An Audit Focus
This book is framed to walk you through building a security program for an organization about to be audited.
Even if you don’t think you’re going to be audited, this is still a useful way to approach a security program.
If you think you’re not going to be audited, think again.
Even if you aren’t being audited, it’s useful to act as if you will be. The prospect of outside scrutiny focuses
your attention and keeps you from getting sloppy. For some, the fear of an audit is greater than the fear of
hackers. Audits force you to be thorough and organized in your work.
What Technological Knowledge Should You Pursue?
Where do you begin with all of this? IT security requires practitioners to have a strong working knowledge
of the fundamental mechanisms across a wide range of technologies. This includes experience with the
implementation and management of those systems. IT operations such as help desk support, asset
inventory, patching, and system configuration are all key components of an organization’s defense. Since
the majority of attacks come in via the Internet, a good understanding of Internet protocols and network
technology is essential.
Since you will be analyzing the risk of systems built from software components and attaching controls to them, IT
security professionals should at least have a fundamental grasp of programming. A good measure of this is
being able to create something simple but useful in a basic scripting language like Perl, Bash, or PowerShell.
Bonus points for doing something in Ruby, Python, or Java.
IT security professionals also benefit from a basic knowledge of databases. Since most large IT systems
are built upon a database of some sort, it’s helpful to know a little SQL. You should at least be able to write
queries and understand how tables and indices work. You don’t need to become a DBA, but tinker with
something like SQLite or MySQL.
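As an added example (it is not from the book), here is the kind of small but useful script the two paragraphs above have in mind, written in Python with its built-in sqlite3 module. It loads a constructed asset inventory into an in-memory SQLite database, creates an index, uses a parameterized query to find hosts behind the current patch level, and uses EXPLAIN QUERY PLAN to show when a query is served by the index and when it falls back to a full table scan. The hostnames, owners, and patch levels are made up for illustration.

```python
import sqlite3

# Constructed sample inventory (hostname, owner, os, patch_level); not real data.
SAMPLE_ASSETS = [
    ("web01", "ops", "linux", 14),
    ("web02", "ops", "linux", 12),
    ("db01", "dba", "linux", 14),
    ("hr-pc7", "hr", "windows", 9),
    ("fin-pc2", "accounting", "windows", 14),
]
CURRENT_PATCH_LEVEL = 14  # assumed baseline every host should be at


def build_inventory(assets=SAMPLE_ASSETS):
    """Create an in-memory SQLite database holding the asset inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE assets (
            hostname    TEXT PRIMARY KEY,
            owner       TEXT NOT NULL,
            os          TEXT NOT NULL,
            patch_level INTEGER NOT NULL
        )
        """
    )
    # Parameterized insert: values are bound, never pasted into the SQL string.
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?)", assets)
    # An index on patch_level lets "behind baseline" queries avoid a full scan.
    conn.execute("CREATE INDEX idx_assets_patch ON assets(patch_level)")
    conn.commit()
    return conn


def hosts_behind(conn, baseline):
    """Return (hostname, owner, patch_level) for hosts below the baseline, worst first."""
    return conn.execute(
        "SELECT hostname, owner, patch_level FROM assets "
        "WHERE patch_level < ? ORDER BY patch_level",
        (baseline,),
    ).fetchall()


def hosts_by_owner(conn):
    """Count assets per owning department, e.g. for chasing patch responsibility."""
    return dict(conn.execute("SELECT owner, COUNT(*) FROM assets GROUP BY owner"))


def uses_index(conn, sql, params=()):
    """True if SQLite's query plan for `sql` uses an index rather than scanning the table."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    # Each plan row ends with a detail string such as
    # "SEARCH assets USING INDEX idx_assets_patch (patch_level<?)" or "SCAN assets".
    return any("USING INDEX" in row[-1] for row in plan)


def report(conn, baseline=CURRENT_PATCH_LEVEL):
    """Build a plain-text summary of hosts that need patching."""
    lines = [f"Hosts below patch level {baseline}:"]
    for hostname, owner, level in hosts_behind(conn, baseline):
        lines.append(f"  {hostname:10} owner={owner:12} patch_level={level}")
    return "\n".join(lines)


if __name__ == "__main__":
    db = build_inventory()
    print(report(db))
    print("patch query uses index:",
          uses_index(db, "SELECT hostname FROM assets WHERE patch_level < ?", (CURRENT_PATCH_LEVEL,)))
    print("os query uses index:   ",
          uses_index(db, "SELECT hostname FROM assets WHERE os = ?", ("windows",)))
```

The contrast in the last two lines is the point about indices: the patch_level query is answered by walking idx_assets_patch, while the os query, with no index on that column, scans every row. Binding parameters with `?` rather than formatting them into the SQL string is also the habit to build from day one.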
As you can see, IT security professionals need to keep up with technology. Keeping up is part of the
job. Since you’re reading this book, you probably already don’t mind doing homework to improve your
skillset. That’s the first lesson of IT security: never, ever be complacent.
What Other Knowledge Should You Pursue?
One of the most interesting things about IT security is the requirement to study a diverse range of
related disciplines. To be effective, IT security professionals need to branch out beyond technology. Within an
organization, IT security works with many different departments at an operational level, including human
resources, physical security, accounting, legal, business development, software development, and sales.
This means helping these departments modify and redesign business processes to accommodate security
and audit requirements. IT security professionals need to have knowledge of key organizational financial
processes, such as budgeting, revenue flows (sales), disbursements, and the related business cycles. This
book gets into how this happens.
Knowing the organization’s sector and competitive space is also important, as you may be sharing and
comparing information on common risks and regulations with your industry peers. Nearly every major
organizational sector has peer groups dedicated to security that you should consider joining, and whose
information feeds you should subscribe to. Just plug ISAC (Information Sharing and Analysis Center) and your industry name into
a search engine and see what you get.
Since many of the things that IT security does are projects, it’s helpful to have project management
skills. I’ve been managing projects for decades and I’m still not satisfied with how well I run a project. Many
organizations get hacked because they’ve skipped a few simple but tedious details somewhere in the
implementation or routine process.
IT Security Risk Control Management