Audit Agitation

What do you do when your customers want you to do an independent security auditand your CEO doesn't?

My CEO is a psychopath. No, really he is. He's a lying, manipulating, amoral, selfish, screaming-like-a-madman, intellectually challenged, dysfunctional excuse for a human being. And those are his good qualities. But, surprisingly, I read recently that I am not alone in enjoying such a CEO. It's actually quite common for psychopaths to become CEOs. So much so that a company in the United Kingdom now specializes in employee testing to try to identify and hopefully retrain those exhibiting psychopathic tendencies before it's too late, and they are taking the express train to the top of the corporate ladder. Too bad this company didn't exist while my piece of work was in his formative corporate years.

I tell you all this not for sympathy, but so that you can imagine my discomfort when I had to approach my CEO and explain what a SAS 70 was and why we needed it.

For those who don't know, a SAS 70, or Statement on Auditing Standards No. 70, is an internationally recognized standard developed by the American Institute of Certified Public Accountants. A SAS 70 audit represents that an IT services provider (for example, a financial services organization) has been through an in-depth audit of its control activities, which generally include information technology, security and related processes. The Sarbanes-Oxley Act of 2002 makes SAS 70 audits even more important to the process of reporting on effective internal controls at IT services organizations. That's because the reports signify that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm, as Section 404 of Sarbanes-Oxley requires.

And I had to explain all this to a man who has the patience and temper of a 2-year-old with a diaper rash. Right.It Wasn't Exactly a Tea PartyI approached the CEO's office with a queasy feeling of resignation and trepidation.

"Mr. Blowhard is running late," his attractive, blond administrative assistant informed me. "He's very busy these days, you know," she continued, with a slightly irritated frown.

Great, I thought, I can enjoy my misery stew a little while longer. I sat in an overstuffed leather chair in the waiting area outside his office. Inside, I could hear Blowhard screaming at his latest victim, his voice rising steadily in a paroxysm of hysteria. Suddenly the door banged open and out the CEO sprang. His bald head sported beads of sweat.

He thrust out his arm, directing the way out. "And don't f***ing come back here until you get it right!" he shouted. His unfortunate victim slithered past him.

Let me interrupt for a moment and tell you that I'm not making this up. My CEO is really this bad. Only a few identifying details in this story have been altered, and the names of the ignorant and incompetent have been changed to protect their privileged status.

"Who's next?" he demanded. His assistant pointed at me. Maybe I should have worn barbeque sauce to this meeting, I thought.

"Get in here!" he yelled, and stomped back into his office. I followed him at a safe distance.

He turned suddenly and thrust his face an inch from mine. "What do you want?"

And a good morning to you too, sir, I thought.

"Well, Mr. Blowhard, we've been getting a lot of requests from our clients recently to provide SAS 70 documentation on our information security controls and practices."

"I don't care about that. I want to know what you're going to do about passwords."

I thought for a moment. What did he mean? Do away with them? Implement single sign on? I decided to bite.

"Is there a problem with passwords?" I asked.

"I couldn't remember my password this morning! I had to wait until my secretary logged me on. I don't like waiting. Waiting is money. I want you to do away with passwords." With a dismissive wave of his hand, he headed back to his desk.

I decided to ignore the obvious violation of policy prohibiting the sharing of passwords and to pick my battles. I cleared my throat. "That's actually not a good idea, sir."

He stopped and wheeled to face me. "Why not?" he said. I could have counted the number of veins sticking out on his forehead. "Don't you ever disagree with me!"

"Without passwords," I continued, "anyone could get into your computer. That means they could read all of your files, your e-mails, even send e-mails under your name. That could put the company at risk."

"There's nothing on my computer that's sensitive! We're an open company." The irony did not escape me. But then again, only poets get paid for pointing out irony.

"Someone could send an embarrassing e-mail from your computer. Say they wrote to The New York Times or a major client."

