For Immediate Release: Shape Minds, Build Brands, and Deliver Results with Game-Changing Public Relations (2015)
• Friday, September 26
Despite breaking every speed limit on the way, I’m twenty minutes late to the audit meeting in Building 2. When I step into the conference room, I’m stunned at how packed it is.
It’s immediately obvious that this is a high-stakes meeting, fraught with political nuance. Dick and our corporate counsel are at the head of the table.
Opposite them are the external auditors who are legally liable for finding financial reporting errors and fraud, and yet they still want to keep us as clients.
Dick and his team will try to show that everything the auditors have found is all a genuine misunderstanding. Their goal is to appear earnest, but indignant that their precious time is being wasted.
It’s all political theater but high-stakes political theater that is definitely above my pay grade.
Ann and Nancy are also here along with Wes and some other folks who look familiar.
Then I see John and do a double take.
My God, he looks terrible—like someone on his third day of quitting an addiction. He looks as if he thinks that the entire room will turn on him at a moment’s notice and tear him to shreds, which may not be that far from the truth.
Sitting next to John is Erik, who is the picture of composure.
How did he get here so quickly? And where did he change into those khaki pants and denim shirt? In the car? While he was walking?
As I sit down next to Wes, he leans toward me. He gestures at a stapled set of papers and whispers, “The agenda for this meeting is to go through these two material weaknesses and the sixteen significant deficiencies. There’s John, looking like he’s in front of the firing squad, waiting for the bullet.”
I see the sweat stains under John’s arms, and think to myself, Good grief, John. Pull yourself together. I’m the operational manager where all those IT deficiencies reside, so I’m actually the one on the firing line, not you.
But unlike John, I’ve had the benefit of having Erik’s constant reassurances that everything will work out.
Then again, Erik doesn’t have his ass on the line, and for a brief moment, I wonder whether I should be as nervous as John.
Five hours later, the conference table is covered with marked-up papers and empty cups of coffee, the room smelling stale and rank from all the tension and heated arguments.
I look up at the sound of the audit partner closing his briefcase.
He says to Dick, “Given this new data, it does appear that for the two potential material weaknesses, the IT controls may indeed be out of scope and thus can be resolved very quickly. Thank you in advance for making yourselves available to get us the documentation we need to close out these issues as expeditiously as possible.
“We will take all this under advisement and send you something in the next day or two,” he continues. “Most likely, we’ll want to schedule further testing of these newly documented downstream controls to make sure they were in place and operating—to support the financial statement assertions you’re making.”
As he stands up, I stare in disbelief at the audit partner. We really dodged the bullet. Looking around the table, the Parts Unlimited team looks equally surprised.
One exception is Erik, who just nods approvingly, obviously irritated that it took so long to finally have the auditors on the run.
The other exception is John. He looks extremely distraught, sitting with his shoulders slumped over so far that I’m suddenly concerned about his well-being.
I’m about to get up to check on John when the audit partner shakes Dick’s hand and, to my surprise, Erik gets up to give him a hug.
“Erik, it’s been a long time since GAIT and Orlando,” the audit partner says warmly. “I was sure our paths would cross again, but I never would have guessed it would be at a client engagement! What have you been up to lately?”
Erik laughs and says, “Mostly, happily sailing on my boat. A friend asked me to join the Parts Unlimited board, partly due to their external auditors making trouble with a bunch of young, bottom-up auditors who strayed off the reservation. I should have known you’d be involved.”
The audit partner looks genuinely embarrassed, and they huddle together, whispering.
For the past five hours, John, Wes, and I sat on the sidelines while the business managers walked the auditors through a precise discussion about how the IT control issues simply couldn’t lead to an undetected financial reporting error. They pulled out something called the “GAIT Principles” document and cited some of the enclosed flowcharts.
