They were warned. Computer hackers, nations, organized criminals, and malicious employees were after their data — using malware, email phishing, social engineering, and old-school hacking. But whenever an organization fell victim, the response of their peers often was, "It couldn't happen here."
Then the biggest prey began to fall — the Target breach in December 2013, then Home Depot, JPMorgan Chase, Sony, Anthem, the U.S. Internal Revenue Service, and U.S. Office of Personnel Management. Now cybersecurity has the attention of corporate boards. Now directors want to know whether the business' data and digital assets are protected, what the threats are, and whether the organization can respond. "Virtually any organization can be hacked by a determined adversary," says Eddie Schwartz, chief operating officer of cybersecurity firm WhiteOps in New York and chairman of ISACA's Cybersecurity Task Force. "These attacks have reaffirmed to directors and C-level executives that cybersecurity has to be top-of-mind for themselves and for their people."
But the answers to the board members' questions may not be what they want to hear: It's not a matter of whether the organization has had a breach; it's a matter of when and whether it was detected in time. Information security research firm Ponemon Institute reports that the mean time for large organizations to detect a security breach is 206 days, while information security firm Trustwave says up to 71 percent of incidents go undetected. Equally troubling, less than half of IT professionals and IT auditors surveyed recently by ISACA and RSA Conference are confident their organization could detect and respond to a serious breach.
In many organizations, boards and senior executives are turning to internal audit for assurance about the strength of their cybersecurity defense and response capabilities to protect against financial, operational, and reputational damage. If internal audit is going to meet this need, auditors will need to quickly get up to speed on the latest threats and raise their cybersecurity skills.
The Board Is Asking Questions
This year for the first time, cybersecurity broke into the top 10 risk priorities of respondents to Aon's Global Risk Management Survey, coming in ninth. Travelers Business Risk Index ranks it No. 2. Small wonder then that 80 percent of public company board members report their board discusses cybersecurity at most or all board meetings, according to a recent survey by New York Stock Exchange Governance Services and security vendor Veracode.
Such discussions have been a regular part of the board agenda at Huntington Ingalls Industries since the company spun off from defense contractor Northrop Grumman Corp. in 2011, says Scott Stabler, vice president of internal audit for the Newport News, Va.-based company. Because the bulk of its business is government defense contracting, the company has long been concerned with ensuring tight control over data, information systems, and access. "It's something that's central to the way we think about the business," he explains.
These days the board is asking Stabler and the company's IT leaders how the cybersecurity threat is evolving and what is being done to protect data, respond to the latest threats, and ensure the company's ability to continue to do business. More recently, as Huntington Ingalls has expanded beyond its two shipyards into environmental and energy markets, management has been considering how to come up with a common organizationwide approach to cybersecurity in a more diverse operating environment and tailor market-appropriate cybersecurity solutions for each business. "The board wants to understand how our audit program gets at these issues," Stabler says. "They ask about what kinds of things we find as we do our audit and what kinds of recommendations and corrective actions we are putting into play with our counterparts in IT."
Michael Corey, U.S. internal technology audit services leader at PricewaterhouseCoopers (PwC) in San Francisco, says in today's risk environment, board members should be asking their organization's executives, IT leaders, and internal auditors three basic questions: What is the organization's risk? What is it doing about that risk? And, is it doing enough? "Most of the boards that we interact with are trying to understand one of those three questions," he says.
The Cost of Cybersecurity
As with all risk considerations, the cyberrisk discussion ultimately must address costs. How much should the organization invest in cybersecurity controls and other measures? How much will a serious breach cost the organization? Organizations often struggle to determine whether the cost of cybersecurity is worth the investment.
Consider Sony. In a 2007 interview with CIO Magazine, Sony Pictures’ executive director of information security at that time said, “I will not invest US$10 million to avoid a possible US$1 million loss.” Sony now estimates that the financial cost of investigating and remedying last year’s breach so far is US$15 million, according to a March 30
Not surprisingly, organizations are expected to spend US$76.9 billion on cybersecurity this year worldwide, up from US$71.1 billion in 2014, according to research firm Gartner. However, in its latest Global State of Information Security Survey, PricewaterhouseCoopers (PwC) reports that cybersecurity budgets decreased 4 percent in 2014, with companies with less than US$100 million in revenues spending 20 percent less than in 2013.
