Infosec 2013: External auditors attacked as threat to information security

At Infosecurity 2013, external auditors were described as a threat to information security, ignorant of business strategies and only after the money.

Paul Simmonds, on the board of management at the Jericho Forum and formerly a CISO at Astra Zeneca, argued that external auditors caused problems for CISOs when it came to delivering a good security strategy for their businesses.

He said that, as well as charging exorbitant fees, external auditors' motivation wasn't to validate well-aligned strategies, but was more about making as much money as possible for the partner they worked for.

"That's how they get bonuses. It's for billable hours," stated Simmonds. "And it's a pyramid scheme. Every drone doing the audit makes money for their next level of manager, who makes their manager money.

"Ultimately the partner is up there making big bucks. That's how audit firms work. They make more money by charging you an exorbitant day rate for their audit fee, and send you fresh faced kids out of college with a pen and a checklist."

He said that auditors wouldn't understand a CISO's business strategy, because it wasn't in their interests.

"The auditor's interest is to train the fresh behind the ears drone, out of university, in how they do audits. It's a standard checklist that has no relevance whatsoever to your business.

"It's what's flavour of the month in the press, or what has actually been around since the 90s, simply regurgitated every time they do an audit."

He went on to say that auditors 'are incentivised to find as many issues as possible with your company, irrespective of what the risk behind those issues is'. "They want to sell you more expensive consultancy, and upsell you to fix these problems which have magically come up," he said.

He went on to say that auditors were not incentivised to give praise to businesses that were doing a good job, leading to irrelevant audits and to the loss of despondent staff who were angry with the company.