Auditors go undercover to test companies' cyber security

Picture an auditor. It’s probably a pretty mundane picture, right? Business suit, clipboard, geeky glasses.

However, a select group of auditors better resemble special ops troops: black hats, olive shirts, burglary tools.

"We have guys that dress up," said Michelle Misko, of Trace Security, a firm that specializes in unique audits.

Misko said companies large and small are increasingly hiring auditors who pose as contractors. Dressed in work garb, their mission is to test security controls – one door at a time.

"They go in and try to get access to the computer rooms," she said. "We're not stealing the data, but we're preventing people from doing that."

Misko said her brand of surreptitious auditing is part of a wide range of undercover audits helping maintain cyber security.

"It's very important for all consumers,” she said. ”They just don't know about it."

We met Misko at a recent meeting of the Information Systems Audit and Control Association (ISACA).

The crowd of 1,000 included experts in many arenas. Some search for criminal patterns in data; others aim to reinforce firewalls, passwords, and such. All are focused on fighting hackers.

"Cyber security is everyone's business," said ISACA President Robert Stroud.

Stroud said auditing functions previously focused on accounting operations, but in the digital age, double-checking IT systems is paramount. 

"It all has to work together now," Stroud said.

Sal Apollo agrees. He works with Software Engineering of America, a firm that helps bridge the gap between traditional audits and IT audits. 

Apollo called it essential work that goes on in the background.

"I talk to family members that are not in the technology arena, like I am, and they have no clue what's going on," he said.

Misko, whose firm dispatches the “cable guy” to look for physical breaches, took the same position. She says her firm is committed to staying one step ahead of data thieves by thinking like them.

In some cases, that means dumpster diving, she said.

"If you've thrown paperwork and not shredded it, now we're going through that trying to see what information -- what privileged information -- we can gain from that," she said.

An ordinary trash dumpster. The unlikely front line in the extraordinary battle against data breaches.