What do I think of security audits?

September 13, 2023

What do I think of security audits?

Mmmmm going to make myself kind of unpopular here. I have paid for, commissioned, sold, and even done basic security audits over my decades of being in the IT industry.

Do they hold value…. of course, they do.

Are they worth the money? depends how much you pay and what you get?

Would I recommend you having one? Only if you know what to ask for.

I think the question is, what are you trying to achieve? Most security audits end in the same thing. A set of recommendations based on several risks,

  • Critical,
  • Urgent,
  • Medium,
  • Don’t waste your cash.
  • We needed to show you got your money’s worth.

What happens next? The senior management team ask the following – put a dollar figure next to each and tell us what will happen if we don’t do it? Reading between the lines “Do we fire the IT guy, change provider, or just sweep it under the carpet. We need to spend the money elsewhere in the business”.

So here is the missing thing in security audits from my point of view. I don’t want to see if update 564654 of 2018 makes me vulnerable. I have the view that we are always vulnerable. I don’t care if I am updated, anti virused, monitored up to the hilt. I am getting attacked. What I want to see is, what happens when I do get attacked. What’s the response and how long does it take.

Quite frankly I want to see the ambulance at the bottom of the cliff. I will give the ambulance driver training and air bags, traction control and everything else, but I have no control over a random wasp that flies in the window, stings him on the nose and makes him career off the road at 70kmh.

It could happen. What I want to see is, if that happens, what happens next. Is there another ambulance behind it? Is there a cushion at the bottom of the cliff?

We spend zillions on the top of the cliff (and don’t get me wrong, we should), but a security audit should start with worst case scenario.

It’s all about recovery. I hear shouts of “prevention first”. I am not talking about getting rid of prevention. We can protect against the known. It’s the unknown that we need to plan for.

Not only do I sell IT stuff, but I also own a business. If we were attached my first question will be – “how long until we are back up and running? …. not what caused that?”

Security audits should be called Recovery audits.

And you have just witnessed a change in what Rocket IT offer…. we don’t offer Security audits. We offer Recovery audits. It just came to the end of my fingers as I was typing.

Thanks for reading and helping me to create a new product! Now please give me a call and book one.