What do auditors involved in making sure companies meet compliance requirements really think? For starters, companies don’t care much about privacy and security, while encryption gets applied at a minimum to meet rules, according to a study of 505 security auditors by Ponemon Institute.

“It was sometimes a jaundiced view,” acknowledges Dr. Larry Ponemon about some of the more cynical responses that came in answer to questions posed in the Ponemon Institute’s research survey “What Auditors Think about Crypto Technologies” that was published today.

Just over half of the security auditors, working across numerous industries including banking, retail, the credit-card industry, insurance, technology, energy, pharmaceuticals, healthcare and automotive, indicated that “business unit leaders” owned the budget for audits and assessments. And slightly more than half said more than 50% of the audits they had conducted “had serious deficiencies or failed data security compliance requirements.” The top three areas listed as security failures were applications, laptops or desktops, and “external service providers.” In this regard, cloud computing, especially software-as-a-service, topped the list as “the greatest threats or risk to your organization.”

Some answers to the survey, which was sponsored by security firm Thales, reveal deep cynicism about what are believed to be corporate management’s attitudes towards security.
Only 32% of the auditors said the organizations they audit are “proactive in managing privacy and data-protection risks,” while 60% also said the organizations they audit don’t believe compliance improves their data security effectiveness. More than half said crypto security tools were only used to achieve compliance and that, in any case, the organizations they audit do not have sufficient resources to achieve data compliance requirements. Some 71% of the auditors also said the information assets of the organizations they audit could not be fully protected within the corporate boundary without the use of crypto solutions, and 81% said a “best practice” is to encrypt sensitive or confidential information whenever possible. More than half said end-user convenience should not be considered in deciding what sensitive information needs to be encrypted.

But at the same time, more than half of these auditors expressed uncertainty about whether encryption applied in certain ways, such as to databases or storage, can reduce the scope of audits under compliance rules.

“The auditors are unclear about it,” said Ponemon, adding that this indicates it would be beneficial if influential standards bodies, such as the PCI Security Standards Council, provided more guidance on the benefits of encryption in taking networks “out of scope” for purposes of a security compliance audit. “There’s a hunger for more guidance,” he concluded.