Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs

Posted September 30th, 2008 by

No big surprise by now, I work for an accounting firm.  Oh, what’s that?  Oh yes, that’s right, it’s a consulting firm with a high percentage of accountants, including a plethora of CPAs.  “Accounting firm” is so 1950s-ish. =)

It’s my secret theory (well, not so much of a secret now, just between the Internet and me) that the primary problem we have in information security is that as a field we have borrowed heavily from public accounting.  The only problem is that public accounting is different from what we do.

Goals for public accounting run something like this:

  • Eliminate fraud through oversight
  • Protect the company’s money from rogue agents
  • Protect the shareholders of public companies
  • Ensure accountability of actions

Accounting for Mere Mortals Such as Security Folk

Accounting for Non-Accountants photo by happyeclair.

As a result of their goals, accountants have an interesting set of values:

  • Signatures are sacred
  • Separation of duties is sacrosanct
  • Auditing is designed to act as a deterrent to fraud
  • “Professional Skepticism” is a much-valued trait
  • Zero-Defects is a good condition

In other words, accountants live in a panopticon of transparency, the concept being that through oversight and transparency, people will not become evildoers and those that do will be caught.  Pretty simple idea, makes me think about IDS in an entirely new light.

Words that accountants use that mean something entirely different from the way you or I use them:

  • Fraud, Waste, and Abuse: They’re talking about spending money, I’m usually talking about people doing something ethically wrong.
  • Investigation: They’re looking at the numbers to see how a particular number was created.  Me, I bring the nice people with guns when I do an investigation.
  • Incident: Their version is what I would call an event.  When I call something an incident, we’re headed towards an investigation.
  • Security test and evaluation: To them, it’s a compliance audit.  To me, it’s determining the frequency that the system will fail and if we have a way to fix it once it does.  Remember this, it’s a critical difference.
  • Control: I think their version has something to do with having oversight and separation of duties.  Me, when I see this word, I think “countermeasure to a specific threat and vulnerability”.
  • Audit: An activity designed to prove that fraud has not happened.  Usually we don’t use the word unless we absolutely have to.
  • Technical: They’re talking about the highly-detailed accounting rules.  I’m talking about if you know how to build your own server and OS using lumps of raw silicon and a soldering iron.
  • Checklist: They’re talking about a sacred list that condenses all the rules into an easily-auditable format.  Me, I’m thinking that a checklist is something that will fail because my threats and their capabilities don’t fit into nice little lists.
  • Forensics: Their version is what I would call “research to find out where the money went to” and involves looking at a bunch of numbers.  My version has something to do with logs, memory dumps, and hard drive images.
  • Risk Management: This has something to do with higher interest rates for high-risk loans.  For me, it’s looking for countermeasures and knowing what things to skimp on even though the catalog of controls says you have to have it.

In short, pretty much anything they could say about our line of work has a different meaning.  This is why I believe it’s a problem if we adopt too much of their methodology and management models because they are doing similar activities to what security people do, only for different purposes.

In order to understand the mentality that we’re working with, let’s give you a couple of scenarios:

After-Work Optional Training Session: The accountants not only make you put your name on the attendance roster but you have to sign it as well.  Are they worried that you’re committing fraud by showing up at training that you were not supposed to, so they need some sort of signature nonrepudiation to prove that you were there?  No!  They just make you sign it because they believe in the power of the signature and that’s just how they do things, no matter how trivial.

The Role of Security: To an accountant, the role of security in an organization is to reduce fraud by “hack-proof” configurations and monitoring.  This is a problem in that since security is economics, we’re somehow subordinate to the finance people.

Let’s look at the world of the typical security practitioner:

  • The guidance that security professionals have is very contradictory, missing, or non-relevant.
  • Really what we do comes down to risk management, which means that sometimes it makes more sense to break the rules (even though there is a rule that says break the rules, which should freak your brain out by now if you’re an accountant).
  • We have a constantly changing environment that rules cannot keep up with.

Now this whole blog post, although rambling on about accountants, is aimed at getting a message across.  In the US Federal Government, we use a process called certification and accreditation (C&A).  The certification part is pretty easy to understand–it’s like compliance, do you have it and does it work.  CPAs will readily understand that as a controls assessment.  That’s very much a transferable concept.

But in accreditation, you give the risks to a senior manager/executive and they accept the risks associated with operating the system.  The CPA’s zero-defects world comes through and they lie on the ground doing the cockroach.  Their skills aren’t transferable when dealing with risk management, only compliance with a set of rules.

Once again, the problem with security in Government is that it’s cultural.

And don’t get me wrong, I like accountants and they do what I have neither the skills nor the desire to do.  I just think that there aren’t as many transferable skills between our jobs as there might seem on the surface.

Posted in Odds-n-Sods, Rants | 4 Comments »

4 Responses

  1.  Alfredo Reino » Archivo del Blog » Seguridad y contabilidad Says:

    […] a bit on the subject, I find this post on one of the blogs I read regularly, about the similarities (and differences) between…. Goals for public accounting run something like […]

  2.  Vlad the Impaler Says:

    You forgot my favorite word in the accountant lexicon which means something entirely different to engineers…

    TEST. (eng) to put a system, network, or other device through its paces, thereby proving its suitability for a particular purpose. To exercise a network, or system using a suite of tools specifically designed to do the above.

    TEST (acc) to run a checklist.

  3.  Kimberley Says:

    I’ll be the unpopular one who stands up for the necessary – but unpopular – audit umpire…

    It’s easy for those without a strong understanding of financial auditing, business governance controls, and IT legal liability – to make wrong assumptions about their efforts.

    Sure – there are bad CPA IT auditors. But, for every CPA who can’t audit themselves out of a checklist paper bag, there are 5 IT security assessor cowboys who have left gaping and costly “duh” non-technical IT governance gaps unaddressed.

    Harden that non-target test server without sensitive data some more while CIO and CFO collude for more fraud… and defend those sys admins to have access to do anything they like – the ones paying the assessor for the next clean audit report and beers.

    It’s not an exciting audit; but seg of duties is important – because MOST people do not do a bad thing when prevented from owning a process to self-benefit (i.e., Access Controls) or if subject to someone else’s potential ethics catching them.

    CPA firm practices tend to strain all creativity out of auditors who can think outside the box. I agree that they should focus better on the right areas for the right reasons – but we could use a lot more well-rounded and balanced folks in both IT as well as CPA firms.

    A few more years and IT security assessors will be as despised as lawyers and accountants.

  4.  rybolov Says:

    Hi Kimberley

    Note I didn’t say that accountants and auditors don’t fill a necessary function. It’s that the InfoSec world has adopted concepts from public accounting that don’t transfer very well, primarily because InfoSec has a different intent.
