Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Cyber Root Cause Alarm Bells Are Ringing


A new study by Tripwire should be setting off your alarms.

The company surveyed 403 IT security professionals, the people who should know the true state of information security (or "cyber") at their organization.

90 percent of organizations lack the skills to address the full range of cyber threats!

There have been repeated reports that information security experts are in high demand but low supply. This confirms the problem.

97 percent of organizations lack the technology they need to address the threats!

If I were on the board and heard this, I would be questioning the executive team hard.

Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.

But do they know the true extent of the problem?

Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?

When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.

Rather than audit the defenses, I had my team audit whether the company had the capability to build, maintain, and manage the defenses.

Key questions include:

  • Do you understand the risk to the business (the consequences) if there is a successful intrusion? How will the objectives of the organization be affected? Can you and have you assessed cyber risk in business terms? How recent is that assessment?
  • Are you satisfied, and if so, why? If not, what are you doing about it?
  • Do you have the people to understand (on a continuing basis) and then address cyber risk?
  • Do they have the tools? Is that your opinion or theirs?
  • Is the voice of information security heard and listened to at senior and board levels?
  • Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?
  • How often is an objective assessment of information security performed and is it reliable? Are its recommendations acted on?
  • Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?

I welcome your comments.
