Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome to Cash in the Cyber Sheets. I'm James Bowers, your host, chief security and compliance architect here at Input Output. It took a little bit to remember that. I feel like I haven't been on the show in forever, which it's been like three weeks.
We're on episode 25 now, I think that's right. We might be editing that, but been on the road for the past three weeks, have been doing audits, ISO 27001 certification going from the 2013 standard to 2022, doing some other internal audits against ISO, PCI, and really it's just been audit, audit, audit, and very cool, definitely for business. Always love getting out to see clients going and traveling.
That's kind of neat, but it gets tiring. So very happy to be back. Um, I'm going to put the, we've been talking about the dirty 13 and we've got a lot more of those to get through.
I think we've gotten through six, uh, but I want to put that on hold because I actually want to talk about the audits while, while it's fresh. So we'll dive into that before we get started. Just please, please click that follow button, click that subscribe.
Whether you're listening to us on Apple Podcasts, Spotify, we're now there, uh, or on YouTube, wherever you're listening to us at, please just go ahead and click that follow and tell any of your friends about us, anybody that would benefit from the risk management business discussion. I know it's super sexy stuff. Uh, so invite everybody that you can, but with that said, let's go ahead and jump into talking about the audits.
So the first one we did, uh, beautiful Nashville, Tennessee, which if you've never gone there, you definitely need to. And from all the places that I've gone, I could actually spend a lot of time in the Nashville airport. They've got live music everywhere.
Everybody's everybody's looking to make it. They're all really good. So you got whiskey, you got lots of music.
It's a pretty good time, but the first one was up there and technically it was a surveillance audit. So we already helped this client get their ISO 27001 certification, but we needed to transition them from the 2013 standard over to 2022. And I'm not going to get into all those nuances.
Long story short of that is ISO made a lot of changes to how they structure their controls, moving away from kind of a domain more to a, uh, type like people, uh, technology, administrative, yada, yada, yada, yada is not one of them. Um, so moving them over to that 2022 standard. And it, it added a lot of time.
It actually was basically like another full audit. And if you've never been through an actual certification audit, if you've never helped somebody through those or ran them and been the one, uh, in some cases being audited, it's a lot like a week long enema and not that I would know about that, but I can imagine that it would be a horrible process to go through, but once you're through it, you'd feel a lot better. That's that's the best way I can explain that.
Um, the auditor that we had, I've actually had this auditor a few times around the ISO 27001 standard. And especially if she's listening, big time love-hate relationship there, much like a personal trainer, much like my personal trainer, uh, they're really, really good. They do a lot of good for you, but man, it sucks going through it.
And with her being such a good auditor, she really knows how to dig. She really knows how to, what to look for, what questions to ask. And she's an incredible auditor.
She's very thorough, but she's also very thorough. So that, that really sucks when sitting there with a client and having to check each control and then back check that to what does your policy say? Okay. Let's look at this line.
All right, let's confirm this over here. And she's been doing this long enough and has enough experience to know if you're doing this control this way, what are the other supporting inputs to that? So let's check those to make sure those are feeding it right. And then let's look at the outputs to that.
Let's make sure that those are, those are operating correctly. So she's a really great auditor and that just makes it really, really difficult. And it's just like having a trainer that pushes you very hard.
They know, they know when you're slacking, they know what to look for. They know when you're moving those muscles a certain way, what that looks like. They've been there themselves.
So they can, they'll call you out on it. Get a few more reps, do that the right way, straighten your back. And in the moment, man, it, it sucks.
And it, it feels like a horrible experience, but getting through it helps you grow, helps you become a lot better, you know, with the personal trainer being in better health, being more physically fit and all the things that that brings with it. And on the audit side, there has never been a time that I came out of any audit, but especially these with her, that I don't have like a full legal pad of different things that I'm going to use when I audit or different things that I thought of or things that I saw that we could improve as we're spending an entire week just hyper-focused on everything. And it allows you to come out the other end really making things a lot better, which is the Input Output slogan: be better, be IO.
Everything's about being better. So big time, love, hate relationship, but very, very good auditor. Few things to point out about that is, and we've talked about it on the, on the show before about setting your information security program up, your risk management program to where it's actually benefiting the business.
It's not just a check the box issue because if you're just doing a check the box issue, a check the box activity, we're just going to file it away. Never think of it again, even, even in the development of it, things aren't going to connect the right way. And when you go through one of these audits with somebody that really digs, they're going to be able to see that you're not really using your risk process to inform your control application.
