Cybersecurity's Key Ally

Internal audit should be a strong cybersecurity advocate, says DaMon Ross Sr., senior vice president and head of Cybersecurity Operations for SunTrust.


What is the relationship between IT and internal audit in cybersecurity and preparedness? 

IT is essentially the assets that cybersecurity is supposed to be protecting. Internal audit should ensure technical and nontechnical controls are in place and operating effectively. Internal audit personnel must become intimately familiar with cybersecurity and how to test the effectiveness of cyber controls. Too often, internal auditors are not technical enough to assess whether an organization’s cyber controls are adequate to protect the assets they were put in place to protect. 

Internal audit’s most valuable role is ensuring cybersecurity functions have the resources necessary to protect the organization effectively. Whether those resources be funding, staffing, or data from the organization’s IT systems, internal audit should be a strong advocate for the cybersecurity function by raising awareness around the organization’s cybersecurity needs. Internal audit assessment results should be a major topic in C-suite briefings to ensure the cybersecurity function receives the support necessary to protect the organization.

How can an organization ensure its employees do not become part of a social engineering attack?

Employees should be trained to identify and avoid becoming a victim of social engineering as part of an effective cyber education and awareness program, where frequent simulation exercises are a core component. The results of these exercises should be communicated across the organization, and C-suite executives should be kept up to speed on how the various areas of the company score on these exercises. Some organizations have begun to factor the results into employee performance reviews. For example, if an employee continuously fails phishing tests, that employee may be subjected to extra training, or his or her yearly performance rating might be impacted. Regardless of the consequences, C-level support is critical to raising awareness of social engineering among employees.


About the Author

Written by Internal Auditor magazine staff.

