Last week, I was invited to participate in a Big Debate Keynote Panel at InfoSecurity Europe. Prior to the event, the Information Security community was given the opportunity to vote for the topic of debate and unanimously chose the topic, “The auditor is a bigger challenge to information security than the cybercriminal”.
Paul Simmonds was my opposing panelist on this big debate, speaking for the motion “Is the auditor a bigger threat to information security than the cybercriminal”, whilst I was speaking against this motion, as personally I do not believe in this point of view. I did not hold this point of view from the beginning of my career; it has changed based on my personal interactions with auditors over the years.
My first encounter with auditors was during the initial years of my career, when the department I worked in was chosen for an audit. That was at a time in my career when I used to look up to my seniors to learn about management style and leadership. I followed the lead of management team members who, unfortunately, were panicking. I was invited to a planning meeting where the key discussion points were:
- How we should plan for this audit,
- Defining guidance for team members (a script or cheat sheet), basically explaining what they could and could not discuss,
- Which process and procedure documents needed to be created, and assigning ownership of writing those documents to team members.
Have you ever had that uncomfortable feeling when you are doing something wrong, like telling your wife that you are stuck in a very important meeting when you are actually having a beer in the pub with your mates? I had the same uncomfortable feeling, but I simply got on with it, trusting the lead of my seniors. My initial experiences built a negative image of auditors in my mind. I used to think of them as a group of people making us do more work and derailing us from our normal course. When I reflect back and think about the standard practices followed by departments when it comes to audit, it builds a picture of brushing things under the carpet in order to create a false sense of compliance. Note: I am not talking about a false sense of security, but a false sense of compliance.
When I had my first leadership role, I was drawing up a key stakeholder map, and two obvious boxes were Director: Internal Audit and Partner: External Audit. Once I met with both the Director: IT Audit and the Partner: External Audit, I realised that they were easy individuals to deal with, and we got along well in our first meetings. But I had my guard up and did not open up much, as I was in a new organisation, in a new role, and had pre-conceived notions about auditors from my past experiences.
However, one thing that became very clear after those conversations was that they had thoughts similar to mine:
- How to add value to the organisation’s strategic business objectives,
- How to safeguard the company’s interests,
- How to deliver maximum benefit to the organisation.
My increased interaction with audit made me realise that my function and the audit function are on the same side, i.e. the organisation’s side. Both functions are about protecting shareholders’ interests, employees’ interests and customers’ interests. In a nutshell, safeguarding and protecting our organisation.
WE ARE ON THE SAME SIDE.
Whereas, when I look at cybercriminals and adversaries, we are on completely opposite sides. Their only objective is to negate my objectives; they are about undermining what we are trying to protect. I would rather have an auditor come and tell me that we have issues and deficiencies in our environment than have a cybercriminal breach my environment and learn that way.
MY CHILD AND HIS TEACHER
As a parent, I keep in regular touch with my son’s form teacher to track his progress and performance. Imagine that you are speaking to the form teacher of your child at school, discussing the progress of your child, and he/she is raising concerns regarding your child’s progress. What will you do in that situation?
- Will you become defensive about your child and disagree with the comments?
- Will you take that feedback on board?
- Will you have a candid conversation discussing similar issues you might be observing?
- Will you challenge the feedback and ask for more information if you don’t believe those comments?
Is it going to help me and my child if I ignore that feedback? Definitely not! Most parents, including myself, listen to such feedback patiently, take it on board and discuss options to improve the child’s performance. You know why? Because we TRUST them and work in partnership with them in the interest of our child. I apply the same analogy to the relationship between the Security and Audit functions.
IT’S ALL ABOUT PERCEPTION AND MANAGING RELATIONSHIPS
Our child is nothing but the Information Security Program and Security Posture of the organisation. We need to build TRUST with auditors and work in PARTNERSHIP with them (just like with the teachers of our child) to improve the security posture of the organisation. The problem is not the auditor, but the perception of the auditor and the way relationships are managed between Security and Audit. During the later parts of my career, I have managed various audits and had great interactions with Internal Audit, External Audit, Regulators and also Customer Audit teams. My honest opinion is that continuous monitoring of controls is an integral component of effective management oversight to manage risks and safeguard the organisation’s interests. Effective monitoring of information security controls can improve the effectiveness of an organisation’s information security program; the audit function plays a key supplementary role in achieving that objective and provides independent assurance.
Working in partnership with auditors can go a long way and, if managed effectively, can help in improving the security posture of the organisation.
Last week, InfoSecurity Magazine published an article, “InfoSecurity Europe 2013: Is the auditor friend or foe?”, covering this big debate.