Meanwhile, Ponemon Institute’s 2015 Cost of Data Breach Study puts the average cost of an information security breach at a large company at US$154 per record. A similar study by Verizon, however, estimates the cost at just 58 U.S. cents per record.
One trend PwC’s Michael Corey sees is a move away from investing in preventing incidents and toward quicker detection. In today’s threat environment, prevention can be like “putting another deadbolt lock on a screen door,” he says. Some of the headline-making breaches weren’t detected for as long as 15 months. “If you can identify the threat actor in your environment and shut it down in a short period of time, it doesn’t give that threat actor time to learn about the information flow and where it resides,” he says. “They’re significantly hampered in their ability to extract value.”
The organization's cyberrisk profile drives resource allocation decisions (see "The Cost of Cybersecurity," above). "Ultimately what boards, audit committees, and executive management teams are faced with is understanding what the risk profile is and determining how many resources they're going to allocate to manage those risks," Corey explains.
The National Association of Corporate Directors' (NACD's) 2014 handbook, Cyber-risk Oversight, discusses five principles that should guide boards' cyberrisk discussions. Chief among these is treating cybersecurity as an enterprisewide risk, rather than an IT risk. Additional principles cover the legal implications of cyberrisks, seeking advice from cybersecurity experts, establishing a cyberrisk management framework, and discussions with management about which risks to avoid, mitigate, or transfer. A 2014 IIA/ISACA research report, Cybersecurity: What the Board of Directors Needs to Ask, uses the NACD's cyberrisk principles as the basis for board inquiries about cyberrisk (see "Six Questions From the Board," below).
A Common Language
Just because boards are asking questions about cybersecurity doesn't mean they are getting the information they seek or understanding the answers they receive. In a recent Raytheon survey, 78 percent of information security officers say their board hasn't been briefed about cybersecurity in the past 12 months. And just 62 percent of C-level executives of large U.S. companies surveyed by Tripwire consider their board to be "cybersecurity literate," with 32 percent saying the board has a good understanding of information security issues.
But knowledge gaps work both ways, says David Meltzer, chief research officer at Tripwire, based in Portland, Ore. "Most boards and C-level executives would say they are cybersecurity literate today, and they probably wouldn't have said that five years ago," he explains. "But if you ask that question at the risk level — 'How much do the IT professionals know about risk and governance?' — it may not be as much."
Bridging those gaps is difficult because there is no generally accepted cybersecurity framework, Meltzer says. Instead the board, management, IT, information security, and internal audit may all have their own points of reference. Meltzer and other security experts recommend establishing a common framework that enables everyone in the organization to speak the same language about cyberrisk. Among the many frameworks are the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, the International Organization for Standardization's ISO 27001, and ISACA's COBIT. Organizations may also be subject to specific cybersecurity requirements included in the U.S. Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, and similar industry regulations or standards.
Late last year, Travis Finstad and his internal audit team at Zions Bancorporation in Salt Lake City used the NIST Cybersecurity Framework to perform an organizationwide cybersecurity health check. The auditors rated the company's maturity in each of the framework's five domains on a five-point scale, noting what security controls were in place and whether there were any opportunities for improvement. Finstad, Zions' senior vice president and director of internal audit, shared their report with the board, management, and the IT department. The health check and a common framework helped the board and management have a common understanding of the organization's cybersecurity risk landscape, strategy, and controls. "Cybersecurity is a business risk," Finstad says. "Once an incident happens, then it's about how you are going to respond and communicate with the public and your customers. These are things you want to have discussed and practiced before an event occurs."
The framework also provides a basis for working with the information security team. "Having a framework gives them a way to measure their progress, and it gives us a way to comment on it," he says. "Just as the hackers are constantly evolving with their methods and technology, we need to do the same."
