CIOs Learn Very Little From Security Audits - 'Finding fault with audit firms' (Page 2 of 2)
Are company executives, including CIOs, being fooled into thinking that their security audits are doing more than they're doing? Or are the executives knowingly taking these measures to cynically convince their boards and shareholders that more is being done than really is?
Attorney Rasch argues it's a bit of the second, but it's more apathy than ill intentions.
These audit-purchasing executives "are not buying security. They are buying a piece of paper to wave around to say, 'We've met these standards,'" Rasch said. "A lot of companies are spending money to pass the audit because they have to. They don't want to be secure. They don't care about being secure. You can be incredibly vulnerable and still pass an audit or assessment."
Asked if he agrees with Rasch about the lack of concern about security preparedness, Cohen said that he did. "They don't care and maybe they shouldn't. If you're running a business, the goal is to make the business run right," he said, adding that a lack of security can threaten severe damage to the company, but not necessarily to the executives in charge of security.
"The punishment doesn't come back to the executives. It comes back to the shareholders," Cohen said.
But Rasch stressed that he applauds the efforts that Visa has undertaken because, although certainly not comprehensive, the audit requirements are making companies aware of some issues, which is more than they were before.
"The goal of the Visa standards is to make sure that people are doing something. In the absence of the standards, they didn't have to do anything," Rasch said.
A key CIO who has been aggressive on security auditing procedures is William Morgan, CIO for the Philadelphia Stock Exchange. Morgan says that now may be the time for customers to consider performing, and paying for, their own security audits of contractors' systems.
Had that happened with CardSystems and had Visa paid for its own audit and issued the instructions for that audit, the final outcome might have been avoided, assuming an audit had been performed after CardSystems began retaining data improperly.
"It's a question of corporate independence," Morgan said. "Maybe [the audit] has to come from the customer's side." Morgan added that his exchange routinely conducts security audits on customers and suppliers and that the SEC routinely audits his team's security.
At his exchange, Morgan said that he finds audits of his operations, operating on the instructions from his company's audit committee, quite useful.
"I think it's a good idea to have an independent source. I see it as free consulting, and I'm not really threatened by it," Morgan said.
"A lot of times, we're all so busy, making sure that we're leveraging our technology. Sometimes, you need someone from the outside to look at these security issues more, as long as you get competent people doing it."
But Cohen does find fault with many of the audit firms. For example, when the auditing firms needed to certify that their audits were accurate with the new threat of imprisonment, auditing fees more than doubled, increasing on average $4.5 million, Cohen said. If the new costs are to perform the audits properly, what, he asked, were companies paying for during all of those earlier years?
Cohen also faults auditing firms for often using lower-level COBIT standards and not the more extensive COSO ones. "The auditing firms are auditing to the wrong standards, and they know it, because they have checklists that junior auditors can fill out," Cohen said.
Companies should also create chief security officer positions and make sure that they do not report into the CIO, Cohen said. "Managing the information technology risks is a new area and the CIO is not the person who should be in charge," he said.
Why should the CIO not oversee the security issues? First, part of the role is to perform oversight on how data is being managed, so the overseer can't report to the overseen, Cohen said.
Secondly, there are many areas of security management, such as building security and HR hiring/firing functions, that have little to do with a CIO's jurisdiction. A company's acquisition, for example, brings in tons of new people who will be given varying levels of access to confidential company data. Who is running the background checks on these hires?
Also, Cohen said, some of the security decisions will be based on corporate priorities that would also typically be outside the scope of the traditional CIO.
Experts also point to constantly growing extranets and intranets as an area often ignored by audits and assessments. With the soaring number of contractors, suppliers, distributors and key customers with varying levels of network access, the internal threat is truly towering over external break-ins as an area of concern.
Wright adds that extranets are even more frightening as consolidation makes many of those contractors and subcontractors also the contractors for a company's competition. Add to that the coopetition projects, where a rival works with a company on one project while competing against it on another, and there are a lot of ways internal data isn't looking that internal anymore.
And an audit that focuses solely on known external threats is looking less and less helpful.
Editor's Note: This story was updated to include comments from William Morgan, CIO for the Philadelphia Stock Exchange.
Retail Center Editor Evan Schuman can be reached at Evan_Schuman@ziffdavis.com.