While we must never allow ourselves to fall into the habit of thinking that security is somebody else's problem, the time has come to accept that external help is required. We accept the necessity of outside help in many other areas of business. Yet even when IT security audits are offered at no cost, companies are still …
The problem with free external security audits...
...is that someone ends up paying for them.
Usually, the auditor in question is employed by a company that is trying to sell you something. Guess what said auditor's recommendations will entail...
Whilst your point about no-one being a master of all skills is well made, it is important to get an objective and unbiased view from any audit. I've yet to see that from a free audit.
You're right, of course.
But the advantage is, if the audit is comprehensive (big IF), you can take the recommendations to your favorite vendor (beware if this vendor is responsible for the holes found).
The free audits in question were from the ICO in the UK. My understanding is that these were paid for essentially by the taxpayer and were not "free audits" from some security company.
I believe there is a significant difference there. The ICO has some stake in ensuring that companies are indeed compliant. There isn't a conflict of interest to be worried about there; the more companies can prove compliance, the less work the ICO has to do, and the more likely consumers are to be protected. Win/win/win. Unless the business has something (shoddy security/accounting/whatever practices?) that they don't particularly want examined.
> The free audits in question were from the ICO in the UK.
That'll be the ICO which has *such* a great reputation for safeguarding our data and privacy for these past few years...
"Yet even when IT security audits are offered at no cost..."
In my experience, "at no cost" usually means "for an ulterior motive", such as a government agency offering "free" audits to companies they have or want regulatory power over or a security firm offering "free" audits to companies they want to sell security products to.
So I would be less likely to accept a "free" audit than one I pay for -- and can hold accountable for using certified, seasoned professionals to do the work, as you mentioned.
I met a security auditor once...
A few years back we had a shiny third-party network security firm in to do an audit, reviewing all our IOS configs, and whilst they found a few interesting things, the main conclusion was that we should immediately and very specifically hire **them** to take over all our network management forever more.
Funnily enough, we declined to pay for the audit...
Third-party auditing
The people who audit your systems should be just that - auditors. They should have no interest in what particular tools you use to improve the situation, just that you do fix things.
What do you think would happen if you asked a builder to look over your house and give his opinion as to whether anything needs fixing?
And the best audits will be against clear standards. And the auditors come back and check again later.
Disclaimer: I've had no trouble with people offering free audits, but I have lots of experience of UKAS checking us against ISO 17025 and seeing the sums charged.
No such thing
...as a free lunch or a free audit. And what about the weenie problem of internal security problems (80%, isn't it)? Duh.