Keeping a security team from being pulled apart by auditor demands is a tough balancing act. by David Mortman
I've really been feeling the pressure lately. I have an ambitious plan to execute our company security strategy, and on top of that I've got hordes of auditors simultaneously pushing my staff in many directions. If I respond in knee-jerk fashion to all those auditors, my resources will be diverted from the security strategy.
Internal and external auditors, plus staff from the SOX program management, compliance, enterprise continuity and risk management offices all look to my team for support for their respective control efforts. Access controls are a common denominator, and my security folks are instrumental in designing, analyzing, changing and reporting on those controls. But I need to run interference to keep my staff from being pulled in too many directions. They're being torn apart; I need to keep them whole.
At the same time, I need to help all my colleagues who are responsible for the other control functions. The auditors are well-intentioned. They basically have the same goal I have: well-controlled information systems. The problem tends to be relative to time frames. We can't get it all done at once; we must prioritize. If I weren't confident that my staff understands the threats and risks, then I'd abdicate and let someone else set the priorities for what we work on. However, I am confident, so I stand my ground.
At first, the flow of control-related activities started as a manageable trickle: internal audits, external audits, GLBA, state market exams, and Securities and Exchange Commission 38a-1 investment firm reporting. Then somewhere along the way, it dawned on some of us that the questions we were being asked were growing eerily similar to the last set of questions we had just answered. Around the same time, the specter of SOX began to haunt us. For a while, I naively thought SOX was a positive thing that would help me move the security agenda forward; it was about protecting financial integrity, and that aligned with my mission. Then I woke up and realized the SOX people weren't working on my agenda, but rather I was working on theirs, and they had different time frames in mind. In fact, my entire staff seemed to be getting dragged into everyone else's control-related efforts, and the security agenda was beginning to take a back seat.
Right now, I'm desperately trying to find places where the disparate control efforts overlap. If we can avoid doing the same things repeatedly, we should be able to save time and effort.
In addition to looking for overlap among control-related activities, we're assessing related risks and using risk levels to help prioritize our work. Because we can't cure every ill at once, we want to address the biggest risks first and address the rest over time. Our plan is to help our colleagues in their control-related projects as much as we can without totally sacrificing our own agenda and abandoning pursuit of our security strategy. By taking care of the big hitters we should be able to reduce our risk sufficiently and turn down the heat enough to make everyone comfortable.
Most importantly, we need to corral all the work related to controls coming from many areas. We need to organize and prioritize it, then get it done in a reasonable time frame. No longer can we allow all that control work to get so out of control at the expense of our security goals.
Bruce H. Bonsall, CISSP, is CISO at MassMutual Financial Group. Send comments on this column to firstname.lastname@example.org.