In the past dozen years or so, cybersecurity has gone from being a mysterious IT concern best left to chief security officers (CSOs) and chief information security officers (CISOs) to a top priority for boards and executive management. Yet, progress has been painfully slow for a problem everyone agrees is evolving at breakneck speed.
Reports of high-profile cyberattacks are now routine, and no sector or industry is immune to the threat. Indeed, the Privacy Rights Clearinghouse has documented more than 8,600 data breaches since 2005, including 831 in 2017. The group, located at the University of San Diego School of Law's Center for Public Interest Law, concedes it doesn't capture every successful cyberattack. Still, it estimates more than 11 billion records have been breached since it began keeping track.
Even so, I must admit I am troubled each time I read about cyberattacks that might have been avoided. Too often, successful hacks involve human failings, not technological ones. This is especially disturbing when one considers that cybersecurity ranks at or near the top of every management and board poll on risks.
I'm starting to wonder if the enormity of cybersecurity is feeding inaction within some organizations. I wonder if companies are simply throwing in the towel and accepting what they believe will be "inevitable." Despite knowing that data breaches can do incredible financial and reputational damage, organizations don't take all reasonable steps to protect themselves. Worse, a defeatist or fatalistic view about the eventuality of being hacked may be contributing to weak or ineffective controls.
Two recent surveys provide additional examples of our struggles with cybersecurity. A survey by Spencer Stuart of S&P 500 companies found that, although boards last year hired the largest number of new directors (397) since 2004, a scant 19 percent of them had a background in technology or telecommunications. This suggests that, while there is growing awareness of the importance of having directors who are knowledgeable about IT and cybersecurity, that awareness hasn't translated into greater action.
A new report from information security services firm IOActive identified cybersecurity vulnerabilities in nearly all of the 40 major online stock-trading platforms it investigated. The vulnerabilities varied in severity, from storage of unencrypted passwords to promoting features that are susceptible to malware.
This reflects the continuing challenge of cybersecurity not being integrated into all areas of the organization. I'm certain none of these stock-trading platforms sought to make themselves targets, but too often the drive for convenience or customer-friendly interactions comes at the price of higher cyber vulnerability.
If management is capitulating in the face of cybersecurity risks, internal auditors can't afford to join them. We must not only ensure we have the right talent on our staff to audit IT processes and controls, we also must be aware of how cybersecurity is viewed across the organization. In short, part of internal audit's scope must be to assess the organization's cyber culture and help build a culture that is cyber-savvy.
Talent was among four keys for transforming internal audit that I wrote about in a blog post earlier this year. In short, internal audit must redefine talent, especially with regard to auditing IT.
From the blog post:
The path forward on talent may be the most challenging. For example, CAEs report significant challenges in recruiting personnel with cybersecurity and privacy/data mining and analytical skills. Still, there are clear steps we can take to make sure we have the right people in place to meet stakeholder demands, innovate, and be agile.
[The North American Pulse of Internal Audit] identifies six keys that support getting the right people in place, including developing a talent strategy, seeking candidates with different backgrounds, and including future-focused training and development. But one of the most important is to make sure internal audit's scope drives staff competencies. Too often, the work internal audit functions take on is dictated by the skills they have on staff. This is a dangerous practice that works against innovation and agility.
Internal audit's role in building a cyber-savvy culture goes hand-in-hand with having the right talent on staff. Just as internal audit functions can build culture checks into each engagement they perform, so too can they assess how culture contributes to cybersecurity successes and failures.
Internal audit should work with CSOs and CISOs to identify weaknesses in the organization's cybersecurity controls and practices. It is especially important that the relationship between internal audit and IT leaders be a healthy and cooperative one. After all, they are working for the same goal of effective cybersecurity.
In all circumstances, internal audit must provide the board with a direct and objective assessment on how cybersecurity is carried out within the organization and whether the organization's culture supports or works against it. Just as important, we must provide assurance on the organization's preparedness to respond if/when the cybersecurity breaches occur.
I'd like to know what you are doing to assess your organization's cybersecurity culture. As always, I look forward to your comments.