to compare the controls in place to the standard and verify that they are indeed in place. Unfortunately, all these guys work for accounting firms, and their bosses are generally clueless, so the "cyber guy" runs rampant. Some auditors need an audit.