I’m mulling over some ideas this week.  It’s probably the death-by-CBT that being a new hire has become over the past 5 years.

I work with a ton of accountants in my new job.  Obviously, they’re CPAs and Uber-CPAs, and for the most part, they’re proud of the valuable service that accountants bring to their community and to the US economy as a whole.  $Diety bless them, there is no way I have the patience to do what they do on a daily basis, and from what I gather, they feel the same way about what I do.  However, while learning the history of the accounting profession, I can’t help but notice a couple of things:

• CPAs have some strange ideas and a rich history, cross-training has some merit.
• Accountants are obsessed with compliance.  More on this later.
• Attestation that a company has not cooked the books and is headed into a downward Enron/Worldcom/Hindenburg-esque firey crash is a good thing.
• Accountants highly value attestation.
• Accountants are typically weak on planning and project management (yes, making a generalization here).
• Accountants understand risk, but only qualitative dollar risks that can be measured via actuarial means.
• Accountants perform unnatural acts with spreadsheets.
• I have to be very careful when I mention the word “controls” because somewhere in there an interpreter is needed.

And then somewhere around day 3 of CBT-Hell, it dawned on me:  we’re taking the models for accounting and applying them en-mass to information security management.  Explains quite a bit of things, doesn’t it?

Stop and think about the Federal government.  Who is really in charge of security?  Not NIST, they just write standards.  The correct answer is the Office of Management and Budget (OMB) and the Goverment Accountability Office (GAO).  In other words, the accountants and the auditors.  It’s one of those things that make you go “hmmmm”.

Now, some of this is a necessary evil.  Any good CISO will tell you that whoever controls the money controls the security, just ask a security manager who has had their budget taken away.  As a profession, we’re tied to the economics of security just as tightly as the accountants are tied to the security of IT systems to maintain integrity of accounting systems.  It’s scary when you think about it, although I don’t know if it’s scarier for them or for us. =)

There’s an obvious reason why we adopted the accounting models for security:  expediency.  In the typical CIO’s option of build-buy-outsource, we outsourced the creation and maintenance of our governance model to the accountants.  And just like outsourcing to a managed service provider who has in turn offshored some of their operations, we might not be getting what we planned at the very beginning.

But now we’re getting to the limitations of using that model:

• For the most part, we are an industry driven by vulnerabilities and risk management.
• Accounting is driven by law and oversight boards.
• What laws we have are very broad because the laws cannot keep pace with the technology.
• Information security is not reported to oversight agencies/boards/whatever to the same level of granularity as is financial information.  Imagine reporting your WSUS stats on your SEC filing.
• Even the accountants are starting to agree on a more risk-based model than a compliance model.  The latest guidance from the SEC on SoX 404 called AS-5 is a step in this direction.
• IT has a higher level of acceptable risk on both an organizational and personal level than accounting.
• The accounting model is focused on audit and oversight.  Typically this is at the end of development and/or annually.
• True success in information security management needs a full-SDLC approach.

So this is what I’m mulling over:  we maybe have a need for some better tailoring of what we’re doing.  What I really want is a large-scale method for security management that cuts out the parts of the accounting model that don’t work.

Not that I have an answer today, but it’s something I’m using my spare brain cycles to figure out.  Who knows, maybe I’ll come full-circle and reinvent the current state. =)

• In Search of a Better Catalog of Controls
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Ack! With the Mandates!
• An Open Letter to NIST About SP 800-30
• It’s a Problem of Scale!