Information security and audit professionals have historically had a complex relationship. The authors of the "The Relationship between Internal Audit and Information Security: An Exploratory Investigation" suggest that the relationship should be "synergistic," and that " … the information security staff designs, implements and operates various procedures and technologies … and [an] internal audit provides periodic feedback concerning [the] effectiveness of those activities along with suggestions for improvement."
This may work in theory, but most of us know that this is an idealized scenario. Audit and security are very different disciplines, so it goes without saying that their focus and priorities are different.
For example, sometimes security professionals get frustrated when it feels like regulatory compliance's focus comes at the detriment of technical concerns, such as when a compliance-driven budgetary request trumps one with significant risk-mitigation value. Likewise, technology auditors and compliance professionals can get frustrated with the seemingly endless technical issues du jour. It's particularly frustrating for them when these concerns take precedence over the blocking and tackling that comes with mitigating regulatory noncompliance.
More on compliance and security
Information security and technology audit concerns do intersect, but this doesn't mean the two departments will always see eye to eye. Like other business areas, their relationship needs to be cultivated to ensure that these two stakeholder groups are working together.
Recent changes to the way that security is discussed throughout the enterprise provide potential avenues to a better partnership. Security has become integral to business processes, and the trend is an opportunity for technology audit and technical security teams to more closely align.
A business problem, not a tech one
One of the changes in the security space is businesses' increased cybersecurity awareness and associated technology spending. Gartner has predicted, for example, that by 2017 the average firm's chief marketing officer in will outspend the CIO on technology investment. This means that organizational leaders outside of the IT department have an increased stake in technology-related decisions and technology use.
Cybersecurity can affect an organization's brand, reputation and customer confidence, and is no longer solely an IT issue. Security teams are becoming more business-aware and business teams are becoming more security-aware. Internal auditors now need to be technically savvy, and pay attention to mobile technology, cloud computing and social media use throughout the company.
As these trends continue, it's a great time for technology audit teams and security to better align. In many cases, security teams have less visibility into what the business teams actually do than their audit counterparts. The audit teams' role requires members to understand the detailed nuances of a business’ activities, in some cases better than the business teams in question.
From a security point of view, leveraging the business knowledge of their audit counterparts can have immediate value.
From a security point of view, leveraging the business knowledge of their audit counterparts can have immediate value. Conversely, it can be challenging for the technology audit teams to maintain a skill base in every new technology that comes down the pike. By using the technical domain expertise of specialized security resources to their advantage, auditors can not only better evaluate specific risk areas, but also be seen as problem solvers by the business. It's a win-win for auditors and security.
In addition to the business' increased role in technology decisions, another opportunity for better partnership between security and audit teams relates to newly published cybersecurity frameworks and guidance. This includes the NIST Cybersecurity Framework, and in particular the recently published Framework for Improving Critical Infrastructure Cybersecurity.
This document provides an actionable framework to assist organizations as they develop and implement their security programs. The guidance itself has a number of useful elements, but one area of note is within the "Informative References" section of the "Framework Core" (found in Appendix A). These "informative references" include ISO/IEC 27001:2013 and ISACA's COBIT 5 -- two documents that are used often by the audit community.
From a practical point of view, using the NIST Cybersecurity Framework as part of your security program brings with it references to two of the technology audit community's foundational documents. This means that organizations leveraging that NIST guidance are already having audit and security stakeholders speaking the same language. This potentially forms the foundation for a better, or at least more collaborative, relationship between these two groups.
There's no shortage of possible ways that audit and security teams can work together for mutual benefit. But with information security in a period of transition in many organizations, now might be a good time to start cementing relationships between these two departments to benefit both their missions.
About the author:
Ed Moyle is director of emerging business and technology at ISACA. He previously worked as a senior security strategist at Savvis and a senior manager at CTG. Before that, he served as a vice president and information security officer at Merrill Lynch Investment Managers.