Second in a series on IT security audits
CHIEF executive officers put their trust in IT three years ago, but the flop that was Y2K burned that bridge.
"Y2K killed a lot of IT credibility because you had managers running around screaming about the sky falling in," said Andrew Moffat, CEO of Ottawa, Canada-based Educom TS, a software developer specializing in e-mail management. "You had to have the Secretary of Transportation fly on New Year's Eve to prove that planes would not fall out of the sky because the date changed."
Slowly, that bridge between the executive level and IT is being rebuilt with several factors driving the renewed trust: the economy and September 11 principal among those.
CEOs are no longer loose with a company's money. Millions are no longer allocated for projects without a solid business plan behind it. And securing a company's data and assets is readily on an executive's radar screen.
From a CEO's perspective, an IT security audit serves as that bridge between the upper level and IT. Audits confirm for an executive that what is being proposed and carried out is indeed working.
"Audits are confirmation that what they talk about at the executive table is what happens and that money is being spent correctly," Moffat said.
A recent SearchSecurity poll asked companies to divulge when the last time an IT security audit was conducted. Thirty-two percent said in the last six months and another 32% said never. Fifteen percent said annual audits were conducted, 12% said more than a year ago and 8% did not know.
"In reality, audits are expensive and CEOs avoid them like the plague," Moffat said. "Only when they understand the benefit of best practices can they get a grip on total-cost-of-ownership (TCO) and implement best practices. An audit is confirmation they are doing things right. Audits give a warm feeling to executives that what they are having demonstrated to them is in fact factual."
Audits, however, are expensive to conduct, point out glaring weaknesses that need fixing and at times demonstrate how removed the executive level is from their company's information technology happenings.
"We've found CEOs to be detached, confused and embarrassed," said Michael Monroe, CEO of Enabl-R Networked Systems, a consulting company that works with small and medium size enterprises and Fortune 1000 companies. "Audits are after the fact and that's often where the embarrassment comes in. CEOs are getting their information typically after the data has been compiled and corrective measures cannot be done. There's little that's proactive that can be done.
"Audits are a necessary evil today," Monroe said. "They are a burden because CEOs will have to do something if an audit does not come back fine. Money will need to be spent and things will need correcting. Typically, it's a bit burdensome."
Economic concerns and September 11 have also increased the visibility of chief information officers and chief security officers inside the enterprise to sort, prioritize and often translate the volumes of IT data that could cross a CEO's desk.
"The expertise is not there at the executive level," Monroe said. "It requires a steep learning curve. The tendency is to get so much information at that level, that sorting what is critical and actionable is difficult. They rely on the CTO and CIO and that can be troublesome. You can get blindsided by a "gotcha" and depending on your corporate structure, that could mean your job."
Monroe points out that CEOs no longer have the luxury of ignorance, especially considering the realities that September 11 introduced. In fact, his consultancy often recommends that CEOs conduct parallel IT audits as a failsafe against a CTO or CIO who might sanitize an audit before it crosses and executive's desk. The trick is to do so without alienating valuable personnel.
"The CEO is like the king and everyone always comes to the king and tells him how good things are in the kingdom and no one points out how bad things are," Monroe said. "Sometimes, the king has to look around in his empire. And he has to do it so he doesn't alienate his own crew."
SearchSecurity's series on IT security audits concludes tomorrow.