Technology Audits and Consulting: Achieving Separation of Duty

by Brad Garland

Do you fear you don't have the talent or funds to keep your business secure? Is your IT person so maxed out on projects that adding infosec to her plate might be too much? How can you find the balance between getting the cybersecurity expertise your business requires and not breaking the bank?

The Information Security space has become a multi-billion dollar industry with a wide range of diverse jobs within it. Whether someone goes down the development path, the testing/forensics path, or even the strategic path, there is much opportunity, and retaining people is extremely competitive. Cybersecurity Ventures predicts there will be 3.5 million cybersecurity job openings by 2021. Additionally, just because you get someone to fill the role doesn't mean 1) they have the skillset to accomplish everything you need, or 2) they are a strong culture fit who can get their head out of the technical weeds and talk to you in the business terms you need.

Often those needs can be fulfilled in an outsourced way. You have a great technology audit experience, or a great relationship with a fractionalized Information Security Officer who is able to align all the technical projects with the business's strategic plans, or even better, both! But wait, isn't that a conflict of interest? Having auditors and ISOs from the same company? At a quick glance, I can see why one would think that. But, if managed properly, we believe you can have an even better experience by utilizing one company for both. Here are some of the things you can plan for to ensure good separation of duty.

1) People can't intermingle across projects - If you have a company doing both audits and ongoing consulting, ask who is doing the work behind the scenes and make sure the audit line doesn't get crossed into managing or mitigating audit findings. Bigger organizations quite often have one person or team handle the audit function and another person manage the mitigation. It's simple checks and balances.
2) Create organizational clarity on how security projects are managed - You can do yourself a favor at the front end of a project, or even during the annual planning process, by discussing as a team how you will achieve separation of duty. Setting separate responsibilities as part of the project template can create the consistent clarity your team requires.
3) Conduct an After Action Review / Debrief - In Michael Hyatt's book, Your Best Year Ever, he shares a tool they use (it comes out of the military) once a project is complete. It's called an 'After Action Review'. Here's what you go through with your team post-project:
  1. State What You Wanted to Happen
  2. Acknowledge What Actually Happened
  3. Lessons Learned from the Experience
  4. Adjust Your Behavior

We love this tool because it focuses on the right things with the right mindset. Instead of a blow-out debate on who's right and who's wrong, it becomes a collaborative, incremental improvement discussion: state what happened and what we can do next time to improve upon that experience. We highly recommend trying it out!

In summary, in this competitive cybersecurity world, strong outsourced relationships are hard to find. Businesses should look for ways to leverage their strongest relationships rather than settle for a 'lesser choice' just because of concerns around separation of duty. You can bring it together, and with a little planning (and after action reviews) you can be successful together.

FAQs on How to Achieve Proper Separation of Duty

Why is it better for you to work with one company to do both IT audits and consulting?

Working with an extra vendor adds more conversations, more contractual frustration, and puts the focus on vendor relationships instead of where it belongs: making your organization secure.

What would the obstacle be if you want to work with a company who does both?

At Vala Secure there is no obstacle. There is no legal requirement to use separate companies. Our clients understand our processes and have been successful in passing exams and adding regulated clients.

Download the full infographic: Technology Audits and Consulting - Achieving Separation of Duty