Low Quality Audits and the Third Way

Today I wish to discuss – again – one of my favorite topics: voluntary audits.

You know the ones. SOC2 and the ISO series, the at-present heavy load carriers of SaaS sales enablement in information security.

If you’ve been reading my writings, or heard me talk about this in the last couple of decades, you might have heard me say something along the lines of what we all know is true: these audits are sales tools. In the second edition of Why CISOs Fail, I chose to dedicate an entirely new chapter (5.2) to this topic, as it deserved additional focus.

Increasingly, however, industry chatter has turned to audit quality. As many companies have concluded, and automated GRC platforms have capitalized on magnificently (yes, /s), if all that matters is the mere presence of an audit report, then those can be produced rapidly and quite successfully without much, uhh, shall we say…care?

As the recipient of such reports, how does one know which reports can be trusted?

It’s a topic that occupies security leaders’ minds these days, even if their organizations in general couldn’t give a rat’s ass about it. That is a fairly common position for a CISO to occupy, a cynical BOHICA of epic proportions, dwarfing even the CIO’s, and a big impetus behind why I wrote that book in the first place.

People keep trying to find solutions to this problem, but by and large they fall into two buckets:

We Need More/Better Rules!

In this approach, one might suggest that, by tightening the requirements in the mysterious land of government regulations, we can force those who undergo these audits, those who perform them, and those who generate massive profit margins from their existence (hello again, GRC platforms) to do better.

It really is a sweet sentiment. It is also incredibly naive. And I don’t mean naive as in “oh, I didn’t realize the British called fries chips”. I mean a five-year-old who truly believes in their little heart that Santa exists naive.

Without even entering the realm of politics, lobbying, and the calculus of being in elected positions, or even the dubious value and mismatch of slow-moving regulatory action in a fast-moving technology field – I can, for fuck’s sake, happily argue different sides here until you scream and go to lunch – one really must ask the question: why would anyone care?

“But, but…regulations do work! Look at privacy rules! Look at GDPR!”

Yes. Of course. Notice something important about privacy rules that makes them an entirely different beast? What and/or who are they targeting?

I’ll give you a couple of seconds.

I knew you’d get it.

Privacy rules protect individuals’ rights. People.

Also known as voters.

In the world of security, SOC2 and ISO27001 (and its many offshoots, including the new 42xxx series for AI) are not only voluntary, they are utilized quite specifically between companies. They cover commercial transactions between organizations, aka consenting adults.

This is very much unlike the world of privacy, which deals with interactions between organizations, aka nannies, and people, aka their charges.

Yes, you could try and sway someone like the SEC to promote some penalties for the lying bastards who lie, but that won’t help you where it actually matters, meaning in the realm of those incredibly cool tech startups with awesome value-adds where the problem actually exists.

Anyway, I’ll stop here. More rules ain’t gonna help ya.

Which brings us to the second, less naive but no less dangerous, idea. It’s a simple one, and essentially says that…

The Vendors Should do Better

The amount of ire and ridicule I regularly see (and experience) from enterprise CISOs towards their overworked, under-budgeted, miserable counterparts working for the vendors that those enterprises wish to procure services from, is (sadly) breathtaking. Sure, those security leaders in small companies may not know how to effectively run an eight-figure budget or a department with 100+ employees, but what they are able to achieve with what the enterprise CISO would spend without blinking an eye on a Proof-of-Concept engagement with one of those vendors is frankly mind blowing.

And part of doing that is getting the SaaS sales team the tools they need, like SOC2 audits, at minimum expenditure.

What choice do they have? It’s the reality of their business.

Most of those SaaS CISOs do a fine job at navigating these treacherous waters, while knowing full well that, unlike their enterprise counterparts, they will be directly to blame not only for security failures, but also for things like sales failures when one of those enterprise CISOs has a bone to pick or has woken up on the wrong side of the bed. If you have not seen a SaaS organization fire their security guy/gal because sales couldn’t close a deal due to dynamics entirely unrelated to security but that could regardless be blamed on security, then you haven’t been in the field long enough. It happens. All the time.

These SaaS security leaders often have to fight for every dollar they spend – from zero, not from some multi-million dollar baseline – and simply cannot get much no matter how good they are at their job. So sure, they do creative things like lower-quality audits, because those are the ones they can pay for (and pass), and it’s mostly good enough for sales.

That, my friends, is reality. You are not going to change it by whining about it. Unfortunately, most of what I hear these days is the whinging.

Anyway, there you go. The two approaches I outlined above are the ones people are generally discussing as solutions to the problem of audit quality. They are both wrong, they don’t work and won’t work, but they do provide an endless platform for entertaining (or depressing) bloviage (bloviation? Is there a noun form for bloviate? Here I go exposing my immigrant roots again.)

But, my dear readers, there is in fact a third way, and it does work, and it is simple, and it will solve every single one of these ills over time. It will feel like magic.

Yes, I’m being hyperbolic because I know exactly why it won’t (the bean counters at the enterprises), but I felt it was worth writing this article, because it really is the most targeted solution that is properly aligned with goals and incentives.

Pay For It

No, I’m not suggesting that enterprises directly pay for their vendors’ audits.

What I am suggesting, though, is that the buyers (those enterprise CISOs) make it explicit that they will pay slightly more for service from vendors who provide high quality audits.

Instead of threatening the vendors, offering them an extra point or two on a six- (let alone seven-) figure deal, with the explicit requirement that the vendor engages a reputable, independent auditor for their next audit round, will do wonders to improve audit quality across the entire industry.

The effect would not be immediate, but it would be noticeable.

One could even imagine setting up a centralized, not-for-profit organization to regularly vet independent, reputable auditors, funded by these enterprises. It’s actually not that hard, and it is also properly aligned to incentives, because of the funding source. Spread across many organizations, the cost would be negligible for the enterprises who supposedly care about this.

Don’t the AICPA (for SOC2) and ISO do this already? Folks, if you follow me, you know the answer to this one: judge by the outcomes. If this vetting worked, we wouldn’t be facing this problem, now would we? There are plenty of good reasons why they cannot do this well by (essentially) policing themselves, but primarily it’s a structural conflict of interest; they are invested in – their very existence depends on – the standards themselves, not the commercial outcomes for the organizations depending on those standards.

And they don’t collaborate.

For the SaaS vendors, it would be compelling. If you can sell your software for a couple of points more, then you can pay for a good control plane – and a quality audit. Those who sign on quickly will see a commercial advantage, and those who don’t will learn it soon enough.

That’s how you motivate people to do the right thing.

As a side note, if enterprise CISOs decided to do this collaboratively (LOL) then it would pay for itself, because they could reduce their reliance on third party hacks who supposedly “audit” vendors’ security posture but are usually nothing more than rigid check-boxers who have no clue about technology or security. Oh yes, I see it all the time. They could instead trust the quality of the audit report provided, and breathe a bit easier.

It can be done. It doesn’t even need to exist for more than about a decade or so, after which it can be peacefully dissolved because the entire process will have been put on rails and the cheap audit world will have been commercially squeezed out of existence. Heck, I’ll even offer to chair such an organization and help guide it away from becoming self-serving…which, since I’m clearly in a cynical mood this morning, just shows you how likely I think it is to ever happen.

Whinging and threatening is (apparently) a lot more fun.

Have a great weekend, y’all!

–b
