R is P times I
IT Auditors. I used to have an image of them. Not particularly a romantic image. More like a well-defined image, really. I sort of associated them with IT Security Experts: slightly more serious than average, a bit of the worrying type and with an insistent urge to analyse and structure.
All of these are important, crucial capabilities that I sadly do not possess.
Nevertheless, in the past few months I was asked several times to engage with IT Auditors. First as a keynote speaker at a national event and just a few days ago as the chair of the annual networking event of governmental IT Auditors.
And then, as a relative outsider, you learn quickly.
You find out that – just like in IT Security – there are different ideas about how to achieve the best results. Indeed, there is a procedural, analytical side that aims to help the IT Auditor in assessing the correctness of a system. We encounter methods, frameworks and reference models, all firmly rooted in science. Also, many formulas are in use to articulate risks in the most unambiguous way, the best known being - of course –
R = P * I
Risk is simply the probability that a disturbance will occur times the impact of its effects. That is a pretty straightforward way of calculating and the temptation is strong – whether or not supported by checklists – to express all the risk aspects of the system in numbers. It gives that confident illusion of being completely in control, a state of mind that is ostentatiously in the comfort zone of most IT Auditors.
On the other side of the spectrum, we find a much more pragmatic approach. Forget all the procedures and frameworks. Instead, gather a group of battle-hardened experts from actual practice (look for scars and raw, cynical laughter) and just let that intuition flow in finding the flaws of the system. Again, there is a parallel with IT Security, in which – next to methodologists – we gladly assign ethical hackers: unpredictable didgeridoo players that, in all their unfocused creativity, know exactly where it hurts.
The Control Freak and The Fool, both can be seen during a cosy day of networking with IT Auditors. And on one topic they are of the same mind: it is becoming increasingly difficult to assess risk when everything is connected to everything and complexity levels explode. Maybe, just maybe it is a better idea to be a trusted partner to business management in a continuous dialogue about risk than to produce one-off audit reports that can only really suggest control and accuracy.
Life-changing stuff indeed. Before you know it, you find yourself discussing with IT Auditors the impossibility of being objective, Gödel's incompleteness theorem and the agonies of doubt in general.
Formulas, they just don’t seem to work any longer.
Probably.
TrackBacks
Listed below are links to weblogs that reference R is P times I:
» Security Hangman from CTO Blog
In the past week, in which I met several of our clients that are planning for this year, I only found more confirmation for the proposition in my previous blog item. Although CIO’s have been struggling for years with immovable,...
Comments
# on October 6, 2007 8:06 PM, Jesper Kråkhede said:
IT Auditors are a very interesting species indeed. I try not to be recognized as one of them even if I spend a lot of time in their company in my line of work as a security architect. ;-)
The most interesting thing with an IT Auditor is starting to discuss the current compliance scheme they are working with. There are always some areas in it that are open for debate.
During the last months I have had several discussions regarding the definition of "System Components" within PCI DSS. It is a joy to swap Powerpoints and hear The Control Freak and The Fool argue about risks and possibilities. The more creative the ethical hacker is, the longer the risk calculating formulas tend to be.
It could be that the formulas do not work anymore. But that could also be due to the fact that security should not be seen as only a cost but also as a way to incorporate new business functions. That way "Compliance per default" could be achieved at last.
# on October 7, 2007 6:45 PM, Ron Tolido said:
@Jesper: yes, security could even be an enabler to creating new business functions that we did not even think of before. Compliance could be a built-in, architectural capability and we could leverage new business opportunities quicker than ever. Indeed, both security experts and IT auditors might become partners to business, the true 'IT Auditors heaven' as several auditors confirmed to me last week.