Don't Worry. I've Got This.

Okay, it's time to address a sensitive subject.  In my post, "So Many Security Standards, Audits, and Certifications..." I laid out the reasons why I think CPAs need security professionals, and vice versa.  It is a tough subject because no one likes to hear that they are not capable of doing something, and I am no exception.  

Back in 2004, I was hired to "in-source" a previously outsourced IT function in hopes of saving the company money.  The project included everything from purchasing and setting up new equipment to bringing on additional staff.  The company ran SAP at the time, and part of my job was going to be managing SAP after the project was completed. When I was hired, I told the hiring manager that I had no experience managing SAP implementations, but that I had plenty of experience with ERP systems, so I should be able to handle it with some training and whatever documentation that was available.  

Well, needless to say, I overestimated my ability to learn SAP on the job, and quickly learned after my $7,000, one-week BASIS training class that you can't pick up SAP overnight.

My point is this: sometimes we fail to see that we don't know what we don't know.  I consider myself an IT generalist even with over 15 years' experience in the IT industry.  The fact is that the minute we step away from hands-on "doing", our knowledge becomes obsolete.

There is nothing that changes faster than technology, and if you are not ahead of it, you are ancient history.  Within the category of technology, security is at the forefront of rapid change, and there is nothing more critical for us as auditors to understand.

CPAs, here's the stark reality:  Security professionals laugh at you behind your backs when you ask for and accept "kick-the-tires" level evidence when doing so-called security audits.

Security professionals, don't get too comfortable:  CPAs laugh at your so-called "certifications", and wonder why people accept your point-in-time assurance as evidence that your environment is secure.


There, I said it.  It needed to be said, and you can get mad at me for saying it if you would like, but it is true.

Here's where the opportunity is though!!  We both need each other, and the beauty of SOC2 is that it allows us to work together.  Instead of worrying about who is going to capture more market share in the assurance space, we can collaborate and focus on defeating the hackers for a change.

If we are not careful though, SOC2 will become a kick-the-tires exercise just like SAS 70 was.  I have already been met with resistance from CPAs who think they can do it all, just like I did back in 2004.  Will they have the good sense to realize that they are wrong, like I did?  On the opposite side, will security professionals see that CPAs bring their understanding of audit methodology and documentation to the security assurance space, where it is lacking today?

3 comments:

  1. Jon,

    I saw this many times during the early 2000s when ERP systems were the hot technology topic. I partnered with many CPA firms, some with great success and others with great disappointments. It's one thing to understand accounting, posting controls and financial statements. It is totally a different animal when your accounting software depends on elements such as SQL, Pervasive, seat licensing, Enterprise Manager and SQL scripting.

    As professionals, we should recognize each other's strengths and partner in such a way that ensures the engagement's and the client's success.

  2. Hear, hear... So maybe I'm on track? Anyone from the opposing side of the argument?