You just, you just did a risk assessment and check that box, but it doesn't actually match up to how you're doing your controls, your, the outputs from that aren't supporting the inputs on, on your controls over here and how you're doing your supplier assessments that actually doesn't match up to your risk process. So that's completely disconnected. And as you start peeling these layers of the onion back, you see that, well, you just, you just put some policies on the side.
You just, you did some controls, but you don't really have an information security program. You have some things to check a box and some things to show potential clients, maybe other suppliers, maybe other people that just don't know really what to look for and kind of skating by. And that sucks on the skating by side, but also it's, you're putting in any effort into an information security program, into a risk management program.
And if it's not really supporting the business, just wasted time and money. So that's a good, bad thing about having a really good auditor is you can't bullshit, not at all, but you're really going to come out the other side being very, very tight and also knowing that it's, it's coming in the future, you can't slack on anything. So definitely good things there.
If you're listening, it's a great and horrible experience all at the same time. Uh, but always happy to have you as an auditor, some things I want to talk about though, uh, with the, with the other few minutes here in our succinct, uh, podcast is some really good audit tips. And these aren't all from just these previous audits that we just did.
This is over all the years of experience, but some things that can really help set you up for success in your audits, definitely aside from actually putting together an information security program and actually following it, but, uh, some things that you really want to do getting right into an audit or right before. So number one is review this with your team. The audit's definitely going to include talking to people in the office, asking them different questions.
What do they know about security? How are they being trained? Where can they find the policies and procedures, where are their safety manuals, yada, yada? They're going to get asked a lot of questions and it's very intimidating being on the other side of an auditor. So make sure that you talk to all of your personnel, all of your employees about this. You can do like an all hands.
Hey, we're going through an audit. Here's what it's going to look like. And then especially with any certification audits, you're going to have a schedule.
They're going to know when they want to talk to HR, when they want to talk to these departments so that you can coordinate around everybody's time. Talk to those people about what they can expect and also just reassure them. Just answer honestly, whatever you answer is perfectly okay.
I don't want you to stress out. Just be yourself. It also helps to have one central location that they can reference anything.
But what I would also review with everybody is just like if you were walking into court, keep your mouth shut, answer the questions, be respectful, be polite. Don't hold anything back. Don't definitely don't try to hide anything, but answer the question and shut your mouth.
We get nervous and we want to fill that empty space, that silence, with something, or we want to show the auditor that we're really involved with this and we're really trying to do the best we can. And I've got that control set up. And the reason I did that is to make sure that we keep everything protected because sometimes our security system actually just stops working and I want to make sure that that's not an issue, you know, we're being proactive with it. And in all that rambling, all that nervous energy, you just build a whole other area, a whole other avenue that now the auditor's going to want to go down, so you can create this rabbit hole situation.
In most audits, you're going to have those situations anyway, so don't add to them. So act like you're in court, answer the question, shut your mouth. The next thing is a lot of audits are now remote or a lot of the people that we're connecting with are remote.
So talk about good screen sharing and Teams and Zoom etiquette. One thing, don't share your whole screen. Make sure you talk to everybody.
Make sure that you're doing this, only share the window that you need to show. What you don't want to happen is notifications popping up during the audit. You definitely don't want to have a situation where somebody's sending you a Teams message about something regarding the audit or something that they messed up and now it's right there front and center for everybody to see.
You also don't want to have any Teams messages pop up where somebody's letting off some steam, bitching about an auditor, bitching about something else. And right now that's there for everybody to see. So share windows, not the whole system.
Another really good thing to do during your audits is when you're sharing a screen, stop the share while you look something up, once you find the evidence you're looking for, share the screen. Then when they're done, again, you're not talking a lot here, you're shutting your mouth, when they're done, stop sharing the screen, then go to your next piece of evidence. If you leave your screen open and you're, you're navigating to all of your different areas, one, that probably means you're sharing your entire screen or two, you could, you could find other issues or you could open up a whole can of worms.
So share your screen, show what needs to be shown, stop sharing, go to the next thing. And it's really easy to say this outside of an audit and everybody agrees outside of an audit, but when you're in it and perhaps you feel like your job's on the line or like everybody's looking at you, uh, like your reputation's on the line, that nervousness and that stress and that pressure can cause you to do things that you normally wouldn't do.
