With organizations large and small falling victim to a troubling number of cybersecurity issues, 2014 infamously became the year of the data breach.
To avoid making 2015 the same, internal auditors must play an important role in securing the organization. That responsibility entails working closely with the board, executive management and functional leaders to ensure that cybersecurity is incorporated into the flow of daily business and its multitude of processes.
In our 2015 Internal Audit Capabilities and Needs Survey, we’ve devoted a special section to the current state of cybersecurity. With the help of more than 800 chief audit executives and internal audit professionals who participated in the study, we’ve identified organizational traits and practices that lead to effective cybersecurity measures.
The two most critical success factors?
- High level of engagement in cybersecurity by the board of directors
- Evaluating cybersecurity risk as part of the current audit plan
There is a clear correlation between the two. For example, 69 percent of organizations that reported a high level of board engagement in information security risks include cybersecurity in their audit plans. By comparison, only 46 percent of organizations reporting lesser levels of board engagement address cybersecurity in their audit plans. The correlation goes the other way too: 40 percent of organizations with audit plans tackling cybersecurity report a high level of engagement by their boards. Only 20 percent of organizations without such audit plans say their boards are similarly engaged in information security issues.
A pressing priority for nearly every organization is strengthening its ability to identify, assess and mitigate cybersecurity risk to an acceptable level. Most of the organizations that rate themselves as “very effective” in tackling these tasks are those that either have a high level of board engagement or have included cybersecurity in their audit plans. For example, 39 percent of companies with boards that are highly engaged in information security issues say they mitigate issues very effectively. Only 15 percent of companies with less involved boards exhibit the confidence to say so.
Internal auditors must prioritize and cultivate the critical success factors because it’s their job to make sure their companies are prepared to deal with a variety of threats. On a scale of 1 to 10, with 10 posing the highest level of risk, participants in our survey cited the following as their biggest cybersecurity concerns: data security (company information) – 7.9; brand/reputational damage – 7.7; regulatory and compliance violations – 7.5; data leakage (employee personal information) – 7.5; and viruses and malware – 7.3.
For CAEs and internal auditors to achieve “top performer” status, Protiviti recommends the following ten cybersecurity action items:
- Work with management and the board to develop a cybersecurity strategy and policy.
- Seek to have the organization become “very effective” in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
- Leverage board relationships to a) heighten the board’s awareness and knowledge of cybersecurity risk; and b) ensure that the board remains highly engaged with cybersecurity matters and up to date on the changing nature and strategic importance of cybersecurity risk.
- Focus on the organization’s most critical data and information assets and information systems (the so-called “crown jewels”); these are the assets of highest value that the organization cannot afford to lose.
- Ensure cybersecurity risk is formally integrated into the audit plan.
- Stay in touch with the threat landscape by developing an understanding of and keeping current with emerging technologies and technological trends that are affecting the company and its cybersecurity risk profile.
- Evaluate the organization’s cybersecurity program against the NIST Cybersecurity Framework, while recognizing that the framework does not run to the control level and therefore may require additional evaluations from an ISO 27001 and 27002 standpoint.
- Recognize that with regard to cybersecurity, the strongest preventive capability is a combination of technology and human involvement – a complementary blend of education, awareness, vigilance, and technology tools.
- Make cybersecurity monitoring and cyber incident response a top management priority. A clear escalation protocol can help make the case for and sustain this priority.
- Address any IT/audit staffing and resource shortages – this represents a top technology challenge in many organizations and can hamper efforts to address cybersecurity issues.
For a more in-depth discussion on cybersecurity risks and what internal audit functions can do to ensure their organizations are adequately addressing the risks, I’d highly recommend that you read the full report. In addition, check out Issue 66 of Board Perspectives: Risk Oversight, Managing Cyber Threats with Confidence.