Look at this picture. It’s a depiction of an auditor and every time I use it in a presentation the audience laugh; they get the joke. The auditor is grey, dull, miserable-looking and fully focused on his clipboard. Oh yes, they say, that’s a good auditor, one who doesn’t let emotion or opinion get in the way of their work.
The mirror is there to show that he has no reflection which, my children assure me, means he has no soul. So an auditor is essentially dull and hardly human. But wait, I know quite a few auditors and, for the most part, they are great fun and are more likely to be fighting their way to the bar before last orders than sitting at home reading textbooks and drinking caffeine-free tea.
When I first took on the task of writing the latest BCS role book, Information Security Auditor, I didn’t know quite how I was going to tackle the subject - but I did know I wanted to draw out the importance of the humanity of an auditor.
So, one evening at a conference, I sat in a bar with a bunch of information security and assurance auditors and asked them to explain the qualities they would regard as necessary, or at least desirable, for someone coming into the IS audit profession. Very few of the qualities they discussed were about being a pedantic ‘jobsworth’. Instead they talked about the importance of communication skills, both in talking and listening; they need to hear what is being said as well as what is not being said.
Another factor they suggested was that they needed to be up to date with standards and changes in the workplace, technical as well as the way people work. We’ve seen the significant change in the ability to work on the move. This is a challenge to security because people may potentially work on sensitive material, or discuss sensitive commercial issues, in public. Of course you can tell them not to, but I wouldn’t give much for your chances of such a policy being strictly followed.
The expectation of work is already built around being able to reach staff during most of their waking hours. A good auditor will help organisations find ways to reduce or mitigate new risks to the business, by drawing on their own experience or that of others they meet or read about.
The fact that the auditor is a sociable person with good communication skills might interfere with the caricature, but my auditor friends assure me these are necessary skills for anyone who wants to include information security or assurance auditor in their CV.
This challenge to the general perception became the core of my book, which probably means that it’s my round... so is that a pint for you?
(Special thanks to illustrator Jim Barker)
Information Security Auditor
Wendy’s book offers a practical introduction to the IS auditor - a role vital in identifying and addressing security gaps in information systems. If you’re considering a move into IS auditing, this book will help you gain a full understanding of the personal and professional requirements of the role and the career rewards. It’s also essential reading if you are preparing for audit (the auditee) - giving you an insight into the process and enabling you to truly benefit from the auditor’s visit through the development of more secure operations.
Available from the BCS bookshop and other online bookshops.
About the author
Wendy Goucher is a security consultant specialising in the communication of information security to non-technical people both in training and policy creation, working with organisations who are preparing for external audit or conducting internal audits. Wendy’s background is in social science and her early career was as a management lecturer before she developed her interest in the human aspect of IS.