In part 3 of this series, I discussed the value of involving the Enterprise Architect (or equivalent) in your scheme … er … plans… to communicate the value of Information Security to the rest of the business. This week, I’d like to talk about an ally that many people resist, and tell you why you should embrace them.
That person is the Internal Auditor. I’ve been certified as an IT auditor (I’m a CISA), and I can tell you: Internal Audit is on your side. Sure, they may make you feel uncomfortable, but they are doing it for good reasons. You see, Internal Auditors exist to ensure that you are doing “responsible” things to protect the business from harm. If you take a step back out of the emotional reactions to Internal Audit, it’s easy to see that Information Security managers have a lot in common with Internal Audit.
One of the biggest “superpowers” that is driven into auditors during their training is to start from the perspective of risk to the business. This “risk bias” makes internal auditors another useful ally in your battle for relevance. You see, internal auditors really understand the value of IT security controls and how they relate to control objectives.
Much like last week’s discussion about Enterprise Architects, you can rely on auditors to test your assumptions and insist that you prove how your activities connect and add value to the concerns they have.
A lot of times, as information security practitioners, we focus on the “ideal” security controls and get frustrated when people go around our processes. Internal audit understands this, and can help you vet your processes and controls and implement measures to ensure that they are not only in place, but also efficient and effective (those last two terms are very important to auditors, by the way).
Another thing internal audit can help you with is air cover – also known as “Tone at the Top” – by helping create accountability through other executives in the company. They can get executives to agree on the importance of specific controls and metrics, so engage with them to get your vital controls on the list they are championing. Closely related to that, if they agree with you that certain controls are ineffective and require additional investment to better protect the business from specific risks, they can help you make your case and get the funding you need.
What about you – have you successfully engaged with Internal Audit and come out better because of it? If so, I’d like to know. And, if your experience wasn’t a good one, I’d like to know that, too.
And stay tuned for more in this series – I will probably fall out of the weekly installments on this topic, but I’m not done yet.