One of the features of The IIA's Three Lines Model (PDF) is its clear description of accountability among key players within an organization. The governing body is responsible for organizational oversight, management is tasked with achieving organizational objectives, and internal audit's role is to provide assurance and advice. The model also points out that this delineation does not imply isolation. Among all roles, "the basis for successful coherence is regular and effective coordination, collaboration, and communication," the model states.
This idea of teamwork boosting organizational objectives is backed by empirical evidence. A 2018 study by Arizona State University, the University of Nevada, the University of Massachusetts Amherst, and Iowa State University shows that a positive relationship between internal audit and information security can improve an organization's cybersecurity efforts. For instance, the findings indicate that stronger relationships between the two functions result in better detection of security incidents, internal control weaknesses, and incidents of noncompliance.
At Cboe Global Markets Inc., Umesh Yerram, chief information security officer (CISO), and Heidi Zenger, senior director of internal audit, demonstrate how a successful relationship between information security and internal audit works in practice. As a global exchange operator with 21 markets offering options, futures, equities, and foreign exchange products that trade billions in contracts daily, Cboe is naturally focused on cybersecurity as a critical risk. Yerram, based in Philadelphia, and Zenger, who works in the Kansas City, Kan., metro area and heads up IT audit, discussed how a strong collaboration between information security and internal audit helps them amplify their findings and better mitigate cyber risk.
How did the working relationship between your functions evolve?
Zenger: One pivot point was hiring an auditor with specialized security skills. As auditors, we say that a process is a process; we can understand all of the risks if you have the time to dedicate and teach us. But there really is a place for specialized skills; so I think that helped [enhance] our relationship quite a bit. After Umesh joined the company as CISO, I think the next real pivot point was the security team stepping into more of a second-line monitoring role. There's still some first-line activities, but by increasing that second-line monitoring role, it just brought us a little bit closer to speaking the same language from a risk management perspective.
Yerram: I joined Cboe in January, and the relationship between Heidi's team and my team has definitely expanded over the course of seven months. We have clear role responsibilities; I am part of the second line, and internal audit is the third line. But at the end of the day, we are both trying to make sure that cyber risk or any other risk is properly identified, addressed, or brought to leadership's attention. That's been our goal and what we've been doing from day one. We want the board to hear the same message, whether it's coming from me or it's coming from internal audit. Heidi and team present to the audit committee, and I present to the risk committee — and, of course, to the full board — so we want to make sure that we convey the strong collaboration between our two functions.
Another thing that helps us build that strong relationship is to Heidi's point: Heidi has a resource who is a cyber specialist, so we can actually speak the same language. [The specialist] does work behind the scenes to make sure Heidi and team are aware of some of the technical nuances that need to happen in remediating. Now it's a lot more streamlined to have those conversations — without any barriers. So that definitely helps.
To what extent is that relationship formalized?
Zenger: Umesh has a security governance team within his group. The security governance team and our IT audit team meet on a monthly basis to talk through risks, monitor any issues or vulnerabilities, and discuss any upcoming audits. Umesh and I meet one-on-one on a monthly basis, as well, to talk about the same things on a slightly higher level, and Umesh also meets with our chief audit executive once a month to make sure that we're communicating with each level of the organization.
In addition, the company has a formal weekly project management meeting where we discuss the status of larger projects within the organization, as well as approve any new ones coming on board. This gives audit and security an opportunity to say, "Hey, we need to be involved in this, and we want to review the risks before this is approved and moves forward." Or if we've identified anything with the ongoing projects, we have an opportunity to voice those concerns upfront.
Yerram: I also have a security council meeting that Heidi participates in, so that's another touch point where she and I have conversations about cyber risk. We use some of the open findings from internal audit that Heidi's team presents, so that our chief operating officer and chief risk officer understand the audit items that are coming to them, along with any delays or risks that we need to highlight at that point. We want to make sure that leadership is aware of the progress on a monthly basis before we present to the board on a quarterly schedule.
How do your teams collaborate?
Yerram: If two teams have two different messages, that creates confusion, and then, how do you prioritize the risk? But with the relationship we have, the expertise internal audit has, and the communication we have established, it helps us to really get on the same page. So we have those conversations regularly and say, "OK, we've identified 10 risks, but what are the top three, four, or five that we can actually bring to senior leadership's attention?" Then when we are aligned and we go and make that case together, it definitely gets heard and reacted upon. I think one of the biggest benefits of our collaboration is that now we actually prioritize the highest risks for the company from a cyber perspective.
Zenger: The security team conducts its own security risk assessment based on all of the input and data they're receiving from their tools and an awareness of external threats. The security risk assessment serves as one of the inputs we can use in the internal audit risk assessment, which is our own independent perspective of risks throughout the company. And then, similarly, as we have audit issues and findings that we're aware of and that we include in our reports, that's one of the things the security team can pick up and use to inform its security risk assessment. So it's a two-way street from that capacity. I also see a lot more of the information sharing occurring across the teams now where we say, "OK, we identified these vulnerabilities or risks and we're seeing this on our side. What are you seeing through all the monitoring activity that you're doing and how does that inform each one of our programs?"
What has been the impact of the relationship on your organization's cybersecurity efforts?
Yerram: A good measure for us is patch management. I talk to my peers constantly and it's not a very exciting piece of work to do. Nowadays, given the onslaught of zero-day [attacks] and the vulnerabilities that threat actors are exploiting, it's not on the top of everybody's priorities to go patch the system. By working together on this risk, we significantly improved our ability to patch, to align with our changing risk profile. We now have more resources and awareness from the senior leadership that this work has to be done, based on the risk that we articulated.
Zenger: Cboe recently invested in a leadership training program, and I believe that has helped us foster and maintain a healthy relationship. We don't always see eye to eye. I see things through an audit perspective; I view the world based on the evidence of the body of work and conclusions we're reaching. And Umesh sees the risk to the organization from the outside and from a cyber perspective. We do have a lot of challenging conversations, and I think that's to our benefit. In our training, we call these kinds of conversations "crucial conversations." We have these crucial conversations on a regular basis — and that's good, because if we weren't having them, that means we're afraid to bring up those differences in opinions, and the organization suffers as a result of the lack of conversation and challenge. Umesh called me one day after having a conversation the previous day, and just as he started it out, I paused and said, "Umesh, are we having a crucial conversation right now?" and he said, "Yes, exactly!" And so, by knowing that we were going into an important conversation, we could both relax. We could both appreciate the idea that, "We've got to do some hard work today and we can tackle it together."