Getting at Cyberrisk
As the NACD guidance recommends, organizations increasingly are treating cybersecurity as an enterprisewide risk. Pervez Bamji, vice president and general auditor at technology company Pitney Bowes in Stamford, Conn., says cybersecurity is firmly part of its enterprise risk management program and internal audit universe. "There is no audit or review that you do in this day and age that is not security related," he explains.
Like many boards, Pitney Bowes' directors are concerned with protecting the company's data (see "Protecting Customer Data"). Its internal auditors start by looking at cyberrisk at an organizational level. They conduct an inventory of the company's data assets to determine what data needs to be protected and how it is currently being protected. Another consideration is who the data must be protected from — both outside and inside the company. From there, auditors review policies and procedures over data and how the organization monitors compliance with them. Another general concern is how the company educates employees about data security, an area where many organizations fall short (see "The Trouble With Awareness Training" at the end of this article). Next, they drill down to specific technical details such as whether the organization is applying patches, performing reviews of firewalls and data centers, and reviewing the security that third parties have in place.
This detailed approach requires ongoing collaboration and discussions with the IT and information security functions. "You can't work without having a close relationship," Bamji says. "That's not to say we don't have different points of view now and then. But we can learn from them and they can learn from us."
That collaboration needs to extend to cybersecurity stakeholders throughout the organization. At Huntington Ingalls, cybersecurity involves information security, human resources, and compliance personnel. "IT alone is not going to solve the cyber riddle," Stabler says.
Another good practice is benchmarking cybersecurity against other organizations in the same industry or that are of the same size. Industries such as energy, financial services, and technology have information sharing and analysis centers where companies can share information about the latest information security threats and benchmark their practices against others. Moreover, the U.S. government has announced plans to create centers that encourage companies to share threat and breach information with the government in hopes of improving cybersecurity nationally. "There's a lot of interest in hearing what other organizations are doing and ultimately using that information to better protect U.S. companies," says PwC's Corey, who participated in discussions about the centers at the RSA Conference in April.
Meltzer suggests another tactic: war-gaming. When a breach happens to another company, internal auditors and cybersecurity professionals should perform simulations to see how those attacks succeeded, whether a similar attack could happen to their organization, what it would have cost the organization, and whether the organization would have responded differently. "That can give you some concrete information that the board understands," he says.
Six Questions From the Board
The joint IIA/ISACA research report, Cybersecurity: What the Board of Directors Needs to Ask, uses the NACD’s Cyber-risk Oversight guide as a starting point for determining what boards should be asking management and internal audit. Author Sajay Rai, CEO of Securely Yours, lists six questions:
- Does the organization use a cybersecurity framework?
- What are the organization’s top five cybersecurity risks?
- How are employees made aware of their role in cybersecurity?
- Does the organization consider external and internal threats when planning cybersecurity program activities?
- How does the organization manage information security governance?
- In the event of a serious breach, has management developed a robust response protocol?
In August, The IIA and ISACA will release a new research report, the Cyber-resilient Enterprise: What the Board of Directors Needs to Ask.
Facing the Talent Shortage
One issue CAEs are talking about with their peers is how challenging it is to hire and retain auditors with cybersecurity knowledge. "When I go to industry forums, I hear the moaning of the damned as people describe the search to find those experts," Stabler says.
That's a problem they share with IT executives. There are an estimated 600,000 unfilled information security jobs worldwide. Nearly half of the respondents to the ISACA/RSA Conference Security survey say 25 percent or fewer of candidates for information security jobs are highly qualified for those positions, and job openings can remain unfilled for as long as six months.
Stabler suspects he'll be testing the waters soon, while Finstad says he's always on the lookout for IT audit talent at Zions. Recruiting qualified IT auditors is less of a worry for Bamji at Pitney Bowes, because candidates often are attracted to working at technology companies.
While there is a shortage of candidates with advanced security skills, one of the biggest shortcomings of security professionals is business skills, Schwartz notes. This can make it hard for IT security personnel to communicate technical issues to the board and management. "There's often a perception that there's not a relationship between what really matters to business leaders and C-level executives and what constitutes success in the technical IT realm," he says.