Like watching a tennis match, the ball went back and forth between our team and the auditors, using words like “linkage,” “significance,” and “controls reliance.” On occasion, Dick would trot in a bunch of experts from the relevant business areas to show that even if someone malicious managed to cause a failure in the IT control, the fraud would still be caught by another control somewhere downstream.
Managers from Materials Management, Order Entry, Treasury, and Human Resources showed that even if the application, database, operating system, and firewall were riddled with security holes and thoroughly compromised, the fraudulent transaction would still be caught by some daily or weekly inventory reconciliation report.
Over and over again, they went through scenarios that assumed all the IT infrastructure was made of Swiss cheese, where any disgruntled or wrongdoing employee or external, malicious hacker could log in and commit fraud with impunity.
But they would still detect any material error in the financial statements.
Once, Dick pointed out that an entire department of twenty people is responsible for spotting erroneous, let alone fraudulent, orders. They, and not an IT control, served as the business safety net.
Each time, the auditors, often reluctantly, agreed that controls reliance was placed on finance doing reconciliations. And not on the IT systems or the IT controls within.
This was news to me. But I certainly wasn’t going to disagree with them. In fact, if shutting up and staying silent would allow Parts Unlimited to escape all the audit findings, I’d be happy to drool and pretend to be unable to read.
“You have a minute to talk?” I hear John say beside me in a scratchy voice.
He’s still slumped over, his head in his hands.
“Sure,” I say, looking around at the nearly empty room. It’s just John and me at the large conference table, while Erik continues his whispered powwow with the audit partner in the far corner.
John looks awful. If his shirt were just a little more wrinkled, and maybe had a stain or two in front, he could almost pass as a homeless person.
“John, are you coming down with something? You don’t look so hot,” I say.
His expression turns ugly. “Do you know how much political capital I’ve spent over the last two years, trying to get everyone to do the right thing? This organization has been kicking the information security can down the road for a decade. I put absolutely everything on the line. I told them the world would end if they didn’t go beyond lip-service, and at least try to fix some of these systemic IT security issues… I mean, we need to at least pretend to care.”
From the other side of the room, I see Erik turn to look at us. The audit partner doesn’t seem to have heard John. Nevertheless, Erik puts his arm around him and collegially moves the conversation into the hallway, closing the door loudly behind him.
Oblivious, John continues, “You know, there are times when I think I’m the only person in this entire company that actually cares about the security of our systems and data. Do you know how it feels to have the entire Dev organization hiding their activities from me, and having to beg people to tell me where they’re meeting? What is this, elementary school? I’m only trying to help them do their jobs!”
When I don’t say anything, he just sneers at me. “Don’t look at me like that. I know you look down at me, Bill.”
I look at him with genuine surprise.
“I know you never read my e-mails. I have to call you to even get you to open them up—I know, because I get the read receipts while we’re on the phone, you asshole.”
But I’ve read many of his e-mails without him having to call me first. However, before I can respond, he barrels forward, “You all look down on me. You know, I used to manage servers, just like you do. But I found my calling doing information security. I wanted to help catch bad guys. I wanted to help organizations protect themselves from people who were out to get them. It came out of a sense of duty and a desire to make the world a better place.
“But ever since I’ve been here, all I do is fight the corporate bureaucracy and the business, even though I’m trying to protect them from themselves.” Laughing harshly, he says, “The auditors were supposed to put the screws on us. They were supposed to punish us sinners for our ungodly ways. And you know what? All afternoon, we just watched the audit partner pamper us with kid gloves. What is the point of even having an information security program at all? Even the auditors don’t care! Everything just got brushed under the rug for the cost of a golf game.”
John is almost shouting, “Our auditors should be put on trial for incompetence! All those findings they dismissed were basic hygiene issues! We live in a churning cesspool of risk. I’m amazed this place doesn’t just collapse under its own weight from lack of caring. I’ve waited for years for everything to come crashing down upon us.”
He pauses, whispering, “And yet, here we still are…”
Just then, Erik enters the room again, slamming the door behind him. He grabs the seat closest to the door and looks sternly at John.
