Industry View
Sue the Auditor and Shut Down the Firm
Irresponsible auditors deserve a harsh fate, and irresponsible auditees deserve a legal injunction, say Ben Rothke and David Mundhenk
By Ben Rothke and David Mundhenk
By way of analogy, there are cases where obese smokers have sued their physicians for a variety of concocted reasons. No one wakes up one morning surprised that they are suddenly diabetic and weighing 450 pounds with a blood pressure of 190/125; but that has not stopped the lawsuits. Obese smokers are made, not born, and insecure networks are also made, not born. Those who made such networks should be held liable for their years of security neglect.
The problem is often that management has spent years relegating information security to the doldrums through minimal funding and limited resources, and is then astounded when a massive data breach follows. The same organization that holds reams of negative security reports is often the first in line to lay the blame, whether on its own CISO or on the outside auditors and consultants.
We are all in favor of throwing incompetent auditors to the dogs. Any company that is the victim of an incompetent auditor should be able to get back all audit fees paid, in addition to all expenses incurred, including punitive damages.
Conversely, any organization that refuses to remediate security gap findings should be served with an injunction: give it 90 days to fix the problem or suspend its license to conduct business. It really is that simple. For the lawyers, there is certainly a lot more money to be made suing incompetent management than incompetent auditors, and for such a class-action lawsuit, these two auditors would love to sign on.
The bottom line is that companies that are serious about security will be serious when they select their auditors. The majority of auditors are competent and bring significant value to the clients they serve. Imprudent organizations will sue their auditors to solve their problem, but smart organizations will leverage the experience of their auditors to see what other companies are doing right and how they can do the same. In the long run, that is a much smarter and cheaper approach, and no lawyers are needed.
Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know.
David Mundhenk CISSP, PCI-DSS & PA-DSS QSA, QPASP (stratamund@sbcglobal.net) is a Security Consultant with a major professional services firm.