Have you ever wondered why I selected the picture above to represent my blog?
This picture illustrates so many aspects and nuances of this blog’s theme.
Here’s your chance to put on your thinking cap, and based on what skyyler and I have written about over the years, tell me what YOU think it represents.
As the comments roll in, we’ll comment on them.
Then, after a few weeks, I’ll peel back my brain and give you a peek inside as to what my reasons were.
Not sure how many of you will take me up on the challenge, but here goes…
ITauditSecurity 
There are a few different things that jump out to me.
– The adversarial nature of audit. Though in the big picture we are on the same team, things we find can make the business look bad, or create what they see as extra work for them. Especially in the IT realm, there is also the adversarial element of the business vs risks/hackers/etc. that audit seeks to help evaluate.
– Auditing is a skill you can improve through practice and training.
– There are common patterns you can look for and apply, especially in regards to data analysis and how you perform it. In chess there are a number of well known openings or other patterns.
– In resolving an issue or opining on an area, you need to build your foundation of proof and evidence and address objections, like capturing pieces leading up to checkmate.
– There are a variety of tools and techniques you can apply separately or together, with different functions and uses; similar to the different pieces and how they move.
– You have an objective you are trying to achieve, and not all work might contribute to that goal; you are going for checkmate, you don’t need to focus on capturing all the other pieces first.
– You need to think several moves ahead and anticipate how the business might respond.
LikeLike
William,
Kudos to being the first reader to respond (you may also be the last)!
Several of your points I had not considered:
– Improving yourself through practice and training.
– Common patterns (I wasn’t do much analytics 10 years ago)
– Looking for checkmate
You are a much deeper thinker than I am.
The adversarial nature of audit to the business is definitely true, and you’re right, you really are on the same team, but it sure doesn’t seem that way. Too often, auditors overstep and take adversarial positions.
The one big difference between chess (and games in general) and auditing is that games have a winner and a loser (sometimes several losers). As you noted in your first point, we should always go for win-win.
Thanks for your comments! I thought this might be an interesting topic. I hope others dive in.
LikeLike
Just saw this again today and notice I never left a final comment.
When William posted above, he hit most of the reasons. Amazing.
A couple more reasons why I picked this pic to represent the blog…
-While William mentioned different openings and patterns can be used in chess, I was thinking a little deeper than that. Sometimes in chess, as in audit, you want to move slowly (move a pawn one square and maybe a rook, bishop or queen one square), sometimes you want to move faster (a couple squares), and sometimes you want to go all the way across the board.
-Sometimes your moves are attack and conquer, sometimes your moves are warnings, sometimes they are threats, and others outright bluffs.* Sometimes you just want to signal that YOU are watching and encourage others to stay on the straight path.
-No one mentioned the security aspect, only the audit aspect. While most of the points made about audit can be made about security, chess has direct security implications as pieces are protected by other pieces. One of the most interesting aspects about chess is that security can be accomplished by a simple pawn or one of the stronger pieces. A knight can protect in a way that is often overlooked by amateurs since the way isn’t as direct as others. Also, breaking through one defense can lead to a quick disaster by the attacker, since a second defensive piece isn’t always obvious.
-Another parallel is how a simple pawn or lesser piece can take a queen down or initiate checkmate if the player isn’t diligent, which is so true in audit and security.
-The game can turn instantly; one move by a player who is being solidly beaten can change the game, similar to how a simple email can cause a mass penetration of an entire company. Some of the other strong defenses can’t help at that point, unless you have a segregated network, a swift and fast security response, and so on.
-Finally, the picture shows only the top of most of the pieces, and you can’t tell where the game is at and who is winning. Work is a lot like that. You have to stay in the game and continue diligently on.
*I know some of you are going to insist that bluffing has no place in audit or security (or chess for that matter), but I am going to strongly disagree. The business bluffs all the time (e.g., “the fix will cost more than the risk it represents” when they haven’t even done the research, and often after they have–I’ve caught management bluffing in both situations). I think the key to bluffing is to do it only when it helps the company and don’t stick your neck out too far.
LikeLike
Pingback: Couple of Favorite Posts | ITauditSecurity