Auditors and regulators: Time to hire more IT grunts?

Agency heads, acquisition officers and even CIOs don't need to be hard-core techies. FCW's four-part look at the expertise that's really required to make federal IT run.

09/15 FCW Magazine Feature.

Regulators and auditors have long been management analysts and accountants. But in a world where technology permeates everything — and presents new risks — should IT proficiency be a priority for overseers?

It becomes a matter of asking: “Do the watchers have a flashlight that works?” NASA Inspector General Paul Martin said.

It turns out those flashlights can be few and far between. Inspectors with IT proficiency are in short supply in both industry and government.

In the financial sector, for instance, four primary agencies are responsible for examining tens of thousands of institutions, as the Government Accountability Office detailed in a July report.

Although NBC News quoted Dmitri Alperovitch, co-founder of computer security company CrowdStrike, as saying that hackers could wreak “absolute havoc on the world’s financial system for years” by altering electronic bank records, there are only a handful of IT-proficient regulators.

Among the findings in GAO’s recent report:

  • The Federal Deposit Insurance Corp. has 60 “premium IT examiners” to review more than 4,000 financial institutions.
  • The Office of the Comptroller of the Currency has 100 IT specialist examiners to monitor 1,500 institutions.
  • The National Credit Union Administration has roughly 50 IT specialists for the 6,200 credit unions it monitors.
  • The Federal Reserve System has some 85 IT examiners for the 5,500 institutions under its watch.


GAO auditors said a generalist examiner who has some IT training often reviews the cybersecurity situation at small and midsize banks, which means those institutions are receiving less-than-optimal analysis and advice.

A similar scarcity persists in IG offices. At NASA, Martin said, there are 80 auditors in the IG’s office, but only five of them have IT expertise.

“They are very difficult to retain,” he said of IT-proficient auditors. “We tend to poach from each other in the IG community.”

The lack of expertise hinders thorough reviews. “I think every agency has no doubt dozens of IT audits or reviews that should be done” but aren’t due to a lack of tech-savvy auditors, Martin added.

What auditors should know

Martin has criticized the checklist nature of Federal Information Security Management Act reports in the past, noting that FISMA “doesn’t get down onto the ground” to deeply assess security.

“You don’t want to have a bus driver be the flight examiner for a Boeing 747 pilot just because he can follow a checklist,” said Montana Williams, senior manager of ISACA’s Cybersecurity Practices. “If you’re not a cybersecurity professional, how can you audit cybersecurity?”

Among the skills regulators and auditors should have is “detailed knowledge of the operating systems and the technology in operation” at the agencies or institutions they’re monitoring, said Gregory Wilshusen, GAO’s director of information security issues.

“They have to understand security policies and procedures and how they are implemented, and they have to understand technical security controls to be able to judge, ‘Are they implemented and operating as intended?’” he added.

Those skills can be difficult to pick up on the fly, which is why some experts advocate looking for people who have an IT background.

“I’ve found the best IT auditors are former IT grunts,” notes Mack, an IT auditor and author of the ITauditSecurity blog. The blog keeps a running tally of the skills IT auditors should have, from basic typing to understanding permissions and knowing how networks, applications and databases interact.

However, Williams and Martin both said that even IT-proficient auditors need continuous training to stay sharp. Williams plugged the Cybersecurity Nexus training program he runs at ISACA. Martin said IGs need to find specialized training for their auditors because the Council of the Inspectors General on Integrity and Efficiency’s training program does not offer the necessary cybersecurity courses.

Martin added that tech can be a boon, not just a burden, for regulators and auditors, and he cited the analytics work done by the National Science Foundation’s IG as an example.

In the meantime, experts advise making the most of the resources you have.

“We matrix our teams,” said Martin, explaining that one IT pro can support a bigger team of reviewers to make audits more effective.