SAN FRANCISCO -- Compliance can complicate the job of protecting information, and security professionals often
pin much of that difficulty on compliance auditors. However, according to an analyst at last week's Burton Group Catalyst Conference, security pros need to acknowledge that they too contribute to some of that pain.
Trent Henry, senior analyst at Midvale, Utah-based Burton Group, told attendees that both teams tend to have different opinions on compliance and often have an adversarial relationship.
For example, an auditor may ask a security team if passwords are eight characters long. But a company may have deployed strong authentication; a simplistic question like that, Henry said, shows the auditor hasn't properly assessed risk in the individual environment.
On the other hand, a security team may use compliance to justify pet projects, such as encryption. Holes in a company's infrastructure may not match up with regulatory requirements.
Henry advised security professionals to see the auditor as a friend, not a foe. Spend time talking with the internal audit team, and if possible, the external audit team too.
"Let's move towards partnership," he said.
Security professionals should try to understand the auditor's perspective, Henry advised. Auditors will look for coverage of fundamentals, such as segregation of duties, change control, authorized access, and records retention, especially when it comes to Sarbanes-Oxley. They'll also ask for a security policy. While it's essential that an organization have updated policies, Henry said many are lax on that front.
Additionally, security teams should take the time to understand the regulations, relate technology to controls and objectives and avoid vendor promises, such as those that claim to offer Sarbanes-Oxley compliance "in a box."
At the same time, auditors need to meet security teams halfway. "It's not just about their [auditors'] methodology," Henry said.
"We can't eliminate the pain here but there are a few tablets we can take," he added.
In another session, David Drossman, CISO of Investment Technology Group Inc. a New York-based brokerage agency and technology firm, advised security professionals to understand the business of their organization.
"Don't just read the Web site to learn about your company," he said. "That's not going to make you a leader."
Rather, learn about the business by spending a week shadowing the sales or other staff. "There's no better way to learn than riding shotgun," Drossman said.
Another way to learn is by attending seminars on subjects outside your expertise; an example might be accounting. Understand the other technology functions in your company such as development and support.
"Even though your job is security, the main goal is to keep the business running," Drossman said.
This year's Catalyst Conference also included a variety of sessions on identity management, network strategies, and application issues. The event drew some 1,800 attendees.
This article orginally appeared on SearchSecurity.com.