"They could do that now by creating a Hotmail account with my name on it," he thundered.

"Yes, but the e-mail wouldn't be from our company's domain and...."

"Domain? You come in here and waste my time by talking security technobabble! This isn't the CIA!"

"Actually, I came in here to discuss what our clients have been asking fora SAS 70. It's a third-party assessment of our security."

"We have you to do our security! Are you telling me you're not doing your job?" He was turning crimson. Maybe I should have updated my résumé and put more money in that rainy-day fund.

"Let me explain," I said. "There are regulatory requirementslike Sarbanes-Oxleythat require companies to check the security of their information services providers. To our clients, we are an information services provider. Our clients are asking us for an independent, third-party assessment of our information security practices so that they can be assured that we aren't endangering their computing environment."

"What does it cost?" he demanded. Now we were getting down to business.

"Because of the size of the company and the services we provide, it will probably cost us around a quarter of a million."

"What?! You want to spend a quarter of a million dollars for a piece of paper?"

"Our clients...."

"If they don't have anything better to do, then tell them to go f*** themselves! Now get out of here!"


"I said get out!" he shouted. The door slammed behind me.Great. Now What?I trudged back to my desk and contemplated my options. Not only had I not gotten approval for the audit, but I had actually been given an order to get rid of passwords, which would have been crazy. I got out a legal pad, drew three columns and labeled them "Option," "Pros" and "Cons."

In the first column, I put the password order. We could implement a biometric sign-in, which would allow us to drop the password and go with just the biometric identifier. But that would involve a lot of effort and money, and no one else in the company was complaining about passwords. I also had a obligation as a security professional not to weaken security by doing away with passwords. What doctor would knowingly put the lives of his patients in danger? By the same reasoning, what security professional would knowingly put the security of his network at risk? Chances are the CEO would never bring it up again. The first decision was made: Ignore the password order.

Next came the decision on the SAS 70. This was a different matter altogether. I wasn't exactly putting the security of the company at risk by not doing the audit, but it was clearly important. My first option: Order the SAS 70 on my own. I couldn't do this for two reasons. One: If the CEO ever found out, then he actually would have a good reason to fire me. Two: Because of the price tag, I would never be able to get it by the purchasing department without his permission.

Under the option column I wrote, "Go back to the CEO at a later time and hope that he is in a more receptive mood." I considered that option for about as long as it took to think it up. Was I taking dumb pills? Given his previous psychotic behavior, I knew that day would never come.

Next I scribbled, "Go around the CEO to the board of directors." The pros were obvious. Surely those people would sympathize with me. After all, hadn't the recent corporate scandals shown that there should be better governance and corporate control? The cons, however, were significant. I might get the board to order the SAS 70, but it would be a public rebuke of the CEO's leadership in his presence and would reflect poorly on me. I don't think the CEO, my boss, would easily forget that episode. I quickly ruled out that option.

The last option was to simply wait and do nothing. If a SAS 70 was truly important, then let the regulators come in and demand it. Or, if it was really important to our clients, then let them require that we do the audit to keep their business. Apparently, those were really the only things that would get the CEO's attention. I was convinced that nothing I said would change his mind. I circled the last option with an air of false bravado.

That's where I am currently. I'm waiting for the proverbial shoe of fate to dropor, perhaps more appropriately, to give me the boot. But, I figure, how is this any different from all of the other job-security risks a CSO faces? Couldn't a hacker break in tonight and ransack our network? That might earn me a trip to the unemployment line. Or what about the ever-present risk of a cable-seeking backhoe severing a major data link and causing us to lose millions of dollars in a single day of trading? I knew a CISO at a major investment bank who had been fired for that unfortunate happenstance.

No, I figure it's best to be philosophical about these kinds of professional risks. You should do the best you can so that you can sleep well at night.

And you should always keep your contacts with the headhunters up-to-date and your relations with them on the best of terms.

Copyright © 2005 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)