Information security implicitly goes against our evolutionary defenses. Humans, for much of their history, have been concentrated in small groups and forced to defend against external threats.

Those threats were disease, predators and other groups of people; internal threats were focused at the top. Leaders changed, but the pecking order of 20-50 hunter-gatherers remained relatively constant.

A 13-year-old couldn’t, say, learn to wield a knife and kill the top guy simply by watching. Even if this were possible, it would be suicide for the individual and harm the group’s chances of survival. Internal trust was built upon the fact that in order to survive, you had to trust one another… and carefully weigh your options.

All of this leads us to today, where we have several cyber users equivalent to God, who don’t even run the companies they reign over. A 13-year-old can launch an attack capable of crippling an organization, without much personal risk.

So we approach our employees with cautious confidence. Most IT managers cite insider data leaks as their top fear. So why don’t companies perform more internal audits?

For starters, it’s difficult – most people in positions of management have their own administrators perform internal audits. More importantly, a poorly implemented audit can create its own trust issues.

You don’t want your administrators to feel untrusted, but you need to monitor what they are doing. A good way to do this is through automation. Establishing a good log review policy and being transparent about the controls in place will also help.

In the end you want your administrators to establish a bond with your organization and ideals – not just your machines. Doing so leads to better security and efficiency and improves your external defenses at the same time.