Ten Cybersecurity Action Items for CAEs and Internal Audit Departments

David Brand, Managing Director IT Audit

Since the release of our 2016 Internal Audit Capabilities and Needs Survey last month, I’ve been going back and looking at the results, which also include some insightful 10-year trends. We will get back to these in another post; instead, I prefer to focus here on one aspect of the results – the growing need for cybersecurity skills and resources.

Cybersecurity risk is a growing concern – not only for internal stakeholders, but for customers and insurers. More than half (57 percent) of the survey respondents said they’d received inquiries from customers, clients or insurers about the organization’s state of cybersecurity.

It’s hardly surprising then, that nearly three out of four respondents (73 percent) said their organizations are evaluating cyber risk as part of the annual audit plan, compared to just over half in 2015. They listed brand and reputation damage, data security (company information) and data leakage (employee personal information) as representing the greatest risks.

Similar to last year, our results show two differentiators between top performers and the rest of the pack – a high level of board engagement in information security and inclusion of cybersecurity in the audit plan. But that’s just the tip of the iceberg.

Here, then, are ten internal audit to-do’s, aimed to ensure that your organization is prepared to avoid a cyber “collision” with what’s below the surface:

  1. Work with management and the board to develop and/or validate a cybersecurity strategy and policy.
  2. Identify and act on opportunities to improve the organization’s ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
  3. Recognize that cybersecurity risk is not only external – assess and mitigate potential threats that could result from the actions of employees or business partners.
  4. Leverage relationships with the audit committee and board to a) heighten awareness and knowledge of cyber threats; and b) ensure the board remains highly engaged with cybersecurity matters and up to date on the changing nature of cybersecurity risk.
  5. Ensure cybersecurity risk is integrated formally into the audit plan.
  6. Develop, and keep current, an understanding of how emerging technologies and trends are affecting the company and its cybersecurity risk profile.
  7. Evaluate the organization’s cybersecurity program against the National Institute of Standards and Technology (NIST) cybersecurity framework, recognizing that because the framework does not reach down to the control level, your cybersecurity program may require additional evaluations using ISO 27001 and 27002.
  8. Seek out opportunities to communicate to management that, with regard to cybersecurity, the strongest preventative capability has both human and technological aspects – a complementary blend of education, awareness, vigilance and technology tools.
  9. Emphasize that cybersecurity monitoring and cyber-incident response should be a top management priority – a clear formal escalation protocol can help make the case for (and sustain) this priority.
  10. Address any IT audit staffing and resource shortages as well as any lack of supporting technology tools, either of which can impede efforts to manage cybersecurity risk.

I know I’m preaching to the choir here, but it is important for organizations to understand that cybersecurity is not an IT issue – it is a business risk requiring a comprehensive risk-based approach to manage. To focus on what may be lingering below the surface, cybersecurity risk management strategies must be both present and effective.

Cybersecurity and information security are not the same thing. Each requires its own set of controls. Boards should not only be aware of cybersecurity risks, but they also should be engaged, at least at a high level, with the organization’s information security measures. And internal audit should integrate cybersecurity into its daily activities as well as its annual audit plan.

The report covers this issue in much greater detail. It’s definitely worth a read.