IT Admin vs. IT Auditor

IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.

The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.

Goals

I noticed this statement in Derek Melber’s WindowsSecurity.com article:

“The admin’s goal is not to secure, rather to ensure things are available. The auditors are not designed to ensure things are available, rather they are ensuring that the settings are secure, in case of an attack.”

While I agree that admins tend to lean toward availability rather than security, admins DO care about security; likewise, auditors like to see things as tight as possible, but no decent auditor recommends overly tight security at the expense of the business (I said decent auditor).

Think about it this way:

  • An IT admin can’t have availability without security. If an unauthorized user is accidentally granted admin access to a system, that user can alter the data, which would make the original data unavailable. Also, if security vulnerabilities exist, a hacker can take the system down.

I think most admins simply have too much to do, so they put the must-do tasks for the business ahead of the should-do tasks of security, which is understandable, but short-sighted.

  • An IT auditor can’t have security without availability. If the security is so tight that it hampers the business, the auditor is shooting holes in his own feet and all the other wingtips and high heels in the company.

I think many auditors are overzealous, and too many are also too lazy to determine the real risk, impact, and likelihood of issues they find. And they also have managers breathing down their necks to wrap up the audit and move on.

Work Together

Melber also says that

“The moral to the analogy above is that everyone should be doing their own job well, plus understanding the role of the other teammates.”

I agree with that, but I would phrase it this way: everyone needs to understand that they all have the same job: to allow the business to create its products and services in the most efficient manner and meet its goals. To do that, among other things, you have to have availability and security.

And as Melber notes, IT admins and IT auditors should NOT give each other a hard time, but help the other do their job, even when the other makes mistakes or lacks the knowledge to ask for what they need with precision.

If they waste each other’s time, they are wasting company and customer money, as well as their own.

Filed under Audit, Security

2 Responses to IT Admin vs. IT Auditor

  1. I wouldn’t say IT Auditor’s job is to keep things secure as much as keep up with compliance. Yes, there is an overlap, but there are areas in which they are vastly different. From an auditor’s perspective, certain risks can never be mitigated except with the use of specific technology that may severely impair the business bottom line.

    • Hi Alex,
      I have never liked the word ‘compliance’. It makes me think of auditors who come in with a checklist that may or may not fit your company, department, process, or risk tolerance and demand changes. You might not have been referring to that, but your comment made me wonder.

      I don’t think you can talk about risk without addressing security. And the areas the auditor and admin play in are different, but they all roll up to the same purpose: provide service & products and make money for the company.

      I would argue that the CFO, janitor, and marketing director have the same responsibility for security and availability that the admin does, but at a different level. The former 3 should not do anything, stupid or otherwise, that would impact security or availability, but they could. They could leave a back door open to allow unauthorized (auditors love that word) physical access to the building or open an infected attachment.

      If I missed your point, please expand it. Thanks.
