Once an emerging risk discussed just annually by boards and audit committees, cybersecurity is now a board-level issue that must be top of mind for board members and management, alike. Yet, for many board members, cyber risks can be an adventure into unknown territory. These risks comprise a rapidly evolving technical puzzle where the magnitude, vulnerability, likelihood, accountability, and strategies for managing, detecting, monitoring, and responding to risks are a maze of alternatives, with no definitive "right answer."
Defensive strategies such as identity management, perimeter protections, patch management, and multifactor authentication are now minimum requirements for an organization. Companies also must be on the offensive and be vigilant in monitoring for external and internal threats. Moreover, companies must have a forward-looking strategy for responding, preparing, and being resilient when actions must be taken.
Internal audit can help promote transparency, awareness, accountability, and collaboration with management across the three lines and work with the board on cybersecurity. Auditors must help the board see cybersecurity as more than an IT risk — one that can impact the organization's brand, operations, financial, and strategic objectives.
Understanding the Risks
Internal audit can collaborate with the first and second lines, chief information officer (CIO), and chief information security officer (CISO) to help the board and audit committee understand and address cybersecurity risks. Together, they can present an enterprise perspective of the organization's key cybersecurity risks, as well as the strategies and plans to protect against, monitor, and respond to those threats.
Internal audit also can lead or participate in a cyber risk assessment that can help the board understand the organization's capability to manage the associated risks. Sharing a maturity model visualization with the board is a great way to communicate insights, the desired state of maturity versus the organization's current state, and a high-level enterprise view of cyber risks.
Selecting a framework — or multiple frameworks — as a foundation for risk and maturity assessments can help establish a basis, a definition of the domains used, and evaluation criteria for assessments. Some common frameworks include:
- The International Organization for Standardization's ISO/SEC 27000 standards for managing information security.
- The U.S. National Institute of Standards and Technology Cybersecurity Framework to help improve critical infrastructure.
- ISACA's COBIT control framework to govern IT infrastructure.
What to Talk About
Many boards and organizations may have a false sense of comfort because internal audit and the IT function have completed assessments of IT general computer controls and an attack and penetration audit. Unfortunately, these assessments do not provide adequate assurance across the ever-changing cyber risk landscape. Internal audit and management must provide information about the full spectrum of cyber risks as well as management's plans for raising the organization's cybersecurity capabilities to its maturity target.
Some of the board topics to provide clear insights on include:
- How has the organization inventoried and mapped its IT and operational technology assets and their associated risks and vulnerabilities?
- What are the critical assets and processes, and how vulnerable are they?
- How does the organization monitor and respond to potential external and insider threats?
- How prepared is the organization to respond to an event? Are there playbooks and business continuity and disaster recovery plans?
- How decentralized is the organization? What complexities or challenges does that create? Are there silos?
- Is there accountability and ownership of processes and controls?
- Have tabletop and simulation exercises been planned or completed? What were their results and what action plans were recommended?
- What efforts to educate the broader organization about phishing schemes and other tactics are underway or planned? For example, many organizations deliberately send phishing emails to test whether employees will click on these types of messages. Often, clicking on these test links will take users to a training page.
- How is the organization using risk-sensing and analytics efforts to proactively identify threats and risks?
- What are the third-party, supplier risk management strategies to address cybersecurity risks?
- Is the budget adequate to support efforts devoted not just to prevention and detection but also business resiliency?
Internal audit and management, such as the CIO and CISO, can address all of these topics by collaborating across the three lines to help the business align proactively against cybersecurity threats.
Could It Happen Here?
Discussing hypothetical risks can be a daunting task for internal audit. But facilitating a discussion about a risk that has happened in another organization can help make the conversation and dialogue less controversial.
A great way to foster a constructive dialogue about the organization's vulnerability to a risk is to take a headline, incident, or case study from another organization and pose the question, "Could it happen here?" To answer that question, internal audit should bring together a group of individuals from different levels, groups, and positions in the organization.
The answer to that question can reveal how prepared the organization is, if it has adequate processes and oversight, and how robust and mature its response plans are. It also can show the board how to recognize if a similar incident is happening or has happened at the business.
Auditors should foster constructive debate and dialogue about the issue, and welcome all opinions and perspectives. The goal is to understand what the vulnerabilities are, how prepared the organization might be, and what actions the organization needs to take next. Anonymous voting technologies or techniques that enable individuals to share thoughts freely can be important for this approach to work.
The objective of this approach is to understand not only what is supposed to happen, but also perceptions about what may happen in reality:
- Could this type of incident or risk happen at the organization? Why or why not?
- What is the organization doing to prevent or detect this situation?
- How would the organization know if this risk is happening?
- How would the organization respond? Who would it communicate with internally and externally?
- Who would be accountable for addressing the risk and resolving the issues?
- Are there third parties involved? If so, what is their role?
- What are the organization's weakest links?
Conducting a "Could it happen here?" exercise is an engaging approach internal auditors can use to prepare to respond to board member questions about the organization's vulnerability to threats and readiness to respond to them.
Influencing the Agenda
Internal audit executives can help influence the board and committee agendas to ensure time is allocated at every meeting or periodically to a discussion of cybersecurity risks. The CAE can contact the management team and the chair of the committee responsible for oversight of cyber risk to review the committee's standing agenda topics and reporting responsibilities for cybersecurity.
Internal audit also should have a plan for specifically communicating its efforts to address cyber risks, as well as how the department is collaborating with the CIO, CISO, and first and second lines. Internal audit should detail the trends it sees and provide an overall perspective of the robustness and proactiveness of the cybersecurity effort. The department also can encourage board or committee members to participate in table-top exercises where a facilitated simulation helps the organization outline the steps and action plans during a cyberattack or crisis scenario. Moreover, auditors can work with the enterprise risk management team to discuss risk tolerances and techniques for managing cyber risks.
Collaboration Across the Three Lines
Cybersecurity presents a great opportunity for internal audit to collaborate across the enterprise with the first- and second-line functions — and with the CIO and CISO departments — to inform the board about the risks facing the organization. By working with these functions, internal audit can pull in resources who understand the changing dynamics of cybersecurity.
Work-from-anywhere dynamics, digital accelerations, cloud computing, increased threats, and the complexity of today's environments make keeping technical skills current to address cyber risks challenging for internal auditors and organizations. Internal auditors should work with management across the three lines and the board, engage outside resources as needed, and focus on providing timely, transparent, and proactive information to management and the board. Internal audit should help the organization build data governance, privacy, and cybersecurity controls; regulatory requirements; and capabilities into new enterprise platforms and cloud initiatives up front versus after the fact. Moreover, auditors should understand how the organization is tackling threat management and incident response activities.
Assure, Advise, and Anticipate
Internal audit cannot sit on the sidelines and only provide hindsight assurance on the effectiveness of controls or commentary on historical actions. While assurance is an important responsibility for internal audit, management and boards are demanding that internal audit provide forward-looking advice on risks and controls as well as anticipate future risks.
Cybersecurity is a prime area for the internal audit function to evolve efforts to add value and to provide foresight. Internal audit can still provide objective oversight and additional advisory services around issues such as cybersecurity. Communicating with the board about internal audit's work in these areas can help the organization establish a united cyber defense and assist the board in fulfilling its risk oversight responsibilities.