Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Cybersecurity Effectiveness

I think it is fair to say that cybersecurity is one of the issues that are top of mind for boards, risk, and audit professionals.

I have written quite a lot about it in previous posts, including:

Now The IIA's Internal Audit Foundation has partnered with Crowe Horwath to publish The Security Intelligence Center Next Steps: Beyond Response to Anticipation.

I recommend it to every IT auditor and CAE.

But, it's not perfect (sorry, IIA).

This is good:

  • As cyberattacks become increasingly commonplace, much of the discussion among security professionals has moved from the desire to avoid and block all intrusions. Instead, there is growing recognition that despite everyone's best efforts to prevent it, there is always a probability that an intrusion will occur. This shift in outlook has extensive implications in terms of cybersecurity operations. Once it is recognized that 100 percent protection 100 percent of the time is not achievable, the cybersecurity emphasis can begin to shift from a defensive posture to a more offensive and proactive one that focuses on learning about how certain threats operate, how their effects can be limited or mitigated, and how the incident response time (from identification to remediation) can be accelerated.

  • Organizations that rate higher on the cybersecurity maturity scale are not necessarily spending more dollars overall, but are taking a more predictive approach to cybersecurity intelligence by integrating well-rounded security solutions and avoiding bolt-on products. As they do this, they also help bring the issue of cybersecurity further into the mainstream and make the anticipation and mitigation of attacks a more manageable experience. By following this example, organizations that are less mature in cybersecurity can begin to focus their existing IT security resources and budgets more intelligently as they make the transition to a more mature approach to the overall cybersecurity challenge.

The report has some good reference materials, identifying cyber and information security frameworks and guides.

It focuses on the existence and attributes of security operations centers, which may be of value in assessing what your organization has implemented.

I also like the emphasis on the emerging field of threat intelligence — trying to anticipate attacks and how they may be made.

But when it comes to the involvement of internal audit and some basic first steps, I have a problem.

This is what the report says:

The authors of the report recommended seven key questions for internal audit to ask about cybersecurity preparedness. The questions are:

  1. Is the organization able to monitor suspicious network intrusion?
  2. Is the organization able to identify whether an attack is occurring?
  3. Can the organization isolate the attack and restrict potential damage?
  4. Is the organization able to know whether confidential data is leaving the organization?
  5. If an incident does occur, is a written crisis-management plan in place that has been tested and is in line with organizational risk?
  6. If an incident does occur, does the organization have access to forensic skills to assist with the incident?
  7. Is the incident team in place, and do they know their roles and responsibilities?

The most critical omission is a business risk assessment. As I have explained in other posts (listed above), it is mandatory in my opinion to understand how the business and the achievement of its objectives would be affected by a breach.

Then there is the omission of any question relating to the adequate resourcing of the cyber team, or the timely detection of a breach.

The seven questions are a decent start, but there is more that needs to be done.

I welcome your thoughts.
