I think it is fair to say that cybersecurity is one of the issues that are top of mind for boards, risk, and audit professionals.
I have written quite a lot about it in previous posts, including:
Now The IIA's Internal Audit Foundation has partnered with Crowe Horwath to publish The Security Intelligence Center Next Steps: Beyond Response to Anticipation.
I recommend it to every IT auditor and CAE.
But it's not perfect (sorry, IIA).
This is good:
- As cyberattacks become increasingly commonplace, much of the discussion among security professionals has moved from the desire to avoid and block all intrusions. Instead, there is growing recognition that despite everyone's best efforts to prevent it, there is always a probability that an intrusion will occur. This shift in outlook has extensive implications in terms of cybersecurity operations. Once it is recognized that 100 percent protection 100 percent of the time is not achievable, the cybersecurity emphasis can begin to shift from a defensive posture to a more offensive and proactive one that focuses on learning about how certain threats operate, how their effects can be limited or mitigated, and how the incident response time (from identification to remediation) can be accelerated.
- Organizations that rate higher on the cybersecurity maturity scale are not necessarily spending more dollars overall, but are taking a more predictive approach to cybersecurity intelligence by integrating well-rounded security solutions and avoiding bolt-on products. As they do this, they also help bring the issue of cybersecurity further into the mainstream and make the anticipation and mitigation of attacks a more manageable experience. By following this example, organizations that are less mature in cybersecurity can begin to focus their existing IT security resources and budgets more intelligently as they make the transition to a more mature approach to the overall cybersecurity challenge.
The report has some good reference materials, identifying cyber and information security frameworks and guides.
It focuses on the existence and attributes of security operations centers, which may be of value in assessing what your organization has implemented.
I also like the emphasis on the emerging field of threat intelligence — trying to anticipate attacks and how they may be made.
But when it comes to the involvement of internal audit and some basic first steps, I have a problem.
This is what the report says:
The authors of the report recommended seven key questions for internal audit to ask about cybersecurity preparedness. The questions are:
- Is the organization able to monitor suspicious network intrusion?
- Is the organization able to identify whether an attack is occurring?
- Can the organization isolate the attack and restrict potential damage?
- Is the organization able to know whether confidential data is leaving the organization?
- If an incident does occur, is a written crisis-management plan in place that has been tested and is in line with organizational risk?
- If an incident does occur, does the organization have access to forensic skills to assist with the incident?
- Is the incident team in place, and do they know their roles and responsibilities?
The most critical omission is a business risk assessment. As I have explained in other posts (listed above), it is mandatory in my opinion to understand how the business and the achievement of its objectives would be affected by a breach.
Then there is the omission of any question relating to the adequate resourcing of the cyber team, or the timely detection of a breach.
The seven questions are a decent start, but there is more that needs to be done.
I welcome your thoughts.