So why does this happen, and how can you prevent it?
Businesspeople understand the business processes that IT supports. But they generally don't understand IT products and architecture. They aren't equipped to estimate the relative level of control that certain IT products, configurations and methods provide.
For their part, IT people obviously understand architecture and products, but they're not well equipped to estimate the effect that failed IT controls or exploited vulnerabilities could have on the business.
Thus, neither side understands the full picture. So when their auditor comes in, reports on the full complement of controls in place -- people, process and technology -- and makes recommendations, neither side alone can decide how to proceed. If they try, they might order up fixes that don't reduce risk enough to justify their costs.
Let's look at an example.
Assume for a moment that your auditor points out that your company doesn't have the ability to quickly detect and disable unauthorized wireless access points ("rogue access points"). This may or may not be an issue for your company, depending on a number of factors:
- how easily or likely it is that a rogue access point could be installed;
- which of your business systems might be exposed;
- which business processes those systems support;
- how specific business processes could be affected if a curious or nefarious individual accessed your network from outside the building or the company.
Only a combination of business and IT professionals can assess those factors and determine the extent to which this inability to detect access points is a concern. However, if a company policy or a regulation stipulates that all unauthorized network devices will be expediently detected and disabled, then there's no question that it's an issue. Your auditor will note that you must implement a detection program to bring your environment in line with the stated mandate.
Another scenario is when the lack of access point detection is measured against generally accepted (e.g., vendor-recommended) best-practice controls. If it doesn't measure up, the auditor will point that out, though action is not required. Business management ultimately decides if anything is to be done.
Once the auditor's report is in hand, business and IT management must work together to address the auditor's findings. They figure out how much it would cost to implement rogue access point detection tools and techniques. They also estimate by how much these steps would reduce risk -- that is, if installed, how much the tools and techniques would reduce the likelihood that a nefarious person could access the network. This cost/benefit analysis and risk calculation guide their decision about corrective action.
The team can also decide not to implement new controls. In this case, the businesspeople who own the relevant processes and the IT people responsible for maintaining controls over the supporting IT infrastructure and services simply document that the current level of risk is acceptable.
When we all understand each other's roles more clearly in estimating, analyzing and making decisions about IT risks, we contribute to better calculated risk decisions that are integral to the business. And our businesses don't end up diverting resources to fix controls that don't need to be fixed.
Matt Zerega is a West Coast IT auditor who has worked in energy, electronics and other fields. Write to him at AuditTrail@ciodecisions.com. Note: This column originally appeared in the May 2005 issue of CIO Decisions magazine.