The Security Auditing Manifesto

There is a better way for auditing and security functions to operate together. Here's the manifesto.

Mike P
A way with less friction and one that values reducing real risks to the business.

This will not happen by relying on audit or security frameworks alone. This cannot be successful by making either side play guessing games.

This can only work by striving to be better partners to each side, playing to your strengths, and sharing values.

I propose the following core shared values:

  • Complete transparency over playing things close to the vest
  • Asking questions over being prescriptive
  • Shared understanding of risks over telling the other side what the risks should be
  • Establishing expectations upfront over making teams guess what's important
  • Allowing operational flexibility on risk over decision by committee
  • Functioning security controls over documentation and RACI charts
  • Security outcomes and risk mitigation over strictly adhering to compliance frameworks
  • Continuous security validation over point-in-time audits

These values should be universal across industries and should scale with company size. The more oversight an industry has and the more regulated it is, as in financial services, the more important this becomes.

I'd love to hear from you if you think anything is missing from this list or is worth challenging. Feel free to drop me a note.