We take our jobs and our mission to help organizations become more secure very seriously. I don’t think it is any secret in our industry that we have a great time and as much fun as anyone while doing it, but one of the reasons that we are able to have so much fun at work is that we all love what we do. We are also all very close friends and think of each other as family. While this may seem warm and fuzzy and all, it actually has a very large benefit for the organizations with whom we work. In many consulting organizations there can be a rift between Governance, Risk and Compliance (GRC), who are seen as the more straight-laced auditor types, and the more technical functions such as penetration testers, who are seen as edgier and cool. This is definitely not the case at TrustedSec. While there is a great deal of good-natured ribbing within our walls, we all have the greatest personal and professional respect for each other. This close relationship benefits our clients in a myriad of ways, but chief among them is the fact that when you work with any of us, you get the expertise of all of us.
Take, for example, compliance with the Payment Card Industry Data Security Standard (PCI DSS). The DSS covers many domains that all require knowledge about different areas of information, application, and organizational security, among others. As a QSA, I am expected to have a solid understanding of all these areas, which I do; however, we all know it is not possible (well, at least not common) for any one person to have the application development knowledge of a lead developer with decades of experience, focused experience with deployment of every model of firewall out there, the technical knowledge of an experienced penetration tester, deep network design experience earned over a long career, and so forth. It would be insulting to the experience of people who have devoted their careers to one of these specific areas to suggest otherwise. As an assessor and an auditor, it is paramount that I provide the most thorough and honest service possible to the organizations with whom we work, and this often means seeking the opinions of our experts. There is no rift between our departments. I talk to Dave and Rick and Scott almost every day; sometimes it is about what type of meat we have in our smokers, but more often than not we are bouncing ideas off each other about how we can best provide services to our clients.
I hear people time and time again complain that their auditor doesn’t understand certain deep technical issues and, due to ego or some other issue, refuses to listen to reason. These situations can become a battle of wills, and the result isn’t good for anyone, nor for security in general. In these situations, I will always consult with an expert in the specific domain. There are always areas where things are black and white: a control is either in place or it isn’t, and if it isn’t there it has to be reported as such. But when it comes to the gray areas, an auditor or assessor needs to completely understand the issues at hand. In these situations I will often set up a call so all the affected parties can be sure that each of us fully understands the issue. (How many times do we find ourselves, as information security professionals, in situations where we actually agree but argue because we are describing the same situation differently?) We always hold ourselves to the absolute highest of ethical standards, but we will always seek to be fair. And being fair requires a true understanding of the issues and the situation.
So if you are on the GRC side of the business, call a pen tester and ask how their day is going; if you are a pen tester, go ahead and call an auditor, even if just to joke about how tight their tie is tied. We are all in this together, and in the end we all have the same goal of more secure organizations.
This article was written by Alex Hamerstone (@Infosecdoc) of TrustedSec.