Auditing the Risk Auditor

The cybersecurity profession, like many other professional disciplines, requires annual continuing education. Yesterday, working to complete the needed hours for this year, I attended an all-day seminar sponsored by ISACA. The attendees were all security professionals, some operational and most from the auditing side of the business. What I observed amazed me, and if my observations are indicative of those in the cybersecurity space, I wonder if there is any hope for user security awareness in the general population. We need to practice what we preach.

While many in the room were guilty of poor practice, there was a particular group of about four people from a large financial services company that I will decline to name. Based on the overheard conversations, all were in the risk management and auditing area. What struck me as a real problem was that almost every time any of them got up for a bio break or to get coffee, they left their laptop on the table in front of them, logged into the corporate email network, without locking it. Cell phones were also left on the table unattended, as were various paperwork items that appeared to be audit checklists they were working on. Lastly, none of the laptops had a privacy screen, so anyone sitting nearby or behind any of these folks could easily shoulder surf.

Locking one’s system when unattended, keeping a smartphone on our person, and using privacy screens are all common-sense security practices we try to teach everyone in the workplace. Here, we have a group who work in the security space, are members of the ISACA professional organization, and audit others, yet engage in such poor practices themselves. Perhaps there was a belief that everything was safe because they were around other security professionals?

People are the weakest link in our efforts to secure the enterprise as people must operate the technology and follow the processes. As security professionals, we need to set the example and practice what we preach. My takeaway here is that someone needs to audit the risk auditor.