“You know what your problem is, Jimmy?” Erik says, pointing his finger at him. “You are like the political commissar who walks onto the plant floor, proudly flashing your badge at all the line workers, sadistically poking your nose in everybody’s business and intimidating them into doing your bidding, just to increase your own puny sense of self-worth. Half the time, you break more than you fix. Worse, you screw up the work schedules of everyone who’s actually doing important work.”
This is going way overboard.
John sputters, “Who do you think you are? I’m trying to keep this organization secure and keep the auditors away! I’m—”
“Why, thank you for nothing, Mr. CISO,” Erik says, interrupting him. “As you just observed, the organization can keep the auditors away without you having to do anything at all. You are like the plumber who doesn’t even realize that you’re servicing an airplane, let alone the route you’re flying, or the business condition of the airline.”
By now, John is white as a sheet, his jaw hanging open.
I’m about to intervene on his behalf, when Erik stands up and shouts to John, “I don’t have anything further to say to you until you prove to me that you understand what just happened in this room. The business managed to dodge the SOX-404 audit bullet, without any help from your team. Until you figure out how and why, you don’t have any business interfering with the daily operations of this organization. This should be your guiding principle: You win when you protect the organization without putting meaningless work into the IT system. And you win even more when you can take meaningless work out of the IT system.”
He then turns to me and says, “Bill, you just may be right. You guys around here sure seem to have completely screwed up information security.”
I never said any such thing. I turn to look at John, intending to convey that I have no idea what he’s talking about, but John doesn’t notice me. He’s staring at Erik with an expression of intense hatred on his face.
Erik says to me, pointing his thumb at John, “This guy is like the QA manager who has his group writing millions of new tests for a product we don’t even ship anymore and then files millions of bug reports for features that no longer exist. Obviously, he is making what you and I would call a ‘scoping error.’ ”
John is shaking with outrage. He says, “How dare you! As a potential board director, I can’t believe you’re telling us to put our customer data and financial statements at risk!”
Erik looks calmly back at John. “You really don’t get it, do you? The biggest risk to Parts Unlimited is going out of business. And you seem hell-bent on making it go out of business even faster, with all your ill-conceived, irrelevant technical minutia. No wonder you’ve been marginalized! Everyone else is at least trying to help the business survive. If this were an episode of Survivor, you’d have been voted off a long time ago!”
By now, Erik is standing over John. “Jimmy, Parts Unlimited has at least four of my family’s credit card numbers in your systems. I need you to protect that data. But you’ll never adequately protect it when the work product is already in production. You need to protect it in the processes that create the work product.”
Putting his hands in his pockets, he says more softly, “You want a clue? Go to MRP-8 plant and find the plant safety officer. Go talk to her, find out what she’s trying to accomplish and how she does it.”
Erik’s expression brightens slightly and he adds, “And please convey my regards to her. I’ll be ready to talk with you again when Dick says he actually wants you around.”
With that, he walks out the door.
John looks at me, “What the hell?”
Pulling myself out of my chair, I say, “Don’t let it get to you. He says similar things to me. I’m exhausted and I’m going home. I suggest you do the same.”
John stands up wordlessly. With the calm expression remaining on his face, he pushes the three-ring binder off the table. It hits the ground with a large thump, all the contents scattering everywhere. Hundreds of pages are now strewn across the floor.
He looks at me with a humorless smile and says, “I will. Go home, that is. I don’t know if I’ll be in tomorrow—or ever. What’s the point, really?”
He then walks out of the room.
I stare at John’s binder, not quite believing he discarded it so carelessly. He’s been carrying it around for over two years. In front of where he was sitting is a single piece of paper, almost blank with a few lines scribbled on it. Wondering if it’s a suicide note or a resignation letter, I sneak a quick peek at what appears to be a poem.
Here I sit, hands tied
Room angry, I could save them
If only they knew