Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.
Malcolm Wheatley is a freelance writer in England, and this "Judgment Calls" article was dead on with good advice, especially number four:
Strategy No. 4: Teach Them Security

Heim’s mention of a back-and-forth negotiation between auditors and security executives carries with it an important conclusion: Security-savvy auditors are a must.
Communicating with auditors as part of a cooperative process is one way of educating them about the security function. Another solution, according to Radianz’s Hession, is to obtain the requisite combination of skills and separation by turning security folks into auditors.
How can you have an effective Information Security Management System without auditors who know “Risk Management” from an IT perspective? The answer is, you can’t. And you can’t have an effective audit for legal compliance issues without IT security professionals who understand the intent of the law. To do this you must have a cooperative team that thinks like a criminal, and that is not easy to create.
The reciprocity between CSO, CIO, CRO, CFO and General Counsel is imperative if any sizeable company is going to mitigate the threats from internal and external attackers. And as this article clearly points out, a healthy mix of objectivity and anxiety is imperative if you are going to have professionals on the front lines do their jobs within the intent of the law.