The Security Auditing Manifesto

Mike Privette
1 min read, Jun 14, 2021

There is a way for security and audit teams to work together with less friction, one that values reducing real risks to the business.

This will not happen by relying on audit or security frameworks alone, and it cannot succeed by making either side play guessing games.

It can only work by striving to be better partners to each other, playing to each side's strengths, and sharing values.

I propose the following core shared values:

  • Complete transparency over playing things close to the vest
  • Asking questions over being prescriptive
  • Shared understanding of risks over telling the other side what the risks should be
  • Establishing expectations upfront over making teams guess what’s important
  • Allowing operational flexibility on risk over decision by committee
  • Functioning security controls over documentation and RACI charts
  • Security outcomes and risk mitigation over strictly adhering to compliance frameworks
  • Continuous security validation over point-in-time audits.

I’d love to hear from you if you think anything is missing from this list or is worth challenging. Feel free to drop me a note. [mike@returnonsecurity.com]
