Comment: Avoid 'Friend or Foe' Syndrome with your IT Auditor

Do you need a GP or a cardiologist?

Finding a good IT auditor can be as important to your company as choosing the right attorney or insurance agent. Auditors can safeguard your business against potentially fatal errors – guiding you to adopt processes and technologies that can deliver long-term benefits in areas of security and compliance. By maintaining the right relationship with your auditor you’ll help rid the organization of behaviors that raise the ire of corporate boards.

Auditors can suggest best practices for remediation, and this is where a pitfall lies. Many of the standards auditors apply are vague, and their application to technology can be just as hazy, too lenient, or just plain wrong. Many auditors are not technical enough, or lack enough experience with the IT system they are examining, to know whether a threat is really a threat. They also expect voluntary compliance from an industry that is not used to complying.

In general, auditors are in a very peculiar position because companies often choose their own auditors. A negative finding can be the end of the auditor’s contract, which could mean losing out on a lot of money. So exactly how might this impact the independence of your auditor, and the value of the information s/he provides?

In an ideal world, your organization’s relationship with its IT auditor looks a lot like a doctor’s relationship with a patient. Your IT staff needs to be honest with the auditor about its practices and risks, and the auditor has to come to the job with the skills required to perform a thorough assessment. Not only does your auditor need sufficient knowledge, but s/he should also be assertive enough to follow every lead and communicate every diagnosis – good or bad.

Remember that client and auditor interaction must be ongoing – not just a once-per-year checkup to make management feel safe. Continuous compliance means engaging with your auditor every 30 days to re-test and evaluate if the organization is progressing toward its goals. Just like a doctor’s follow up call after a diagnosis, expect to engage with your auditor on a recurring basis. The auditor has to be capable of guiding your organization toward its security and compliance goals, and the company has to agree to accept the principles of continuous compliance.

Another point that needs clarifying: most IT administrators have only partial knowledge of their infrastructure, its credentials, and how those credentials are used. So when the IT auditor asks about credential assets and their management, the exchange is a case of the ‘blind leading the blind’: the administrator cannot answer with confidence, and the auditor has incomplete or non-existent tools with which to ‘mine’ the information independently, so the auditor cannot do the job. Hackers, on the other hand, have excellent and comprehensive tools for discovering networks, systems and credentials, and tools exist to report on and manage those privileged credentials.

Audit Trouble Spots

Auditors expect their clients to openly relate the organization’s issues and concerns. However, if an organization lacks the tools and processes to deliver the necessary information – or if IT staff feel that they are part of a “blame” culture and that honesty will rebound on them – this dependency can look like a fox guarding the hen house.

Remember, too, that IT auditors have none of the powers of financial auditors. Financial auditors have the right to see any of the client firm’s financial records, and if a ledger says that there are 100 widgets in a particular warehouse, then the financial auditor can demand to see them.

The IT auditor’s role is almost the opposite. They are dependent on the client organization to chart the IT landscape and produce all the necessary information – good and bad.

It is often the case that in a large enterprise – a bank for example – there are tens of thousands of IT assets, and no one individual with knowledge of them all. If an IT administrator says, ‘We only have 100 operating business systems’, how would the auditor know any better? In general, the auditor lacks the privileged login access that would give visibility to perform a proper audit independent of IT staff. And, in today’s heterogeneous IT environments, no single individual can be expected to have the technical qualifications needed to audit the entire IT infrastructure.

It’s also imperative that IT executives not confuse passing a routine checkbox compliance audit with achieving a real standard of security. In essence, compliance is not security. Too many IT auditors – supposedly the trusted experts charged with understanding security best practices and providing guidance – take the easy route and accept any information given to them by an IT department. A dangerous ‘point in time’ mindset ensues, rather than the optimal status of continuous compliance and security.

As I have said, finding a good auditor and building a relationship can be critical to whether your business grows or withers. Your IT auditor can find you the technology to provide a permanent solution to your IT security and compliance problems in many areas – especially if it is automated. This will get rid of the behavioral problems the board worries about. And, the right auditor can steer your organization away from those security solutions that might tick all the boxes yet still not keep you safe.

As an example, one of my particular niches of the security industry is privileged identity management. So I know that when properly implemented and automated a privileged identity management solution can prevent secret password knowledge from being shared among elite groups, verify that privileged account passwords are frequently updated, and ensure that no one retains personal knowledge of these powerful passwords. These benefits are all strict requirements of most major regulatory compliance mandates. An auditor who is not aware of these issues and cannot recommend the proper technology is not one whom I would want to deal with.
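The following Python sketch is an added illustration, not code from this article or from Lieberman Software's products. It models the two controls just described: exclusive check-out of a privileged password with automatic rotation on check-in (so no one retains standing knowledge of it), and a password-age report the auditor can derive from the vault's own records instead of from an administrator's assurances. The host names, account names, timestamps, four-hour check-out window and 30-day maximum password age are constructed assumptions chosen for the demo.

```python
"""Added illustrative model of vaulted privileged credentials (constructed data,
not product code): check-out/check-in with rotation, TTL expiry, and an
auditor-facing password-age report derived from the vault's own records."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start of the audit period


def generate_password(length: int = 24) -> str:
    """CSPRNG-backed password: use `secrets`, never `random`, for credentials."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    system: str
    username: str
    password: str
    last_rotated: datetime
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[datetime] = None


@dataclass
class Vault:
    max_age: timedelta       # policy: oldest acceptable privileged password
    checkout_ttl: timedelta  # how long a human may hold a password
    accounts: Dict[Tuple[str, str], PrivilegedAccount] = field(default_factory=dict)
    audit_log: List[Tuple[datetime, str, str, str, str]] = field(default_factory=list)

    def enroll(self, system: str, username: str, now: datetime) -> None:
        # Enrolling sets a password that no human has ever seen.
        self.accounts[(system, username)] = PrivilegedAccount(
            system, username, generate_password(), now)
        self.audit_log.append((now, "enroll", system, username, "vault"))

    def rotate(self, system: str, username: str, now: datetime, reason: str) -> None:
        acct = self.accounts[(system, username)]
        acct.password = generate_password()
        acct.last_rotated = now
        acct.checked_out_by = acct.checkout_expires = None
        self.audit_log.append((now, "rotate", system, username, reason))

    def checkout(self, system: str, username: str, requester: str, now: datetime) -> str:
        acct = self.accounts[(system, username)]
        if acct.checked_out_by and acct.checkout_expires > now:
            raise PermissionError(f"{username}@{system} is held by {acct.checked_out_by}")
        acct.checked_out_by, acct.checkout_expires = requester, now + self.checkout_ttl
        self.audit_log.append((now, "checkout", system, username, requester))
        return acct.password

    def checkin(self, system: str, username: str, requester: str, now: datetime) -> None:
        acct = self.accounts[(system, username)]
        if acct.checked_out_by != requester:
            raise PermissionError(f"{requester} does not hold {username}@{system}")
        # Rotating on check-in is what stops the requester retaining the password.
        self.rotate(system, username, now, f"checkin by {requester}")

    def expire_stale_checkouts(self, now: datetime) -> List[Tuple[str, str]]:
        """Rotate any password whose check-out window lapsed without a check-in."""
        expired = []
        for acct in list(self.accounts.values()):
            if acct.checked_out_by and acct.checkout_expires <= now:
                self.rotate(acct.system, acct.username, now,
                            f"checkout by {acct.checked_out_by} expired")
                expired.append((acct.system, acct.username))
        return expired

    def compliance_report(self, now: datetime) -> List[Tuple[str, str, int]]:
        """(system, user, age_in_days) for every password older than policy."""
        return sorted((a.system, a.username, (now - a.last_rotated).days)
                      for a in self.accounts.values()
                      if now - a.last_rotated > self.max_age)


def build_demo_vault() -> Vault:
    """Constructed inventory: three privileged accounts enrolled at T0."""
    vault = Vault(max_age=timedelta(days=30), checkout_ttl=timedelta(hours=4))
    for system, user in [("db01.example.test", "sa"), ("dc01.example.test", "Administrator"),
                         ("web01.example.test", "root")]:
        vault.enroll(system, user, T0)
    return vault


def demo_checkout_cycle() -> dict:
    """One operator's session: exclusive check-out, then rotation on check-in."""
    vault, key = build_demo_vault(), ("db01.example.test", "sa")
    before = vault.accounts[key].password
    handed_out = vault.checkout(*key, "alice", T0 + timedelta(hours=1))
    try:
        vault.checkout(*key, "bob", T0 + timedelta(hours=2))  # alice still holds it
        concurrent_blocked = False
    except PermissionError:
        concurrent_blocked = True
    vault.checkin(*key, "alice", T0 + timedelta(hours=3))
    return {"handed_out_was_current": handed_out == before,
            "rotated_on_checkin": vault.accounts[key].password != before,
            "concurrent_blocked": concurrent_blocked}


def demo_abandoned_checkout() -> List[Tuple[str, str]]:
    """A password checked out and never returned is rotated once the TTL lapses."""
    vault = build_demo_vault()
    vault.checkout("web01.example.test", "root", "carol", T0)
    assert vault.expire_stale_checkouts(T0 + timedelta(hours=3)) == []  # still inside TTL
    return vault.expire_stale_checkouts(T0 + timedelta(hours=5))


def demo_audit_report() -> List[Tuple[str, str, int]]:
    """Day 45 of the audit period; only dc01 was ever rotated (on day 40)."""
    vault = build_demo_vault()
    vault.rotate("dc01.example.test", "Administrator", T0 + timedelta(days=40), "scheduled")
    return vault.compliance_report(T0 + timedelta(days=45))


if __name__ == "__main__":
    print(demo_checkout_cycle())
    print(demo_abandoned_checkout())
    print(demo_audit_report())
```

The point for the auditor is the last function: the report is computed from rotation records the vault wrote itself, so "we rotate privileged passwords every 30 days" becomes something that can be checked rather than taken on trust. The audit log, which records every enrol, check-out and rotation with a timestamp and actor, is what the auditor would ask to see alongside it.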

Remember, just as you wouldn’t go to a plastic surgeon to treat a heart condition, you shouldn’t work with an auditor who is not knowledgeable about the processes and technologies that can improve your IT security and productivity.

Choosing an auditor is like choosing your doctor – it’s all about selecting the right person for the right job. Choose wisely.


Philip Lieberman, the founder and president of Lieberman Software, has more than 30 years of experience in the software industry. In addition to his proficiency as a software engineer, Lieberman is an astute entrepreneur able to perceive shortcomings in existing products on the market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions to resolve the security threat of privileged account credentials. Lieberman has published numerous books and articles on computer science, has taught at UCLA, and has authored many computer science courses for Learning Tree International. He has a BA from San Francisco State University.
