Sharky

Shark Tank

The best defense is a make-believe offense

This developer pilot fish and his team talk with his company's telecom group about building a defense against network attacks -- a very active defense.

"We discussed developing a program that could do a denial-of-service attack on anybody attacking one of our servers," says fish.

Along the way, fish mentions the project to the audit group, which normally does a test on the servers as part of each audit.

And fish soon realizes that the auditors believe the program has already been written.

For the next eight years, whenever there's an audit and someone on the audit team doesn't follow the rules, fish offers to test the counterstrike program -- and the auditors immediately back down and stop the test.

"Slight problem: We've never developed the program," fish says. "But people don't know that. I suppose one year they may tell us to test it.

"Until they do, it will continue to do its job."

Sharky wants it real. Send me your true tale of IT life at sharky@computerworld.com. You'll get a stylish Shark shirt if I use it. Add your comments below, and read some great old tales in the Sharkives.

Now you can post your own stories of IT ridiculousness at Shark Bait. Join today and vent your IT frustrations to people who've been there, done that.

What People Are Saying

Been there, done that, lots of bull on both sides.

Ahh, Digital Willie, you have nailed the distinctions in Audit Types.
Before I retired, I had worked for a regional accounting firm. Besides doing management consulting in IT, I also got involved with Auditing, handling the IT audit end of Financial Audits. We also did work with companies to help them with Compliance type audits for ISO and other types of compliance audits.
One of the small pleasures that I often got was when a hot-shot from the client would try to buffalo my team on IT issues. Since I've been in the industry a long time, with a forward looking company, when it came to a "certification showdown", more than half the time it seemed that I had more certifications than the hotshot.
Of course, in the Management Consulting engagements, often as not, the IT folks would have more on the ball than the Accounting folks. So much fun when you could put the Accounting guys in their place with the simple idea that "Have you checked with your IT Department?" "You *do* know that they have tools to go with the XYZ package to give you what you want without paying for more staff or other resources. You already own it....."
IT-CPA plus a whole lot of other certs.

Auditors vs. Bean Counters

Many of the comments made so far this morning have good content. BUT, I think that there are some subtleties that have been obscured by all of this thrashing over Auditors.

Compliance Audit - when the Govt. Goons come in and want to make sure you aren't scamming an unsuspecting public. These are often know-nothings as described. However, I will say that I have met a few bright lights when I was teaching IS Audit to people like the FDIC and Treasury. Trouble is those square pegs are soon sanded smooth into a round hole, if you get my drift.

Certification Audit à la ISO - a review to prove you are doing what you say you are doing about what you are doing..... Not really designed to search out and promote positive changes.

External Audit - annual tooth extraction by your Financial audit firm. Often there are some decent IS types in these firms. Unfortunately, they are far overstretched and cannot hope to give the individual attention they should to every client.

Internal Audit - company people who come onto the battlefield after the war is lost, to bayonet the wounded! Just when you think that you have everything worked out, all your systems are ticking over, you have no glaring security holes, your audit trail for provisioning users or change management is clean; they come and shoot everything full of holes and tell you that you are not "industry compliant" or that you have no "best practices".

None of these are fun. But if the last group does its job properly, since they work for management, you should have fewer problems with the first two.

Having worked in Internal Audit, as well as being an external consultant to Audit and Security, I can say that Tone At The Top is what makes the difference.

If Management believes in making changes to bring the organization into compliance and best practice, Auditors serve a very useful purpose. That is only if they are properly qualified and resourced to provide the degree of oversight that would find the areas of weakness that are always there in any system.

Don't hate them, teach them. Make them part of your arsenal to push good governance and best practice. If you don't, it will always be like a visit to the dentist....WITHOUT Novocaine!

LOL

"Internal Audit - company people who come onto the battlefield after the war is lost, to bayonet the wounded!"

I'm going to have to remember that one.

Feel free.....

to use and abuse as you see fit! :-)

hatter time warp

DW just gave me a peek into what could've been my future life. Gone through the last two creatures and I say, they really can make holes.

I'm confused. Is there

I'm confused. Is there someone who actually believes that all these audits do any real good?

Next thing you know someone will believe that all these tests they give in public schools are actually improving our schools.

Sometimes

Sometimes having the auditors surface a security or compliance issue finally lets IT make dealing with that issue a priority. Our external financial auditors just realized that we clients have technology. While being grilled about technology procedures that we have never before been asked about definitely feels like a root canal, the upside is that various IT best practices which Sr. Management has never seen fit to push in the past are now high on the radar to clean up before next year's audit.

See... Tone at the TOP

This is what I opined about earlier. Tone at the Top sets the stage for what can be accomplished. If Sr. Management does not want change, it is bound to fail.

Smart managers and directors use Audit resources to prove their theories and uncover the sore spots that they have tried to correct for years without support.

If managers would embrace at least INTERNAL Audit as partners, and get them involved in new initiatives and projects up front, life could be so much easier.

The key here is that many Auditors are seen as playing the bully. Just coming in and looking for audit points without regard to what is best for the organization. While there are some like that, I think if more IT managers talked to Audit, and worked out where Audit can be helpful, rather than giving them the 'cold shoulder' we would find it much easier to work with them, and they would begin to trust that they are seeing the nuts and bolts of the operation.

What an Auditor fears more than anything else, is not finding something, and later having it rear its ugly head. If we open our Kimonos, so to speak, and show them where the warts are, there is nothing for them to fear, and we don't get any surprises, cause guess what, WE already know what they are going to say!

Sure Audits Help

Without regular audits, our economic system wouldn't be where it is today. Can you imagine what would happen if companies could just do whatever they pleased with no oversight?

no oversight

Didn't we just see that? You and your kids and your grandkids will be paying for that for decades. Chrysler paid theirs back, but the mortgage market is frequently for 30 years.