So don't try to hide things. That's different than don't volunteer additional information. You don't want to do that.
You want to keep your mouth shut, but don't try to hide things, show how things really are and definitely whatever you do, don't try and alter any documents. If you know you're getting into a supplier assessment review, you're going to review how you manage your suppliers and you notice that you forgot to do a few of them. It's okay as you're going into the audit to complete those supplier assessments, but don't try to backdate.
Make sure that you have the accurate dates, the accurate information. You don't, definitely don't try and alter any logs or any previous information. Number one, it's completely unethical.
Number two, it could, one, it could have you fail your entire audit. If it's with a regulator, it could get you into some serious legal trouble. So even if you're going to take a hit on something, take the hit.
It's okay. You'll live. You can come battle another day, but don't try and alter anything.
This should be different. I said that really bad. Let me start with this.
The next thing is check everything before you go into the audit. Typically when we're engaged with a client, when we're supporting an organization, we always do what we call a health check right before the audit. Then I say right before it's typically the quarter prior.
So like two or three months prior to the audit is when we're doing the health check and we're looking at everything. We're looking at every single control they're going to look at. We're buzzing through all the policies.
We're trying to connect all the dots, seeing if we can find anything and where we find things, we're getting them resolved or we're documenting them in our internal corrective action system. Uh, if it's on the ISO side, like a CAPA, a corrective action, preventative action, we're documenting all those things that we find and while it may seem counterintuitive going into an audit to directly document those. Typically what that will show is that we have an internal audit process, things are never perfect.
Our internal audit process caught this, we're already working to resolve it. You may get a little ding, but that also fully supports your internal audit and internal improvement processes. So if you can catch things before and get them corrected, again, don't backdate, but get them corrected going into the audit, that'll go a long way.
Also create yourself a cheat sheet. If you know that you're, what controls you're going to be reviewing, which you should in most audits, list all of those out and then list what policy has that information and then maybe a little synopsis, a little, a little blurb about how you manage that. And even better is create a folder that has snippets, evidence, or links to all of the different evidence and proof that you're actually doing these things correctly.
If you can show evidence quickly, you can actually show your auditor that you had things well put together. And that one will make things a lot less stressful. Two, I've noticed that a lot of auditors will stop digging as deeply everywhere because if you've got it this well put together, most likely you have it put together over here.
I don't really need to check that. So that can save your bacon. Again, not saying to hide anything, but keep your mouth shut.
If you notice things during the audit, make a note of it internally. And then get it corrected. Finally, and I wish this didn't need to be said, but it's happened and we still got the client certified, but make sure you wear pants, shirts, that you, that you're fully clothed during every audit.
We've had cases during, during audits to where the, the person on the other end thought that they were muting their system, but they actually were turning on their camera. And in the case that I'm thinking about, they were, they were completely in their birthday suit. So not the best impression for an auditor.
I do want to say that we still got them to pass their audit. So that's creating some really clever marketing material, but I mean, with any Zoom call, any Teams call, make sure you're wearing clothes, proper etiquette, go through these things. You never know when you're going to hit the camera by accident.
You never know when it's just going to pop on. And I'll also say related to that, before we close everything out here is it's, it's okay to vent. It's definitely okay to talk about things as much as you can.
I would prevent doing that through any Teams channels, through any other type of Slack or any other messaging app that the auditor would have any access to. What you don't want to happen is accidentally send it to the wrong person. I've seen that happen where somebody complaining about the auditor accidentally put that in the chat with the auditor.
So lots of egg on the face there. I've also seen it happen with text where they accidentally go out to the wrong person. So don't, don't stare down that 10 mile wide, elongating a hallway as Brian would say.
Um, don't put yourself in that bad spot. Keep, keep the conversations verbal in places where the auditor isn't, um, to let off the steam, let off steam other ways, but don't dig a hole for yourself. So there's, there's definitely, definitely a lot of other really great tidbits.
We'll put them together, um, here and there, but those are some of the big ones. So hopefully that would help you through your next upcoming audit and more than happy to connect with you and give you some direct tidbits, uh, even help support you through any audits because as great as they are and they're stressful. And if you have a good auditor, they know that too.
They're working with you on your side. They're working to help you be better. Keep that in mind and they'll help you get through it, help you survive. So thank you very much for listening to this week's episode of Cash in the Cyber Sheets. And I can't wait to talk to you next week.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.