Say the word auditor at any gathering of information security folks, and you can almost feel the hackles rise.
Chief information security officers (CISOs) and internal auditors, by definition of their roles, are typically not the best of friends. The CISO implements the policies and controls that ensure the organization meets its security compliance requirements. The internal audit process validates that the controls are appropriate and perform accordingly. And the reality is, the information security audit will always come up short.
"You can't be 100% good; it defies the purpose of the activities of the auditor," said Charles Kolodgy, research director of Framingham, Mass.-based IDC's security products service.
Yet, the CISO's traditional adversary can be an effective deputy. And the symbiosis has another dimension now: Security and auditing experts reveal that fighting the bad guys is no longer enough for either profession. In a corporate environment where managing risk has supplanted reflexively obeying the latest security or auditing rule, the CISO and the auditor increasingly need each other to understand the full scope of vulnerabilities facing their organizations.
"If I could do a story myself on the five best secrets of security professionals, No. 1 would be how to leverage the audit organization," said Candy Alexander, a CISO at a federal government supplier and former board member and vice president of education of the Information Systems Security Association (ISSA).
"So many times, we in security are pounded down and brushed off when we try to talk with the business and tell them if we don't do something we will get an audit finding. Then when they get the audit finding, they listen," Alexander said. "Leveraging an internal audit is a message that needs to be put out there."
Setting the tone, steering to problem spots
Alexander said that when an audit firm comes in for an engagement, she uses the initial sit-down meeting that defines the scope of the internal audit process "to set the tone." Sometimes direct, at times coy, she steers them to areas where security could use an assist.
The audit findings can be "leveraged back to the business," to get funding or a fix. "At the end of the day, businesses do not throw money at something unless there is a business risk. It is a business risk when you don't reach a satisfactory audit finding," Alexander said.
CISOs vs. auditors
Here are some tips on negotiating the sometimes contentious relationship between security officers and internal auditors, and how both parties can use the other to their advantage:
- Leverage the internal audit process.
- Remember that business always pays attention to an unsatisfactory audit because it is a business risk, leading in turn to a fix or funding.
- Know that auditors and CISOs need to better understand risk management.
- Realize that the days of authoritative information security and audit are numbered.
- Beware of external auditors.
Chief information security officers tend to regard auditors as pencil pushers, armed with a checklist for what is only a small piece of an information security program, management expert Eric Holmquist said. Instead of bristling over the auditor's narrow focus, CISOs should view the auditor as "another set of eyes."
"The CISO cannot be in all places at once," said Holmquist, a former director of operational risk management at Advanta Bank Corp. "When I was CISO at the bank, I looked to the auditor department to be my watchdog, patrolling the hallways and asking the hard questions. 'Are you in fact managing these controls?'"
If the controls are not being managed, it is the auditor's job to lower the boom. "In that sense, I don't have to be the bad guy. And believe me, they love the power, and they love to tick and tie. Let them focus on the strength of the controls," Holmquist said.
Leverage is a two-way street, Alexander said. Internal auditors are your partners. "When you are going off to a session and seminars, drag them along," she said, plugging an annual joint event put on by her local ISSA chapter in Boston and the Information Systems Audit and Control Association (ISACA) that is intended to get auditors and information security "on the same page."
Learn about risk management
Research analyst Ted Ritter said leveraging the internal audit process may be a CISO's only recourse these days. "In this economy, people are not spending on security, unless there is some kind of compliant fault that they have to fix," said Ritter, who covers security at Mokena, Ill.-based The Nemertes Research Group Inc. He relayed a recent interview with a midmarket CISO whose budget was at the mercy of the compliance and audit function.
"If the auditor didn't sign off on something security wanted to do, it was not going to happen. Basically, what this CISO did was make everything security was doing look like a compliance requirement," Ritter said.
IDC's Kolodgy said that while CISOs may well be able to leverage an audit finding for more funding, it does not make sense to go after each and every compliance finding as a funding issue.
"A deficiency for a specific requirement can be used and is used to get that requirement buttoned up, but the security infrastructure needs to be of a much wider range. My position is that regulatory compliance should be treated as a vulnerability within your risk management program, as something you mitigate with security policy," Kolodgy said.
The fact is, both auditors and information security officers need to better understand risk management, said auditor John P. Pironti, a certified information systems auditor and member of a certification board of ISACA.
"For the past couple of years, auditors have enjoyed a lot of empowerment, based on Sarbanes-Oxley and other financial compliance requirements. They were asked to help solve a number of interesting challenges," said Pironti, president of IP Architects LLC, a management consultancy, and former chief information risk strategist at IT outsourcing firm CompuCom Systems Inc. Many internal audit departments operated in a hybrid model, offering consultative services to the business as well as information security on how to meet new compliance requirements.
As compliance challenges such as the Sarbanes-Oxley Act become more commoditized and take on a more "business-as-usual quality," auditing has been forced back into its more traditional, hands-off and limited role, Pironti said.
"Internal audit was in a mode where we had all this power and now the power is starting to be taken away from us, and we don't like that," Pironti said, adding that while information security has more power than audit in the current threat-riddled environment, "security guys are in the same boat."
"They're not invited to the boardroom. Most are reporting to the CIO or the legal office, not at the level where they are given true knowledge or insight into the business," he said.
Pironti said it behooves both groups to take a business-aligned approach to compliance and security, as the days of "authoritative security and audit" are numbered.
"Both auditors and security are victims of looking at finite details and not focusing on protection of the data. Security guys talk about threats, not risks. And a lot of security organizations do not have a proactive and consistent way to look at threat vulnerability. Audit can help there, because audit is good at applying consistent methodology to findings and activities," Pironti said.
Holmquist said his former bank was able to foster a risk-based approach to compliance and security by forming an information security council and inviting audit to the table, along with representatives from legal, compliance and the business.
Beware fighting fire with fire
A word to the wise CISO: Alexander has leveraged both internal and external auditors to get results. But external auditors must be handled with caution, she said. Internal auditors are partners; they are part of your security lifecycle management. Steering an external auditor to a problem, she said, is like playing Russian roulette or fighting fire with fire.
"When you bring in an external auditor, you really have to understand the whole engagement. You have to do an impact analysis on how dangerous is it for this organization to have a negative audit report. That means you need to know your organization inside out, so if you send that auditor down a rabbit hole they either will only go so far, or if they do go all the way down, it will be OK, because everything else is clean.
"You have to be confident you're not going to burn yourself," she said. "I know a lot of people who thought they were playing that game very wisely and they burnt themselves quite badly."
Let us know what you think about the story; email: Linda Tucci, Senior News Writer.