While onsite with a client recently, they let me know about their growing concern with the inordinate amount of time they seem to be spending on Audit issues.
The way their internal process is set up, any issue flagged as a “medium” by the Internal Audit department requires a mandatory review by the Information Security team. So, what happens more often than not? You guessed it, almost every issue is a “medium” with few exceptions.
The way the Information Security team figured it, they were spending roughly 1 FTE worth of time addressing and responding to these issues. To some organizations that may seem like a small amount. To this organization, it meant they frequently missed their own goals and metrics.
I imagine that this internal process did not spring up out of nowhere, and that it had its genesis in some industry best practice and/or a series of Audit findings that were truly critical in nature and required immediate attention, because, believe it or not, every so often that does happen.
Yet when I thought about the problem my client faced, the seemingly excessive amount of time they were spending on Audit issues, it was really just a manifestation of a more systemic concern.
The underlying problem was that the two teams had differing views on what represented real risk to the organization and thus warranted their time.
So what are the core components of addressing this issue?
The first hurdle to tackle is priming Audit for what I call the “ah-ha” moment. It’s been my experience that people learn only when they want to. This is to say that if someone is cognitively closed off, doesn’t care what you’re talking about and/or feels as if they already know everything, it really doesn’t matter what you say, it’s not getting in.
So, you need to do something that opens their mind, if even just a little bit. In this situation, the ah-ha moment comes in the form of conducting just a few risk analyses on some of the issues Audit has come up with.
The goal here is that once you've translated their issue into a scenario that can actually be analyzed (a threat acting against an asset to produce a loss event), gathered the necessary data points, and run them through the model, it should become evident that what they identified as a concern:
- First, is most likely not a risk in itself, but at best a control deficiency that affects one, and
- Second, does not represent that much exposure to the organization.
From here, it should prime them for the next step.
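As an added illustration of what "running an Audit issue through the model" looks like (this is example code written for this post, not the author's own analysis or the FAIR Institute's tooling), the block below translates two constructed findings into FAIR-style loss-event scenarios and estimates their annualized loss exposure with a Monte Carlo simulation. Threat Event Frequency and Vulnerability combine into Loss Event Frequency, each loss event draws a Loss Magnitude, and the annual results are summarized as mean exposure, 90th-percentile exposure, and the probability of any loss at all. The finding names, the min / most likely / max estimates, the triangular distributions (FAIR practitioners commonly use PERT; triangular is used here to keep the block dependency-free), and the $100,000 materiality threshold are all assumptions chosen for the example.

```python
"""Toy FAIR-style Monte Carlo: turn an Audit finding into a loss-event
scenario and estimate its annualized loss exposure.

Constructed example for illustration only; every number below is assumed.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple

# Three-point estimate: (minimum, most likely, maximum)
Bounds = Tuple[float, float, float]


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Bounds             # Threat Event Frequency: threat events per year
    vulnerability: Bounds   # P(a threat event becomes a loss event)
    loss_magnitude: Bounds  # dollars lost per loss event (primary + secondary)


@dataclass(frozen=True)
class Result:
    name: str
    mean_annual_loss: float
    p90_annual_loss: float
    prob_any_loss: float


def sample_triangular(rng: random.Random, bounds: Bounds) -> float:
    """Draw from a triangular distribution; a point estimate is returned as-is."""
    lo, mode, hi = bounds
    if not lo <= mode <= hi:
        raise ValueError(f"estimate out of order: {bounds}")
    if lo == hi:
        return lo
    return rng.triangular(lo, hi, mode)  # note stdlib argument order: low, high, mode


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year given an expected rate (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> Result:
    """Simulate `trials` years of the scenario and summarize the annual losses."""
    rng = random.Random(seed)
    annual: List[float] = []
    for _ in range(trials):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = sample_triangular(rng, scenario.tef) * sample_triangular(rng, scenario.vulnerability)
        events = sample_poisson(rng, lef)
        annual.append(sum(sample_triangular(rng, scenario.loss_magnitude) for _ in range(events)))
    annual.sort()
    return Result(
        name=scenario.name,
        mean_annual_loss=mean(annual),
        p90_annual_loss=annual[int(0.9 * (trials - 1))],
        prob_any_loss=sum(1 for loss in annual if loss > 0) / trials,
    )


def rank(scenarios: List[Scenario], materiality: float, **kwargs) -> List[Tuple[Result, bool]]:
    """Rank scenarios by mean annual exposure and flag those above the review threshold."""
    results = sorted((simulate(s, **kwargs) for s in scenarios),
                     key=lambda r: r.mean_annual_loss, reverse=True)
    return [(r, r.mean_annual_loss >= materiality) for r in results]


# Constructed findings; all estimates are assumptions for the example.
FINDINGS = [
    Scenario("Audit 'medium': no password rotation on internal reporting app",
             tef=(0.1, 0.5, 2.0), vulnerability=(0.02, 0.1, 0.3),
             loss_magnitude=(1_000, 5_000, 25_000)),
    Scenario("Audit 'medium': customer DB reachable from unpatched internet-facing host",
             tef=(1.0, 4.0, 12.0), vulnerability=(0.1, 0.3, 0.6),
             loss_magnitude=(50_000, 500_000, 5_000_000)),
]
MATERIALITY = 100_000.0  # assumed dollar threshold that justifies a mandatory InfoSec review

if __name__ == "__main__":
    for result, material in rank(FINDINGS, MATERIALITY):
        flag = "REVIEW" if material else "accept / track"
        print(f"{flag:14} mean ${result.mean_annual_loss:>12,.0f}  "
              f"p90 ${result.p90_annual_loss:>12,.0f}  "
              f"P(any loss) {result.prob_any_loss:.2f}  {result.name}")
```

Both findings carried the same "medium" label from Audit, yet the simulation separates them by orders of magnitude: the first is a control deficiency with a few thousand dollars of annual exposure, the second is genuine exposure that clears the threshold on its own. The point of the exercise is not the exact figures (the inputs are the weak link in any such analysis and should be calibrated with the people who own the asset) but getting Audit to see that the loss event and its magnitude, not the presence of a finding, are what determine whether it deserves an engineer's time.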
Speaking the same language
Now that you've whetted their appetite, the next step is to get them thinking differently about the issues they see on a daily basis; this is where the mind-changing power of FAIR training comes into play.
A realistic goal leaving the training is to have Audit understand that risk is more than just control deficiencies and findings, and that we are always searching for the loss event and how it materializes in lost dollars to the organization.
With a shared understanding of risk between the two teams, this could be the start of a beautiful friendship.