Recently, I have come under fire for writing about SOC reports because I am not a CPA. It is not really relevant to you, but I think that these people would attack me even if I were a CPA. They would say that I'm not a partner of a CPA firm, I don't have enough experience in a Big 4 public accounting firm, my firm isn't audited by the PCAOB, etc., etc. The bottom line is that it is easier to challenge my qualifications for speaking than it is to debate the subject and issues I am speaking about.
Well, I'm going to come out and just say it. Just thinking about what I don't know completely blows my mind. As I write about a topic, I make sure that I know enough about what I am saying so that I can at least defend my position based on the facts that I have, but my mind remains completely open to alternate points of view and facts that I have not considered.
This is where I had an idea...there are a lot of CPAs who think they understand security, and a lot of security professionals who think they understand auditing and assurance. What if I post a few videos on deep, yet fundamental topics in each area? The goal would be to demonstrate that CPAs need true security professionals and vice versa.
Thanks to my friend @Hacksec's introduction to @SebastianThrun, I discovered a phenomenal resource called Udacity that offers free education from instructors at real institutions of higher learning, and promptly enrolled in CS387: Applied Cryptography. The videos I have embedded below are from the course. Please watch them when you have a few minutes. The ease with which the instructor explains these very fundamental yet complex principles, compared with my difficulty comprehending his words enough to pass his simple quiz, blew my mind.
My point is that when it comes to security and risk assurance, we need each other. The "we can do it all" mindset of some service auditors is not only ignorant, it is arrogant, and should not be indulged by service organizations. CPA firms need to understand that they are entering the security market for the first time. SAS 70 was not designed to provide assurance about security, nor was it accepted by people who knew better as assurance regarding security. SysTrust and WebTrust were ignored by the market for the most part.
With SOC 2 we have the opportunity to leverage each other's strengths as I enumerated in my blog posts titled "So many security standards..." and "Don't worry...", and actually make a difference in the world of security. If CPAs and security professionals join forces, we may have a real opportunity to defeat, or at least discourage those who would try to cause mayhem in our IT infrastructures.
Enjoy the topic of cryptography (cryptology to be more accurate). Perhaps I will continue the theme in another post, and concentrate on some things CPAs know that security professionals do not.
Here's the answer to the quiz. By the way, if you get this one, you are much smarter than me, but you should enroll in the course, and watch some of the other things this instructor teaches!

CS387: Applied Cryptography