Yesterday I travelled for nearly the entire day. Tomorrow I’ll travel for nearly the entire day. Today, I had about a 5 hour meeting.
I don’t know what the ratio of travel time to meeting time was, but whatever it was, it was worth it.
I’m in Raliegh, North Carolina. We had an audit today. We have them about once a year at all of our sites. This was a security audit. The format of a security audit is pretty straight forward. The client sends out an auditor. Our security person and I come out from Salt Lake City.
We then work with the various departments at our center; operations, HR, Mission Control, local desktops, account management, site management, quality assurance, compliance, senior management, security, facilities, and more.
The auditor sets the pace. He moves from group to group, sometimes agent to agent. He asks questions. He observes. He checks. It sounds confrontational. It’s actually very collaborative.
Some people view an audit like a test. We certainly perpare for it like we would an exam. But, an audit isn’t a test, it’s an evaluation. The purpose of an exam is not to find out if you did right or wrong. The point is to find the areas where you can improve.
Several years ago I worked as the IT manager for the email system of a large non-profit organization. We had a brand new Microsoft Exchange email system. It was a very large system. We had over 30,000 users. We were still in the process of tuning the email system. A process that can take up to a year. We have to figure out how much storage we need. We needed to know how big our servers needed to be. How many users we could put on each database. How many databases per server. There were dozens of metrics we were watching.
My manager called me into his office,
You know the auditors will be here tomorrow, right?
Sure, you’ve told me every day all week.
Well, audits are a big deal. The auditor will be meeting with just you for much of the day. Don’t tell him anything.
Excuse me?
I mean don’t volunteer any information. Don’t give him anything.
My manager viewed an audit like an exam. Instead, I treated like an evaluation. I figured that I could hire a consultant to help me tune my new system, or the auditor could do it for free. I viewed it as an evaluation rather than an examination.
The auditor today wanted to help us make our system better. If there was a weakness, he’d find it. Not because he wanted us to fail, but because he was interested in making us better.
Even though our audits happen once per year, we run our business on a day to day basis as if we are being audited every day. The auditor found a single issue with a security patch. We immediately patched the affected computer.
After five hours we went through our “Finding” meeting. To no one’s surprise we passed with zero issues. I almost wish the auditor had found something. After all, we can always get better.
Rodney M Bliss is an author, columnist and IT Consultant. His blog updates every weekday. He lives in Pleasant Grove, UT with his lovely wife, thirteen children and grandchildren.
Follow him on
Twitter (@rodneymbliss)
Facebook (www.facebook.com/rbliss)
LinkedIn (www.LinkedIn.com/in/rbliss)
or email him at rbliss at msn dot com(c) 2018 Rodney M Bliss, all rights reserved