I've been with the company a little over a month and a half. I've run numerous gap analyses, and I know where we are deficient. And some of it is not good. I've compared ourselves to the SANS Top 20, and again, it's not good. Management wanted an internal pentest, to get a feel for the security posture. We in IT wanted a good boutique pentesting company, but we were told to use the company that already audits the finance department. Fortunately, these guys were good.
We failed the pentest, miserably. Most of my guesses as to how it would happen came to pass. And I'm ok with that. Heck, they had domain admin in about a day. There were some good surprises, and there were some good wins. I'm good with it, as it confirmed most of what I have been raising to management for the past year. The hope is that management will open their eyes and start making changes.
So mentally, I've put a stake in the ground. I want to see how long it takes for any real change to take place. I'm waiting to see when management starts mandating change in the form of implementation of controls in order to raise the security posture of the company. Or is management just checking a box that an audit was performed?
I'll update as controls start being implemented.
P.S.: I have to say, as a former auditor, it was interesting to experience the audit from the other side of the fence. I was able to understand what the auditors were looking for and better able to answer their questions since I had been in their shoes.