IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.
The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.
I noticed this statement in Derek Melber’s WindowsSecurity.com article:
“The admin’s goal is not to secure, rather to ensure things are available. The auditors are not designed to ensure things are available, rather they are ensuring that the settings are secure, in case of an attack.”
While I agree that admins tend to lean toward availability rather than security, admins DO care about security; likewise, auditors like to see things as tight as possible, but no decent auditor recommends overly tight security at the expense of the business (I said decent auditor).
Think about it this way:
- An IT admin can’t have availability without security. If an unauthorized user is accidentally granted admin access to a system, that user can alter the data, which would make the original data unavailable. Also, if security vulnerabilities exist, a hacker can take the system down.
I think most admins simply have too much to do, so they put the must-do tasks for the business ahead of the should-do tasks of security, which is understandable, but short-sighted.
- An IT auditor can’t have security without availability. If the security is so tight that it hampers the business, the auditor is shooting holes in his own feet and all the other wingtips and high heels in the company.
I think many auditors are overzealous, and too many are also too lazy to determine the real risk, impact, and likelihood of issues they find. And they also have managers breathing down their necks to wrap up the audit and move on.
Melber also says that
“The moral to the analogy above is that everyone should be doing their own job well, plus understanding the role of the other teammates.”
I agree with that, but I would phrase it this way: everyone needs to understand that they all have the same job: to allow the business to create its products and services in the most efficient manner and meet its goals. To do that, among other things, you have to have availability and security.
And as Melber notes, IT admins and IT auditors should NOT give each other a hard time, but help the other do their job, even when the other makes mistakes or lacks the knowledge to ask for what they need with precision.
If they waste each other’s time, they are wasting company and customer money, as well as their own.