Security Audit – Are you a ‘Quiddler’?
Are you a Quiddler? No, this is not some fanboi reference to Harry Potter (I’ll be honest, I haven’t read one of the series, I’m a proper muggle!). Quiddling, however, is a very real problem in the world of Security Audit. If you want to know more, keep on reading. You could be one of the quiddlers – and knowing you are might just keep your organisation that little bit more secure!
For the international audience, you may or may not be aware of a Channel 4 Programme on British Television called Countdown. It’s not a programme I have watched for a long time as I’m, well, working during the day! But when I was a student I did catch the odd episode. Anyway, the longest-serving member of the Countdown team is Susie Dent. Susie is a master of all things words and language. A Goddess amongst us mere mortals and I am definitely a fanboi! I would encourage those of you on Twitter to follow her @susie_dent if you want to learn all about obscure words. One she posted about today was “Quiddling” which is a word from the 1700s that means:
“Busying oneself with trivial tasks in order to avoid the important ones.”
What has this got to do with Cyber Security Audit?
Quiddling is essentially synonymous with something many technology management professionals are guilty of, especially in the aftermath of a savage cyber security audit. The audit has multiple findings, and a couple of them the Quiddler knows are going to be expensive, resource-hungry or divert efforts away from their flagship projects. The Quiddler knows they have underinvested in cybersecurity but also knows they need to show they are taking the audit issues seriously. The Quiddler really doesn’t want to have to divert significant time and resources away from what they were doing…and then it comes… If you have been at an audit remediation planning meeting, ever, you could easily add the following phrase to your buzzword bingo sheet:
“Let’s tackle the low hanging fruit first”
Tackling the low hanging fruit is meant to demonstrate something is being done. It’s not necessarily a bad thing to tackle these items. A lot of the time, though, it’s done so something can be reported to the senior management team as being closed off. Often these juicy pieces of fruit, ripe for the harvesting, are the trivial tasks chosen to avoid concentrating on the important ones. They aren’t necessarily going to give you the best cost-benefit in terms of cybersecurity risk management.
A good example could be cybersecurity incident management. A quiddling CIO might choose to ‘update’ their incident management policy and procedures, ensuring it goes through multiple rounds of review and approval whilst the whole time the audit point about there being no security incident detection controls in place (because that needs a SIEM/SOC implemented) gets kicked into the long grass.
How can Senior Management see through the Quiddler Security Audit strategy?
Essentially, each audit item should be costed and then compared against the risk it is supposed to be mitigating. There should be a clear financial measure showing how much risk would be mitigated and how much risk exposure remains. Security Return on Investment (ROI) should also be calculated to show the longer-term benefits for each action.
Costing each audit point in pounds and pence gives a much stronger indicator of which audit items need to be remediated first: those items that provide the best Security ROI or risk reduction, ahead of those items that are often just nice-to-haves…
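The costing approach described above, worked through as an added example (not part of the original post): it compares a "low hanging fruit" remediation order with a Security ROI order under the same budget. The finding names, all figures, the budget and the formula ROSI = (risk mitigated − cost) / cost are assumptions for illustration, since the post does not give a formula or numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    cost: float        # first-year remediation cost, GBP
    ale_before: float  # annualised loss expectancy today, GBP/year
    ale_after: float   # expected ALE once remediated, GBP/year

    @property
    def mitigated(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def rosi(self) -> float:
        # Assumed formula: ROSI = (risk mitigated - cost) / cost
        if self.cost <= 0:
            raise ValueError(f"{self.name}: cost must be positive")
        return (self.mitigated - self.cost) / self.cost

# Constructed audit findings and figures, for illustration only.
FINDINGS = [
    Finding("Update incident management policy", 5_000, 20_000, 18_000),
    Finding("Implement SIEM/SOC detection", 250_000, 900_000, 300_000),
    Finding("Refresh security awareness posters", 2_000, 10_000, 9_500),
    Finding("Enforce MFA on remote access", 40_000, 400_000, 100_000),
]

def plan(findings, budget, order):
    """Fund findings in the given order, skipping any that no longer fit."""
    chosen, spent = [], 0
    for f in sorted(findings, key=order):
        if spent + f.cost <= budget:
            chosen.append(f)
            spent += f.cost
    mitigated = sum(f.mitigated for f in chosen)
    residual = sum(f.ale_before for f in findings) - mitigated
    return [f.name for f in chosen], mitigated, residual

def cheapest_first(f):   # the Quiddler's ordering
    return f.cost

def best_rosi_first(f):  # highest Security ROI first
    return -f.rosi

if __name__ == "__main__":
    for label, order in (("Cheapest first", cheapest_first), ("Best ROSI first", best_rosi_first)):
        names, mitigated, residual = plan(FINDINGS, 290_000, order)
        print(f"{label}: mitigated £{mitigated:,.0f}, residual £{residual:,.0f}: {names}")
```

With these constructed numbers, the cheapest-first plan closes three findings but never funds detection, while the ROSI-first plan closes two and leaves far less residual exposure.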
…so don’t be a Quiddler. Be a go-getter, be a doer, be a self-starter. But if you need help with a framework for costing your security audit points, or with implementing a meaningful quantitative risk management programme, contact us…Fox Red Risk can help.
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.