With cybersecurity becoming a greater priority for both corporate leaders and their internal auditors, the organizations that are the best at managing information security risks are the ones whose boards are most engaged in addressing them, a recent Protiviti report observes. The report, From Cybersecurity to Collaboration (PDF), surveyed 800 internal auditors worldwide.
Thirty percent of respondents say their organization's board is highly engaged with the information security risks facing the business, while 41 percent say the board has medium engagement and 14 percent say it has low engagement. Respondents say high board engagement translates into greater confidence in the organization's ability to identify (47 percent), assess (43 percent), and mitigate (39 percent) cyberrisks to an acceptable level.
Moreover, organizations with high board engagement (69 percent) are more likely than other organizations (46 percent) to include cybersecurity in their internal audit plan. Overall, 53 percent of respondents say evaluating and auditing cyberrisks is part of their audit plan, while another 27 percent expect to add it to next year's plan. Top cyberrisks they are addressing include data security, brand and reputational damage, regulatory and compliance violations, leakage of employee personal information, and viruses and malware.
"Across the globe, businesses are continuing to experience cybersecurity issues, challenges, and breakdowns," says Brian Christensen, executive vice president of Protiviti's global internal audit and financial advisory group. "Those professionals who continue to engage board members and define cybersecurity measures within their annual audit plans will be poised to effectively mitigate future threats."
Protiviti's findings are comparable to responses to The IIA's latest North American Pulse of Internal Audit survey, in which 69 percent of the 311 internal audit respondents view cyber threats as a critical or high priority. Organizations that include cybersecurity in their audit plan are more likely to have a cybersecurity risk strategy and policy, Protiviti reports. Seventy percent of organizations that have included information security in their audit plan also have a cyberrisk strategy, and 65 percent have a cybersecurity policy in place. Among organizations that didn't include it in their audit plan, the percentages were 42 percent and 39 percent, respectively.
Most responding organizations address cyberrisks in their overall risk assessment or through a separate assessment. In organizations that perform such assessments, human resources (69 percent), internal audit (48 percent), and executive management (44 percent) have the most significant involvement. Seventeen percent say the audit committee is significantly involved, but another 43 percent say it is moderately involved.
Cyber Skills in Demand
Moves by internal audit departments to focus more on cyberrisks are complicated by their continued struggle to fill information security skill gaps. Protiviti's respondents say auditing IT security is the audit process area they most need to improve. They rate learning the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, released last year, second among general technical knowledge areas needing improvement. In general, 12 of the 13 top "needs improvement" areas cited in the report pertain to IT risks and directives.
Respondents to The IIA's Pulse survey ranked cybersecurity and privacy third in terms of skills their departments are lacking. These skills are the second-most difficult to hire, behind general IT skills, respondents say. To fill the void, 37 percent of respondents' organizations are outsourcing for these skills, while 23 percent are recruiting them.
Faced with growing cyberrisks, greater board interest, and a skills gap, the Protiviti report advises internal audit to take several actions. Chief among these are working with the board and management to develop a cybersecurity strategy and policy and seeking to increase the organization's ability to identify, assess, and mitigate information security risks "very effectively." Other recommended actions include:
- Recognizing the potential for breaches due to employee or business partners' actions.
- Heightening the board's awareness of cyberrisks and its engagement in cybersecurity matters.
- Integrating cyberrisk into the audit plan.
- Evaluating the cybersecurity program against the NIST Cybersecurity Framework and other frameworks.
- Making cybersecurity monitoring and incident response a top management priority.
- Addressing audit staffing and resource shortages.
In its introduction, the Protiviti report asks, "Will 2015 be a repeat of 2014 and become the year of the data breach?" Every week, there seem to be new security incidents in the headlines and new reminders that organizations aren't as prepared as they should be — or believe themselves to be. As the Protiviti report suggests, internal audit can contribute to making cybersecurity a priority with corporate leaders and an integral consideration in business processes. But many internal audit departments have much to do before they are capable of making a difference in security initiatives.