TL;DR: UK accounting firms are being required to split off their audit functions. Could the same structure be applied to cyber security firms in the future?
When I was undertaking my CISSP course recently, an article was brought up about the requirement in the UK for the large accounting firms to split off their audit functions by 2024. While I have no experience in financial auditing, I have been involved in organising cyber security audits, both technical assessments and audits against standards such as PCI DSS and ISO. In my experience these auditors have acted independently and free from undue influence from clients and their employees. But extrapolating this across an entire industry, where perverse incentives may be at play, raises the question: should the same regulation be applied to cyber security auditing within multi-service organisations?
As cyber security is a young industry, looking at what other industries are doing can indicate where things might be headed. The UK's Financial Reporting Council (FRC) has included in these regulations a provision to protect auditors from influences that could reduce the independence and quality of audits [1]. The initial findings have since been backed up with further recommendations aimed at separating consulting from auditing. These include not incentivising audit partners for sales to other parts of the business, and setting targets for the proportion of accounting work these firms can provide [2].
Australia has seen its own examples with PwC and KPMG. PwC was accused of using legal professional privilege to shield clients from Australian Taxation Office (ATO) investigations [3]. The other high-profile case involves KPMG's work with NSW Treasury and the Transport Asset Holding Entity (TAHE), in which the firm wrote two different reports for two different departments that reached conflicting conclusions about the same entity [4]. What these examples show is how large, diversified firms become intertwined with their customers at multiple layers, which can create the perverse incentives I explore below.
Some may see the FRC's regulations as overstepping the mark, but after recent high-profile financial collapses and questions about audit transparency the regulator was left with little choice. With security incidents drawing more attention, and post-mortem analysis by insurers and regulators becoming routine, it is easy to see how any perception that conflicts of interest lead to substandard practices could end in further regulation, and perhaps the splitting of functions to remove any potential conflict.
The cost of conflict
A security issue glossed over, accepted or removed from a security report can have a very real-world impact. There can be well-justified reasons for such adjustments (e.g. false positives or scope changes), but this is not always the case. The highest-profile example is Trustwave's PCI DSS certification of Target in the USA. The subsequent breach, and the ensuing disputes with insurers, showed that certification to have been optimistic at best [5]. In a form of self-regulation following this incident, the PCI Security Standards Council implemented changes to protect the integrity of PCI assessments, which have gone a long way towards addressing the issues that were identified.
In penetration testing it might be a finding downgraded when it should not have been, or removed because of a last-minute scope change that the tester disagrees with but is overruled on by senior management. Most pen testers will have a story about a situation like this.
It is easy to see how an unhappy client, failing an audit over something they do not view as critical, can put a strain on an auditor and lead to a slow chipping away of independence. The end result could be an organisation that is less secure than it appears to its clients and suppliers. Attackers do not see this and do not care; they have one objective, and that is to gain access. As the well-known 2009 Kiwicon poster proclaimed, 'Hackers don't give a sh-t'.
Figure 1. Kiwicon poster from 2009 https://kiwicon.org/site_media/poster_shit.pdf.
So what could these conflicts cost? A finding downgraded, an audit finding ignored, or systems de-scoped without this being made clear in the report are just a few of many possible examples. If any of them leads to a security incident, the consequences are real, both monetary and non-monetary.
Everyone wants to work with partners they trust, and most businesses are fortunate to have such relationships. If this article had to be summarised in one well-known phrase it would be 'trust, but verify'. As a practical example, if one provider has supplied your security tooling and monitoring as a service, best practice is to have a separate organisation assess the effectiveness of those controls, whether through offensive security services such as penetration testing and red teaming or through audits against security standards. An assessor with no stake in the controls being tested has no conflict to manage, which leads to the best outcome for the customer.
How to manage conflicts
Organisations can put policies in place to ensure independence and avoid conflicts of interest. For example, in the cyber security space many organisations will not audit work they have remediated themselves. Although this is not always mandated, it is common practice and goes a long way towards avoiding the issues outlined above. To ensure accountability, we recommend writing this into your organisation's policies if it is not already there.
One way to think about managing these conflicts is to recognise the incentives at play. I was recently re-reading the book Freakonomics [6], and it provides an in-depth look at this topic. Why people act the way they do, and why the reasons are not always obvious, are questions it explores in great detail. Most of the time, though, you will not need a book to understand the perverse incentives that could lead practitioners to act in ways that harm their clients' security posture. Understand which services your partners provide across your entire organisation, and ensure appropriate measures are in place to verify their work as needed.
The other recommendation is to maintain a pool of trusted partners and rotate between them, so that different organisations provide different services. This also lets you match a firm's skills to a particular project's requirements while avoiding any conflicts.
Should cyber security assessment and audit activities be split from other areas?
The industry has put measures in place to self-regulate, as evidenced by the codes of professional responsibility from bodies such as the PCI SSC [7] and (ISC)² [8]. From a buyer's point of view it is always critical to understand the incentives at play, so you can ask your suppliers the right questions on these topics. This leads to what I believe is the most important factor: practitioners should be transparent about what they can and cannot do, and call out any potential conflict as soon as it is identified.
For now the cyber security market is probably not at the point where such regulation is required. Most buyers know how to manage these conflicts, cyber security is still a relatively small part of most organisations, and the industry has self-regulation in place alongside most organisations' own policies. For the time being, regulation is unlikely to be needed.
Many factors go into selecting partners and making sure the outcomes achieved match your expectations. Along with the team's capability to deliver the work, look for organisations that share your values and actively demonstrate them in their practice. This can be done by reviewing material from the company, but it should also be validated by asking people in the industry about their experiences and gauging the reputation of both the firm and the individuals delivering the work.
About the Author
Marco Cantarella is one of the co-founders and Commercial Director at Tanto Security. He has worked in cyber security for over 10 years on the operations and commercial side of penetration tests, compliance, incident response and red teaming. You can connect with him on LinkedIn or get in touch at email@example.com or 1300 182 686.