Befriend Your Auditors
Through my 20+ years I've learned a ton from the various auditors I've worked with in my various shops. Early on in my learning they were a major inspiration for how to not only make a program compliant (to meet specs like PCI, SOC1, SOC2, etc.) but also to implement, or plan for the implementation of, security controls that would further reduce risk.
Here are a couple (of the many) tips that I've used to build and maintain strong relationships with my auditors.
- Communicate frequently. I would reach out before the audit, make sure I was available and following up during the audit, and communicate with them after the audit until we had the report or other deliverable items.
- Make their job easy. I remember the first SOC1 audit I sat in on. The auditor and I both showed up on a cold November Monday (it was my first day). She asked people a bunch of questions and then we built the discussion schedule with the various control owners. From that point on I always had the meetings set up in advance, documentation ready to go (and quality controlled), and anything else that made their visit easier.
There is one auditor friend I talk to from time to time, and he still brings up that he wishes he could audit my environment, since it would be pretty easy for him. I guess some companies just don't understand what is needed or are too busy to do it.
Reach out if you'd like to discuss how to reduce your audit overhead.