


There’s no smiling in audit

Jun 07, 2008 | 3 mins
Business Continuity, Careers, Data and Information Security

I doubt that there has ever been a job considered as dull, boring, or monotonous as that of the auditor. There is no mystery, excitement, or wonder in auditing. Most of all, there is no smiling in audit. …or is there…

Under the subtle blue suit and understated tie, the stodgy fellow in the corner fervently clicks away on his keyboard. Barely looking up as he sips his lukewarm coffee, this auditor, we’ll call him Oliver, appears to be as much fun as a root canal. As far as we know, Oliver has sold his soul to the gods of Excel, and is buried 600 rows deep in some sort of spreadsheet.

As far as we know…

Just like Clark Kent and Bruce Wayne, Oliver has a secret. No, Oliver doesn’t wear tights and a cape. Or at least if he does, we really don’t want to know about it. I don’t proclaim that Oliver has some super power. I mean, seriously, what would it be? The ability to memorize the NIST 800 series in a single reading? Imagine the motto, “Accurate to 5 decimal places, creates a pivot table in one click. It’s a nerd, it’s a plane, it’s Audit Man!” No, Oliver has a different kind of secret. He loves his job.

He doesn’t love it in that creepy, brown-nosing, Lumbergh sort of way. Oliver likes his job in that Keanu Reeves – Matrix – super geek kind of way. You see, Oliver is a very …special… kind of auditor. He doesn’t care if your balance sheet has more holes than OJ’s alibi. Oliver is an information system auditor; he cares about encrypted protocols, access controls, and …dare I say it… hacking. Yes, Oliver is a hacker, a white hat hacker, but a hacker nonetheless. I realize that there is a stigma associated with the word “hacker”, so in polite circles we use the term “penetration tester”.

In Oliver’s mind, auditing is like a game of chess. It’s him against you. Who has the best skills: Oliver or the guy securing the system? For Oliver, there are two critical questions, questions that drive his every keystroke. First, what do you have that I (as a bad guy) would want? Second, how can I get it from you? Granted, Oliver’s process is standards-based, but after you boil away the bureaucracy, the various standards, and other clutter, these questions are at the heart of what drives Oliver.

There’s no smiling in audit? I guess that really depends on whether you are Oliver or the guy or gal on the other side of the table.

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.