Despite organizations increasing cybersecurity spending by 23 percent last year, successful security breaches rose 27 percent compared to 2016, according to the 2017 Cost of Cyber Crime Study. The joint study by Accenture and the Ponemon Institute is based on interviews with more than 2,100 cybersecurity and IT professionals worldwide. To find out what went wrong, researchers looked at the value organizations gained from nine areas of cybersecurity investments. What they discovered is that organizations are investing in the wrong areas when it comes to cybersecurity and risk.
Take perimeter security, for example. Advanced perimeter controls are the highest spending category, while being fifth in cost savings. Yet, focusing primarily on perimeter security makes less sense when most companies can’t even define their perimeter in the age of the Internet of Things. Research firm Gartner predicts there will be 20 billion internet-connected devices by 2020, up from 6 billion devices in 2014.
As the attack surface continues to expand, organizations need their cybersecurity and internal audit functions to partner so that resources are deployed against cyber threats more effectively. Cybersecurity teams and executive management can leverage internal audit’s insight into organizational risks to invest in the areas that provide the greatest protective and efficiency value to the business. To build this relationship, both internal audit and cybersecurity professionals will need to change how they work, collaborate on cybersecurity and risk management strategies, and inform executive management together.
Neither cybersecurity professionals nor internal auditors are wholly innocent when it comes to how they work together. Too often, cybersecurity teams are defensive when it comes to internal audit. They don’t want to look bad in front of their peers and management, so they try to conceal their flaws from auditors. At best, this produces a strained relationship between internal audit and cybersecurity, and at worst, it exposes the business to vulnerabilities and threats.
Executive management needs clear information about the risks so it can make the best decisions on where to spend resources to enable the business to operate securely. Internal auditors can help cybersecurity professionals provide this information by acting as a second pair of eyes that finds security flaws before a malicious user can exploit them. In addition, a strong relationship with auditors gives the cybersecurity team a broad view of the organization and its risks. Otherwise, the cybersecurity team can lose sight of the organization’s overall risks as it concentrates on protecting the business’ systems and assets. Finally, with its access to executive management and the board of directors, internal audit can communicate the severity of risks and their impact on the business when the cybersecurity team cannot get the appropriate visibility.
Ignoring Cybersecurity Plans
Internal auditors share blame, too. Often, auditors are quick to make independent assessments outside of the cybersecurity team’s plans, which can lead to inappropriate prioritization of risks. Consider this example:
Bill performs an IT security audit of his business. While planning his audit, he researches the generally accepted frameworks, best practices, and the company’s IT security policies. Bill does not consider the cybersecurity team’s roadmap or plans, which show that the team’s No. 1 priority is to shore up the business’ asset management program.
During the fieldwork, Bill finds that not all systems have the appropriate security agents installed on them. He reports his finding and a management action plan and date are set. Because the company takes internal audit seriously, that action plan takes priority over the cybersecurity team’s roadmap.
The problem with this scenario is that if the cybersecurity team is forced to concentrate on agent deployment, it can’t shore up its asset management. Without a clear understanding of its hardware and software assets, the business cannot know whether agent deployment is actually complete, so the same finding is likely to recur: an agent rollout driven from an incomplete inventory never reaches the systems the inventory does not list. Without a clear partnership between internal audit and cybersecurity, the business may overspend and under protect its assets.
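The dependency in Bill’s finding can be made concrete by reconciling three data sources: the asset inventory (CMDB), the endpoint agent console’s last check-in list, and a network discovery sweep. The script below is an added example and is not from the article or from any particular product; all host names, owners and timestamps are constructed, and the seven-day staleness threshold is an assumption. It shows that an agent-coverage report built from the CMDB alone cannot see the hosts the CMDB does not know about, which is exactly why the cybersecurity team put asset management first.

```python
"""Reconcile an asset inventory against endpoint-agent check-ins and a
network discovery sweep.

Added example, not from the article. All data below is constructed.
Assumed inputs: a CMDB export (host, owner, env), the agent console's
last-check-in export (host -> ISO 8601 UTC timestamp), and a set of host
names seen on the network (e.g. DHCP leases or an ARP sweep). Assumption:
an agent that has not checked in for more than MAX_AGE_DAYS counts as
absent for coverage purposes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 7  # assumed staleness threshold

# Constructed CMDB export (hypothetical host names).
CMDB = [
    {"host": "web-01", "owner": "ecommerce", "env": "prod"},
    {"host": "web-02", "owner": "ecommerce", "env": "prod"},
    {"host": "db-01", "owner": "ecommerce", "env": "prod"},
    {"host": "build-07", "owner": "platform", "env": "dev"},
]

# Constructed agent console export: host -> last check-in (UTC).
AGENT_CHECKINS = {
    "web-01": "2018-03-01T10:00:00Z",
    "db-01": "2018-02-10T10:00:00Z",   # checked in, but too long ago
    "lab-03": "2018-03-01T09:00:00Z",  # has an agent, but is not in the CMDB
}

# Constructed network discovery sweep.
DISCOVERED = {"web-01", "web-02", "db-01", "build-07", "lab-03", "printer-9", "nas-old"}

NOW = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed so the run is reproducible


@dataclass
class Reconciliation:
    no_agent: list[str] = field(default_factory=list)        # in CMDB, never checked in
    stale_agent: list[str] = field(default_factory=list)     # in CMDB, last check-in too old
    unknown_to_cmdb: list[str] = field(default_factory=list) # seen on the wire or in the agent console, absent from CMDB

    def coverage(self, inventory_size: int) -> float:
        """Fraction of inventoried assets with a fresh agent.

        Deliberately ignores unknown_to_cmdb: this is the number an audit
        finding based on the CMDB alone would report, and it is flattering
        precisely because unknown hosts are not in the denominator.
        """
        if inventory_size == 0:
            return 0.0
        covered = inventory_size - len(self.no_agent) - len(self.stale_agent)
        return covered / inventory_size


def _parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(cmdb, checkins, discovered, now=NOW, max_age_days=MAX_AGE_DAYS) -> Reconciliation:
    """Classify every known and observed host; lists are sorted for stable output."""
    result = Reconciliation()
    inventory = {row["host"] for row in cmdb}
    cutoff = now - timedelta(days=max_age_days)

    for host in sorted(inventory):
        last_seen = checkins.get(host)
        if last_seen is None:
            result.no_agent.append(host)
        elif _parse_utc(last_seen) < cutoff:
            result.stale_agent.append(host)

    # Hosts that exist on the network or report to the agent console but are
    # missing from the CMDB: an agent rollout driven from the CMDB will never
    # target them, and a CMDB-based coverage figure will never count them.
    result.unknown_to_cmdb = sorted((set(discovered) | set(checkins)) - inventory)
    return result


if __name__ == "__main__":
    r = reconcile(CMDB, AGENT_CHECKINS, DISCOVERED)
    print("inventoried assets with no agent:   ", r.no_agent)
    print("inventoried assets with stale agent:", r.stale_agent)
    print("hosts unknown to the CMDB:          ", r.unknown_to_cmdb)
    print(f"agent coverage of known assets:      {r.coverage(len(CMDB)):.0%}")
```

On the constructed data the CMDB-based coverage figure is 25 percent, but three further hosts (a lab box with an agent, a printer and an old NAS) are outside the inventory entirely; the agent-deployment action plan in the example would never schedule them, and the next audit would find them again. Running the reconciliation regularly and tracking `unknown_to_cmdb` over time is a reasonable shared metric for the audit and cybersecurity teams.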
Internal audit itself stands to benefit from partnering with the cybersecurity team. Cybersecurity professionals are often deep experts in their field with access to the latest research from security-focused professional associations. They can give auditors a better understanding of current and upcoming threats to the business and how those threats interact with other business risks.
Auditors also can benefit from learning how the tools and strategies the cybersecurity team has deployed work together to build defense in depth. Often, auditors have a single, fixed view of how a certain set of controls should be implemented to protect an area of the business. For example, developer access to production historically has been considered a security issue that must be addressed, with clearly defined segregation of duties. However, DevOps and continuous-release change management are blurring the lines of traditional segregation-of-duties risks. Today, small, agile teams rapidly create, test, and auto-deploy application code, which would be impossible in a traditional segregation-of-duties-based development life cycle. Partnering with the cybersecurity team will help auditors understand both the risks this new way of working brings to the business and the compensating controls, such as peer review and automated pipeline checks, that replace the old manual hand-offs.
A successful collaboration between cybersecurity and internal audit requires two essential ingredients: communication and empathy. Communication should happen at least monthly, and at least quarterly the two functions should hold a meeting with a full agenda covering risk management, cybersecurity threats, and plans. The other meetings can be less formal, with some emphasis on getting to know people in order to cultivate empathy.
Empathy is about walking in someone else’s shoes. There is no better way to do that than to actually do that person’s job. Cross-training employees can help an organization be successful. Because internal audit and cybersecurity have a common concern with risk management, they are a natural fit for job rotations between them.
Another way to build empathy is to have internal audit and cybersecurity team members pair up to present training sessions at events such as in-house lunch and learns and local conferences. Finally, the two teams can partner to perform the organization’s cyber risk assessments.
A Symbiotic Relationship
Ultimately, the key product of internal audit’s partnership with the cybersecurity team is a clear understanding, for management and the board, of the cyber risks and opportunities the business faces. That information enables them to make the best decisions about which security tools to invest in and how and where to deploy those resources. This can’t happen without a symbiotic relationship between auditors and cybersecurity professionals. By gaining a deeper view into the organization’s security risks, internal audit can produce a global assessment of cyber risks and leverage its relationships with executive management and the audit committee to drive effective change to protect the organization.