Speaking at the 2016 Techno Security & Forensics Investigation Conference

Let’s see:

  • Technology conference… check!
  • At Myrtle Beach, SC… check!
  • During the Summer… check!

I’ve attended the Techno Security & (various names here) Conference for the last few years and have always come home having learned something important. It’s a relatively small conference, but it has the tendency to attract some folks as keynotes and speakers who have some up-to-date knowledge to drop. Some of it is high government, like when the Secret Service comes and tells you about the state of the world with respect to cybercrime. Some of it is low-tech creativity, like when a guy uses a couple of Lego Technic sets to build an apparatus that automatically takes pictures of the pages of a document on an iPad – a document protected by enterprise-class rights management.

So I was very happy to be selected to speak at this year’s Techno Security & Forensics Investigation conference. If your job involves IT security and you’ve not heard of the conference, check out the talks and the keynotes. The location is wonderful. And there’s plenty to do in Myrtle Beach and the surrounding area in the summer.


Train Your IT Auditors

I hear this response all the time,

“They’re auditors. I’m going to give them exactly what they asked for.”

STOP. Don’t do this. Yes, it gets the auditors off your back this time but it doesn’t help the overall security posture of your organization. After all, if the IT auditors are asking for the wrong things and they don’t know they are asking for the wrong things, then they will look at and render a judgment based on the wrong things. As a result, your organization won’t be any more secure. Logically, all you’ve done is waste their time and YOURS because you’ve delivered something with no intrinsic value.

If you suspect that an auditor is asking for the wrong thing, don’t just deliver what the auditor has asked for. Instead, ask the auditor what he or she is trying to verify or understand. I’ll give you a recent example. I was looking at a SQL Server audit script given to me by an external auditor. Within the first 30 seconds I could see huge gaps in what they were auditing for, meaning the audit wasn’t going to achieve its goals. Because it was dealing with SQL Server and because I teach auditors how to audit SQL Server, I didn’t have to ask what they were looking for. So I simply pointed out that the scripts weren’t going to do the job and that I could sit down with them and help them understand why and what they actually needed.

Don’t waste your time. If you do, you won’t have work you can be proud of. Be willing to speak up (diplomatically… something I always have to work on) and let folks know that you think there’s an issue, why you think there’s an issue, and how you might be able to help. That last part is key, too. Otherwise, it will often be dismissed as complaining. So don’t waste your time with your auditors. Train them to understand what they need to understand to make proper calls on the operating environment.