So why does this happen, and how can you prevent it?
It happens because IT and business management don't understand each other the way they should. And in turn, neither understands the auditor's role in risk management.
Businesspeople understand the business processes that IT supports. But they generally don't understand IT products and architecture. They aren't equipped to estimate the relative level of control that certain IT products, configurations and methods provide.
For their part, IT people obviously understand architecture and products, but they're not well equipped to estimate the impact that failed IT controls or exploited vulnerabilities could have on the business.
Thus, neither side understands the full picture. So when their auditor comes in, reports on the full complement of controls in place -- people, process and technology -- and makes recommendations, neither side alone can decide how to proceed. If they try, they might order up fixes that don't reduce risk enough to justify their costs.
Let's look at an example.
Assume for a moment that your auditor points out that your company doesn't have the ability to quickly detect and disable unauthorized wireless access points ("rogue access points"). This may or may not be an issue for your company, depending on a number of factors:
- how easily or likely it is that a rogue access point could be installed;
- which of your business systems might be exposed;
- which business processes those systems support;
- how specific business processes could be affected if a curious or nefarious individual accessed your network from outside the building or the company.
Another consideration is how the lack of access point detection measures up against generally accepted (e.g., vendor-recommended) best practice controls. If it falls short, the auditor will point that out, but action is not required. Business management ultimately decides whether anything is to be done.
Once the auditor's report is in hand, business and IT management must work together to address the auditor's findings. They figure out how much it would cost to implement rogue access point detection tools and techniques. They also estimate by how much these steps would reduce risk -- that is, if installed, how much the tools and techniques would reduce the likelihood that a nefarious person could access the network. This cost/benefit analysis and risk calculation guide their decision about corrective action.
The team can also decide not to implement new controls. In this case, the businesspeople who own the relevant processes and the IT people responsible for maintaining controls over the supporting IT infrastructure and services simply document that the current level of risk is acceptable.
When we all understand each other's roles more clearly in estimating, analyzing and making decisions about IT risks, we contribute to better calculated risk decisions that are integral to the business. And our businesses don't end up diverting resources to fix controls that don't need to be fixed.
This was first published in April 2005