11/06/2021
Continuing with the "Total Architecture" theme I wrote about last week, I want to discuss some of the endemic problems that arise in companies between Cyber Security and IT Audit teams.
CISOs should be leveraging their IT Audit/Risk team to support decision making on risk management. The IT Audit team should do their job: assess risk and provide priorities, probabilities, impacts, costs and mitigations for the cyber security team to consider. The reality is that CISOs are forced to take risk. CISOs are making their own decisions as to what should be protected and why.
There are many reasons why the CISO is out on a limb. Many IT Audit teams lack solid technical skills, so they are unable to argue a case or understand the cyber security and infrastructure teams, which creates a massive communication problem. Their recommendations are inadequate or simply pass the responsibility / blame to Cyber Security. As a result, Infrastructure and Cyber Security dismiss their advice and see them only as a nuisance.
Things are getting better...
It is only recently that I've been hearing from head hunters looking for IT Auditors with strong technical backgrounds. Whether the reason for this is to be able to argue the politics or to provide better risk assessments and mitigations is yet to be seen.
Having a tech-savvy IT Audit team makes sense, but it still doesn't resolve the lack of cooperation and the blame between the three practices. In what I call "Total Architecture", I propose the integration of Infrastructure, Cyber Security and IT Audit into a single team whose members support each other and where everyone is responsible for breaches.