Security and Audit – BFFLs? Maybe not, but…

…we may have lots of reasons to work together more closely.

Maybe it is just the luck of the draw that at almost every employer for the last 15 years I have been the one to manage our audit relationships, but I suspect my good fortune is not entirely accidental. More likely, my managers listen to me prattle on about the benefits of working closely with auditors: enhancing security controls and operational processes, and having an advocate who can potentially bypass recalcitrant management to promote change. They then decide that if I am such a big fan of auditors, I should be glad to take a strong dose of my own medicine.

My security and compliance colleagues need not worry (or celebrate) that I have decided to pursue a new career path mastering the COBIT framework and bringing famine and pestilence to security administrators. Rather, my appreciation for our audit comrades was reinforced by my attendance at the IT Audit and Controls Conference in Cambridge, MA last week. I presented a case study about an access control and review solution I had designed and implemented at a previous employer. Since auditors are rarely the ones who implement solutions, I positioned mine as a proposal that I hoped would pass muster as an effective control once subjected to their collective steely gaze.

  1. Darian Dunn CISA, CI Nov 21, 2008 at 1:58 pm

    I have been on both sides of the equation. I have a CISA and a CISSP. I started life on the IT Security side and then went to work for the big4.

    I always thought that this was a well understood principle, but as I look for a new position, I find that this idea of Auditor and IT Security being friendly is not well understood.

    Organizations that worked with me when I was auditing them benefitted from the relationship. I was able to point out the areas that they knew needed fixing and didn't have the budget to fix.

    The groups that tried to keep me at arm's length were looked at with a magnifying glass, because we assumed that they MUST be hiding something large, or they don't know their environment, or sometimes both.

    Auditors being auditors and IT Security/Engineers being what they are, I suggest finding someone with both skills to sit in between and manage the relationship, find data, and get the auditors what they need and on their way. It saves money and can turn a bad audit finding into something more useful.

  2. Pat Foley Nov 25, 2008 at 1:54 pm

    Thanks for your comments, Darian. I actually do play that "sit in between" role now, and the collaboration has paid huge dividends, though I'm not sure the détente will survive the current economic upheaval as our company cuts costs.
