Undercover

Audit Agitation

What do you do when your customers want you to do an independent security audit and your CEO doesn't?


Under the option column I wrote, "Go back to the CEO at a later time and hope that he is in a more receptive mood." I considered that option for about as long as it took to think it up. Was I taking dumb pills? Given his previous psychotic behavior, I knew that day would never come.

Next I scribbled, "Go around the CEO to the board of directors." The pros were obvious. Surely those people would sympathize with me. After all, hadn't the recent corporate scandals shown that there should be better governance and corporate control? The cons, however, were significant. I might get the board to order the SAS 70, but it would be a public rebuke of the CEO's leadership in his presence and would reflect poorly on me. I don't think the CEO, my boss, would easily forget that episode. I quickly ruled out that option.

The last option was to simply wait and do nothing. If a SAS 70 was truly important, then let the regulators come in and demand it. Or, if it was really important to our clients, then let them require that we do the audit to keep their business. Apparently, those were really the only things that would get the CEO's attention. I was convinced that nothing I said would change his mind. I circled the last option with an air of false bravado.

That's where I am currently. I'm waiting for the proverbial shoe of fate to drop, or, perhaps more appropriately, to give me the boot. But, I figure, how is this any different from all of the other job-security risks a CSO faces? Couldn't a hacker break in tonight and ransack our network? That might earn me a trip to the unemployment line. Or what about the ever-present risk of a cable-seeking backhoe severing a major data link and causing us to lose millions of dollars in a single day of trading? I knew a CISO at a major investment bank who had been fired for that unfortunate happenstance.

No, I figure it's best to be philosophical about these kinds of professional risks. You should do the best you can so that you can sleep well at night.

And you should always keep your contacts with the headhunters up-to-date and your relations with them on the best of terms.
