13 Mar 2007

Temet Nosce and the quest to put auditors where they belong

"γνῶθι σεαυτόν" "Know Thyself". As Neo found out when he went to visit the Oracle.

In an industry where "proactive" is the biggest buzzword it seems to me that we in the Information Security field are not doing so well.

From observations in the industry I have noticed a trend to allow Auditors to dictate what needs to be done (and in turn - point out what is not being done). In some companies what the auditors say should be done is all that gets done.

This is very different to how the Accounting profession works. The books get drawn up, approved by management and then only do the Auditors come through and approve them. Note the difference - here the Accountants decide what and how things should be done and the auditors just see if they are done. And management is involved.

It may be that management sees us as IT "guys". They may not think of us very highly and they may believe that the Auditors are great and all knowing. In my experience the auditors have come across as being very knowledgeable (even though I have had some good laughs at some audit findings). They usually arrive with ties and jackets and shiny shoes. And checklists and boring looking software. And they are backed by international auditing firms that have Ways Of Doing Things.

Us guys are lumped with IT. We are told what the auditors found wrong and told to fix it - that is how IT works. This is what needs to change.

Even many people involved in Information Security over emphasize the importance of Auditors. Here in South Africa and (it seems - abroad). I've noticed a number of American bloggers trying to push Information Security as a goal and compliance as a result. This fits into the same concept.

We need to be proactive and tell Auditors: this is what we do, this why. And slowly change perceptions and become guides to our organisations.

But first, we have to understand who we are and know what we do.

Temet Nosce.

"γνῶθι σεαυτόν" "Know Thyself". As Neo found out when he went to visit the Oracle.

In an industry where "proactive" is the biggest buzzword it seems to me that we in the Information Security field are not doing so well.

From observations in the industry I have noticed a trend to allow Auditors to dictate what needs to be done (and in turn - point out what is not being done). In some companies what the auditors say should be done is all that gets done.

This is very different to how the Accounting profession works. The books get drawn up, approved by management and then only do the Auditors come through and approve them. Note the difference - here the Accountants decide what and how things should be done and the auditors just see if they are done. And management is involved.

It may be that management sees us as IT "guys". They may not think of us very highly and they may believe that the Auditors are great and all knowing. In my experience the auditors have come across as being very knowledgeable (even though I have had some good laughs at some audit findings). They usually arrive with ties and jackets and shiny shoes. And checklists and boring looking software. And they are backed by international auditing firms that have Ways Of Doing Things.

Us guys are lumped with IT. We are told what the auditors found wrong and told to fix it - that is how IT works. This is what needs to change.

Even many people involved in Information Security over emphasize the importance of Auditors. Here in South Africa and (it seems - abroad). I've noticed a number of American bloggers trying to push Information Security as a goal and compliance as a result. This fits into the same concept.

We need to be proactive and tell Auditors: this is what we do, this why. And slowly change perceptions and become guides to our organisations.

But first, we have to understand who we are and know what we do.

Temet Nosce.