2015 Vol. 99 No. 7

The Odd Couple ‒ IT Security and Audit
SECURITY / FRAUD
Hoosier Banker, July 2015, page 28

In community banking today, the universes of information technology security and audit are anything but congruent. Much like Felix and Oscar from the stage play and television series “The Odd Couple,” security and audit tend to fight like cats and dogs. It is as if they come from two distinct worlds, operating with completely different mindsets, often with “silo” mentalities.

Typically the security team is focused on structural and operational activities, such as patching systems, keeping anti-malware up-to-date and protecting the perimeter of the operations. Audit focuses on monitoring compliance, using regulatory guidance and internal policy as guidelines for conducting activities and measuring effectiveness. Somewhere, the two disconnect, forgetting that the ultimate goal of all activities is to strengthen the organization and provide value in meeting strategic objectives.

In working on a project recently, I overheard a banking chief information security officer (CISO) and chief risk officer (CRO) all but shout at each other. They claimed that neither understood the other’s job, and belittled what the other did as a waste of company resources.

One of the major problems causing these sorts of rifts is that the two teams often lack a full understanding of the other’s purpose, methods and means. Security personnel tend to have little or no background in audit, and vice versa. Security personnel generally focus on technology and operational solutions, while ignoring or minimizing the importance of compliance issues. Auditor training for the most part focuses on regulations and guidance, rather than on technical operational issues.

Unfortunately, both IT security and audit often are mistrusted by other employees, as both functions tend to make work more difficult. Security makes others’ jobs harder, since the sky is always falling. And audit gets in the way by “shooting the wounded.”

Instead of conflicting with each other, both teams should be operating with the strategic goals of the business as their primary drivers. Rather than work feverishly to keep hackers at bay, security should be reviewing practices to ensure that resources are being applied and utilized where they are most needed. Audit should be looking at how and whether these activities are effective and, if not, should provide sound answers as to how to effect change, rather than criticize operations.

One way to bridge this ever-widening gap is to cross-train security and audit professionals. ISACA, for instance, is now providing technical credentials, such as the cybersecurity professional, as part of a primarily audit-focused association. Other organizations have made similar inroads, such as the American Institute of CPAs with its certified information technology professional (CITP) certification. These efforts, combined with top-down management buy-in, can have a significant impact on getting the two departments to work constructively. Much like Felix and Oscar, they do need each other and, despite often being at loggerheads, they ultimately work toward the same goals.

About the Author

Brian T. O’Hara, CISA, CISM, CRISC, CISSP, is senior security consultant for Rook Security, Indianapolis. He has been practicing information security for more than 20 years; specializes in virtual ISO services, financial audit and risk management; and is a frequent speaker on audit and risk management at national events, including SecureWorld Expo and Indy Big Data. O’Hara is president of the Central Indiana Chapter of ISACA (previously known as Information Systems Audit and Control Association), is an Information Systems Security Association fellow and serves on several boards, including InfoSec community and Infragard. He earned a bachelor’s degree from Indiana University and a master’s degree from the University of North Dakota.

The author can be reached at 888-712-9531, email: brian.ohara@rooksecurity.com. Rook Security is an associate member of the Indiana Bankers Association.
