The business school always seemed more hip to me, though I never missed the chance to poke fun at what I thought was a far worse major -- accounting. No matter how many weekends I spent in a lab cluttered with hardware and empty pizza boxes, I was always grateful I'd never be a bean counter. How times change.
Now I look at bean counters with envy. Yes, even in a world where Enron dominates the headlines and shredders are referred to as Andersenizers, facets of the accounting industry appeal to me. The infosec arena can't hold a candle to the accounting industry's acceptance and maturity.
As a security practitioner, it's hard not to be jaded. Ask any information security veteran about his or her efforts, and you'll likely get your ear chewed off on topics like "lack of upper management buy-in," "ignorance among IT staff," "refusal to admit problems," "vendor stupidity," "having your hands tied behind your back" and, dare I say it, "information anarchy." Truth be told, it's hard to succeed when you're working the information security beat in a large enterprise environment. The system and networking folks view security as a time-consuming but annoying task. Helpdesk folks hate hurdles, and users don't like restrictions. Then you have internal legal teams. If you're lucky, there's a technology-savvy lawyer in-house, but a lawyer who can keep up with our rapidly evolving cyber laws is rare.
Unfortunately, the real PITA (pain in the ass) is usually upper-level management. That's where the accounting industry has security beat hands-down. Both business executives and board members understand financial audits. They understand the need for outside reviews. They understand separation of duties, checks and balances, and control -- when they concern accounting. But they approach information security with a different attitude -- if they approach it at all.
Somehow information security efforts are supposed to succeed with limited outside help. Information security efforts are supposed to be effective though they're often implemented within only one organizational unit. And information security efforts are supposed to be executed efficiently with no involvement from upper management. There are no controls, no separation of duties and no budgets to ensure that the risks surrounding the company's electronic assets are being managed. Nobody questions IT's value in modern business, but the concept of audit is magically exempt from the model.
As a consultant, I've seen the organizational models of many information security efforts, and I've been shaken. Few information security efforts exist outside of IT, and fewer still pair an IT component with a technical audit component that sits outside of IT. Information security is still seen as an IT issue, much like Unix or network administration.
In Ernst & Young's 2002 information security survey, you'll find a list of questions regarding information "security governance." Perhaps the most noteworthy part of this list is not its content but its designated audience: the board of directors. These questions should be answered at the "boardroom level." No surprise that an accounting firm sees a parallel between financial audit and security audit.
It took President Franklin D. Roosevelt and the Great Depression to get the SEC and strong financial audit controls jump-started. What will it take to get our industry going? Maybe a renewed interest in strong audit practices and controls in the accounting world will spill over into information security. Or maybe tactical security efforts will finally receive the strategic reinforcements they need. Until then, practitioners should keep their heads up and their minds limber, continue doing their best with the ridiculously limited tools they have... and keep hoping.
Send your comments on this column to Greg Shipley at gshipley@neohapsis.com.