“The Odd Couple” of community banking — security and audit

Rook Security
Published in SECOPS
Aug 27, 2015

In community banking today, the universes of information technology security and audit are anything but congruent. Much like Felix and Oscar from the stage play and television series, “The Odd Couple,” security and audit tend to fight like cats and dogs. It is as if they come from two distinct worlds, operating with completely different mindsets, often with “silo” mentalities.

Typically the security team is focused on structural and operational activities, such as patching systems, keeping anti-malware up-to-date and protecting the perimeter of the operations. Audit focuses on monitoring compliance, using regulatory guidance and internal policy as guidelines for conducting activities and measuring effectiveness. Somewhere, the two disconnect, forgetting that the ultimate goal of all activities is to strengthen the organization and provide value in meeting strategic objectives.

One of the major problems causing the separation is that the two teams often lack a full understanding of the other’s purpose, methods and means. Security personnel tend to have little or no background in audit and vice versa. Security personnel generally focus on technology and operational solutions, while ignoring or minimizing the importance of compliance issues. Auditor training for the most part focuses on regulations and guidance, rather than on technical operational issues.

Unfortunately, both IT security and audit departments are often mistrusted by other employees, as both functions tend to make work more difficult. IT security can make other jobs harder, since the sky is always falling. And audit gets in the way by “shooting the wounded.”

Instead of battling each other, both teams should be operating with the strategic goals of the business as their primary drivers. Rather than work feverishly to keep hackers at bay, security should be reviewing practices to ensure that resources are being applied and utilized where they are most needed. Audit should be looking at how and whether these activities are effective and, if not, should provide sound answers as to how to effect change, rather than criticize operations.

These efforts, combined with top-down management buy-in, can have a significant impact on getting the two departments to work constructively. Much like Felix and Oscar, they do need each other and despite often being at loggerheads, they ultimately work toward the same goals.
