Security is a peculiar thing. There never seems to be any problem with it. You hardly ever hear of big companies being hacked or of specific cases of industrial espionage through spearfishing, of organisations losing confidential data or of consumer services being halted by malware. The same thing happens if you ask your own IT team how things are going. Everything is always under complete control, judging by the smiles on their faces. But how can you be sure?

Guess what, you have probably already been hacked.

Break the taboo

One of the things you can do to break this taboo is to arrange a security audit. An audit will do three things: assess the effectiveness of your Information Security Management System (ISMS), provide focused advice on the security aspects of critical information and make suggestions for future initiatives.

Generally, customers call us for a security audit to solve three types of problems: there is no helicopter view of their security status (What’s happening?), and it is difficult to identify a global roadmap (What should we do?) and set priorities in security projects (When should we do things?).

Even before providing any specific advice, a security audit will already bring you the following benefits:

• a neutral opinion on the state of security and the way forward
• reinforcement of the alignment between security and the critical business processes, via shared security governance with the business
• increased awareness and security maturity among management and users.

The audit results in an action report that explains technical issues in plain business terminology, so that it is easy to understand for everyone involved. It includes recommendations that will improve security status and maturity. Also featured is a so-called Maturity Spider Web, which shows the As-Is and To-Be situation in terms of security controls. Finally, a risk matrix and a roadmap add practical advice for a medium-term strategy and a tactical plan.

Customer pressure

Many companies go for such an audit after coming under double pressure. On one hand, customers are asking businesses for reassurance and proof of a reasonable security status. On the other hand, businesses themselves are becoming more and more wary of the risk of hitting the headlines due to a malicious attack, which could damage their reputation as well as their financial forecast.

A security audit will not guarantee you a future free of all risks, but at least you will know how to improve your security health and where your security quick wins lie.