Auditors, Employers at Odds Over Security

A new survey shows a disconnect between the security-first mentalities of auditors and the compliance-driven concerns of their employers.

Security auditors have a reputation for being hard to please. According to a new survey from The Ponemon Institute, most auditors believe the companies or clients that employ them don't take security seriously enough.

Ponemon's survey of 505 security auditors reveals a disconnect between the security-first mentalities of auditors and the compliance-driven concerns of their employers.

"Organizations' data security strategies seem to be focused mostly on compliance. Based on their experience auditing organizations, the majority of auditors agree that data security is not a priority and [that] resources are insufficient to achieve data compliance requirements," says the Ponemon report, What Auditors Think About Crypto Technologies.

According to security auditors, most companies don't even believe that focusing on compliance helps significantly improve their information security effectiveness: "60 percent of auditors surveyed agree that the organizations they audit do not believe compliance improves their data security effectiveness," the report indicates. "Moreover, 54 percent agree the organizations they audit use crypto security tools only as required to achieve compliance."

The complete study reads like an alarmist wake-up call.

For example, less than a third of internal auditors describe their clients or employers as "proactive" about managing the risks associated with privacy or data protection. In addition, just 42 percent believe their clients or employers treat information security as a "strategic priority."

External auditors, on the other hand, tend to form more positive impressions of their employers: almost 40 percent described their client companies as "proactive" with respect to managing privacy or data protection issues. That's a swing of about 7 percentage points. More than half (51 percent) say their clients treat information security as a "strategic priority." That's a swing of about 9 percent.

Auditors don't seem to be crying wolf, either. A majority (51 percent) say at least half the audits they perform reveal "serious deficiencies" or otherwise fail to meet compliance requirements.

Why is security an afterthought in so many shops? Auditors tend to blame the line of business.

"Business units continue to own compliance audit or assessment budgets … [and] 54 percent of auditors say business unit leaders own the compliance budget," the report indicates. Fifteen percent of auditors say compliance is handled by the legal department or by IT.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