Enlisting the communication function to help translate can be of value, as the internal audit and IT functions at Pitney Bowes have done. But Schwartz says this is an area where internal audit can build a bridge between organizational leaders and the IT function. To do this, internal audit will need to find and enhance its cybersecurity knowledge.
Training and Certification
Internal audit functions can obtain cybersecurity training through webinars, seminars, and conferences. Cybersecurity is among the training auditors at Huntington Ingalls must pursue as part of their annual continuing education, which helps the department supplement the expertise of its one IT specialist. Pitney Bowes has the luxury of five IT auditors, but Bamji is now considering having all of his team members pursue IT certifications.
Recruit Cybersecurity Specialists
Internal audit departments that lack IT auditors can gain expertise by hiring cybersecurity experts and then training them in internal audit. In some cases, they may bring in experts from their organization's IT function on a rotational basis, as Stabler is considering doing at his company.
Outsourcing/Cosourcing
Similarly, internal audit departments can bring in expertise from outside firms. This can enable them to benefit from economies of scale, as the outside advisers often possess knowledge about current threats and control strategies culled from working with other clients, Schwartz says. Organizations may assign some pieces of cybersecurity audits, such as operational aspects, to outside experts, while keeping more sensitive aspects in-house.
Automate
Much of the information security audit process can be very manual, involving going through logs and gathering information for analysis. Increased use of audit analytics and other technologies can streamline the work and time involved, enabling auditors to focus on their analysis, Meltzer says.
Making It Top of Mind
With security breaches becoming more common and striking bigger targets, it's easy to think the public will become desensitized to them and the reputational risk might be diminished. "The Target breach made big news," Meltzer says. "But will the 50th retailer to have millions of records breached still be big news?"
That still leaves the financial and operational damage from losing data and remedying security breaches. But Meltzer is optimistic that more organizations will begin to tie their cybersecurity programs to real risks and implement more effective security controls. This may enable them to detect breaches more quickly before the damage is done and perhaps even prevent future attacks.
The demand for internal audit to advise and provide assurance on cybersecurity isn't likely to abate. The cyberthreats are coming from all sides, and the attackers only have to be successful once. "Don't let down your guard," Bamji says. "Cybersecurity has to become second nature — and not just for technology audits, but with everything we do."
The Trouble With Awareness Training
Nonmalicious insiders are one of the biggest cyberthreats organizations face. Employees mean well, but they often fall prey to phishing emails and social media messages that can provide a gateway for an attack on
Historically, one of the first things cybersecurity companies and advocates advise organizations to do to protect themselves is establish an information security awareness and training program for employees, contractors, business partners, and even customers. But the recent ISACA/RSA Security survey reveals a troubling finding: Organizations that have such programs actually suffer more security breaches.
Eddie Schwartz, chairman of ISACA’s Cybersecurity Task Force, says the problem may be that some awareness programs don’t provide much training at all. Instead, many may ask participants to read some information online or sit through a session on security, answer a few questions, and then sign off that they’ve completed the program. “That’s great, but that’s no evidence that a person is going to behave properly in a situation where they receive an email with some malware in it,” he says.
Instead, Schwartz says training should take participants through various types of security scenarios such as receiving a phishing message. Then, the organization should test what they’ve learned by sending users phishing emails that are targeted at someone in their job position and measuring whether they respond to them. Targeting employees with messages based on their actual job function is important, because the way the organization will address an attack may differ depending on the sensitivity of the department, Schwartz says. If participants fail the test, the organization should provide remedial training and explain why they went wrong. “Continue to hammer at that until it really does improve,” he advises.
PwC’s Michael Corey says he’s beginning to see some of his clients perform this kind of training and that it delivers positive results. “What I like about these types of exercises is you’re touching the user base and you can get back to them with very specific data,” he says. “That’s a powerful statement that connects back to a specific behavior that you’re trying to modify.”
The shortage of information security professionals has many organizations looking to high schools and middle schools. Read "The Next Generation of Cybersecurity Experts."