Executives should love IT auditors because auditors provide something every CEO/CIO wants: a view into the operating effectiveness of their company or department. Without audit functions, a company might be wasting money and manpower, or spending a lot of time doing things that have no impact on the business.
Today, a story broke that an audit of the TSA’s security procedures revealed that “Investigators were able to smuggle weapons past airport checks in 95 percent of tests”. Stories like these are why I always recommend that executives make data-driven decisions based on tests. Otherwise, they could be wasting a lot of time and money.
According to officials briefed on the results of a recent Homeland Security Inspector General’s report, TSA agents failed 67 out of 70 tests, with Red Team members repeatedly able to get potential weapons through checkpoints.
In one test an undercover agent was stopped after setting off an alarm at a magnetometer, but TSA screeners failed to detect a fake explosive device that was taped to his back during a follow-on pat down.
In addition, the review determined that despite spending $540 million for checked baggage screening equipment and another $11 million for training since a previous review in 2009, the TSA failed to make any noticeable improvements in that time.
I see the same pattern when it comes to cybersecurity. Audits and processes are often put into place after a major event, and the value of comprehensive IT security is not realized until the damage is done. If I’m a CEO or government official, I think there is a lesson here about the value of preemptive process auditing.