How often to audit or not to audit – and whether these audits should be conducted using internal staff or outside experts – were topics addressed in a series of questions posed to 350 IT executives and network administrators this month in a survey by Amplitude Research.
The survey respondents, representing a cross-section of all sizes of companies, reported that, as of 2009, 76% of enterprises had employed outside experts to audit network security procedures, but only 35% conduct outside audits annually. Another 27% undergo such an audit every two years, and 14% undergo such an audit every three years or less often.
Slightly less than one-fourth (24%) reported that their organization has never had a formal security audit by an outside organization. When asked why they have never had one, nearly half (47%) felt they did not need one, and one-fourth (24%) mentioned cost.
Among those reporting outside security audits, nearly three-fourths (72%) indicated that they were a worthwhile investment. Most others were neutral (23%), while a small proportion disagreed (5%).
What motivates an organization to engage outside experts to conduct a security audit? One major reason was the ability to show other parties that the company has been audited (65%).
Separate from outside audits, two-thirds (67%) of the survey respondents reported undergoing an internal security audit at least once a year. Another 17% undergo such an internal audit every two years.
Among those reporting internal security audits, close to half (46%) felt these audits resulted in identification of significant security problems. However, some felt their internal audits “don’t go far enough” (33%) and/or their organization should undergo security audits more frequently (43%).