There's no smiling in audit
Sat, 2008-06-07 20:33

I doubt that there has ever been a job considered as dull, boring, or monotonous as that of the auditor. There is no mystery, excitement, or wonder in auditing. Most of all, there is no smiling in audit. …or is there…

Under the subtle blue suit and understated tie, the stodgy fellow in the corner fervently clicks away on his keyboard. Barely looking up as he sips his lukewarm coffee, this auditor, we’ll call him Oliver, appears to be as much fun as a root canal. As far as we know, Oliver has sold his soul to the gods of Excel, and is buried 600 rows deep in some sort of spreadsheet.

As far as we know…

Just like Clark Kent and Bruce Wayne, Oliver has a secret. No, Oliver doesn’t wear tights and a cape. Or at least if he does, we really don’t want to know about it. I don’t proclaim that Oliver has some super power. I mean, seriously, what would it be: the ability to memorize the NIST 800 series in a single reading? Imagine the motto: “Accurate to 5 decimal places, creates a pivot table in one click. It’s a nerd, it’s a plane, it’s Audit Man!” No, Oliver has a different kind of secret. He loves his job.

He doesn’t love it in that creepy, brown-nosing, Lumbergh sort of way. Oliver likes his job in that Keanu Reeves – Matrix – super geek kind of way. You see, Oliver is a very …special… kind of auditor. He doesn’t care if your balance sheet has more holes than OJ’s alibi. Oliver is an information system auditor; he cares about encrypted protocols, access controls, and …dare I say it… hacking. Yes, Oliver is a hacker, a white hat hacker, but a hacker nonetheless. I realize that there is a stigma associated with the word “hacker”, so in polite circles we use the term “penetration tester”.

In Oliver’s mind, auditing is like a game of chess. It’s him against you. Who has the better skills: Oliver or the guy securing the system? For Oliver, there are two critical questions, questions that drive his every keystroke. First, what do you have that I (as a bad guy) would want? Second, how can I get it from you? Granted, Oliver’s process is standards-based, but after you boil away the bureaucracy, the various standards, and other clutter, these questions are at the heart of what drives Oliver.

There’s no smiling in audit? I guess that really depends on whether you are Oliver or the guy or gal on the other side of the table.

Reader Feedback
Mon, 2008-06-09 13:56
Yes, but

Isn't this exactly what most employees are thinking about the security guy?! Boring, rule-driven? And yet we insiders know security is an endlessly rich and fascinating field....

Wed, 2008-06-11 19:37
Very Good
By Duane

I worked for an organization that once a year hired an auditor to come in and review system processes. One part regulatory requirement, one part making sure we were following our own policies and rules.

In the 3 years I chaired the annual audit we made corrections as the business changed and found ways to PREVENT errors and implement industry best practices.

The process was not very penalizing and was very enlightening. I do miss that regular review, but I guess it's how you look at things.
