Audit and security partnership produces big business gains

Audit and security teams may not always see eye to eye, but expert Ed Moyle reveals how they can benefit from a partnership.

Information security and audit professionals have historically had a complex relationship. The authors of "The Relationship between Internal Audit and Information Security: An Exploratory Investigation" suggest that the relationship should be "synergistic," and that " … the information security staff designs, implements and operates various procedures and technologies … and [an] internal audit provides periodic feedback concerning [the] effectiveness of those activities along with suggestions for improvement."

This may work in theory, but most of us know that this is an idealized scenario. Audit and security are very different disciplines, so it goes without saying that their focus and priorities are different.

For example, security professionals sometimes get frustrated when a focus on regulatory compliance appears to come at the expense of technical concerns, such as when a compliance-driven budgetary request trumps one with significant risk-mitigation value. Likewise, technology auditors and compliance professionals can get frustrated with the seemingly endless technical issues du jour. It's particularly frustrating for them when these concerns take precedence over the blocking and tackling that comes with mitigating regulatory noncompliance.

Information security and technology audit concerns do intersect, but this doesn't mean the two departments will always see eye to eye. Like other business areas, their relationship needs to be cultivated to ensure that these two stakeholder groups are working together.

Recent changes to the way that security is discussed throughout the enterprise provide potential avenues to a better partnership. Security has become integral to business processes, and the trend is an opportunity for technology audit and technical security teams to more closely align.

A business problem, not a tech one

One of the changes in the security space is businesses' increased cybersecurity awareness and associated technology spending. Gartner has predicted, for example, that by 2017 the average firm's chief marketing officer will outspend the CIO on technology investment. This means that organizational leaders outside of the IT department have an increased stake in technology-related decisions and technology use.

Cybersecurity can affect an organization's brand, reputation and customer confidence, and is no longer solely an IT issue. Security teams are becoming more business-aware and business teams are becoming more security-aware. Internal auditors now need to be technically savvy, and pay attention to mobile technology, cloud computing and social media use throughout the company.

As these trends continue, it's a great time for technology audit teams and security to better align. In many cases, security teams have less visibility into what the business teams actually do than their audit counterparts. The audit teams' role requires members to understand the detailed nuances of a business' activities, in some cases better than the business teams in question.

From a security point of view, leveraging the business knowledge of their audit counterparts can have immediate value. Conversely, it can be challenging for the technology audit teams to maintain a skill base in every new technology that comes down the pike. By using the technical domain expertise of specialized security resources to their advantage, auditors can not only better evaluate specific risk areas, but also be seen as problem solvers by the business. It's a win-win for auditors and security.

Framework alignment

In addition to the business' increased role in technology decisions, another opportunity for better partnership between security and audit teams relates to newly published cybersecurity frameworks and guidance. This includes the NIST Cybersecurity Framework, and in particular the recently published Framework for Improving Critical Infrastructure Cybersecurity.

This document provides an actionable framework to assist organizations as they develop and implement their security programs. The guidance itself has a number of useful elements, but one area of note is within the "Informative References" section of the "Framework Core" (found in Appendix A). These "informative references" include ISO/IEC 27001:2013 and ISACA's COBIT 5, two documents that are often used by the audit community.

From a practical point of view, using the NIST Cybersecurity Framework as part of your security program brings with it references to two of the technology audit community's foundational documents. This means that organizations leveraging that NIST guidance already have audit and security stakeholders speaking the same language. This potentially forms the foundation for a better, or at least more collaborative, relationship between these two groups.

There's no shortage of possible ways that audit and security teams can work together for mutual benefit. But with information security in a period of transition in many organizations, now might be a good time to start cementing relationships between these two departments to benefit both their missions.

About the author:
Ed Moyle is director of emerging business and technology at ISACA. He previously worked as a senior security strategist at Savvis and a senior manager at CTG. Before that, he served as a vice president and information security officer at Merrill Lynch Investment Managers.

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

How does your organization align audit and security processes to provide strategic gains for both departments and the business as a whole?
Once the audit & security teams set their objective consciously in the best interest of the organisation, they fall in the same line. Traditional security is anarchic in today's context unless carefully designed & managed with every major technological change. In corporate, the changes go in cycles. Once heavily invested in, systems have to be run for a decade to surpass their calculated ROI. Hence managing the legacies & spotting issues has become more of an auditor's job, where security consultant engagements are a rare equation. My organisation does a balancing act, focusing on synergizing the security & audit efforts as a maker/checker on the business-critical & compliance-critical systems.