Cyber professionals generally know one thing – the cyber environment is constantly shifting. New business requirements, end-user needs and technologies change. New devices and applications create or remove vulnerabilities on a daily basis. Attackers respond and adapt as they seek to find exploitable weaknesses within the environment in order to reach an organization’s data.
As the changes occur and breaches happen, cyber professionals are called to account and explain what happened. Executive leadership then wants them to justify why they need additional funding or why last year’s technology no longer suffices.
Even with centuries to refine their auditing practices, corporations still have difficulties in complying with all of their financial reporting requirements. In contrast, cybersecurity auditing and compliance best practices are only a few short years old. The field is still developing and the best practices have yet to be written.
However, the nascent field of cyber assessment can learn from the financial industry. In order to communicate with the financial and leadership teams and “speak the same language,” the industry needs to adopt the financial community’s best practices and corporate governance models. The cybersecurity industry should embrace the methodologies and best practices put forward by professional organizations such as the International Internal Auditors (IIA)1 and the National Association of Corporate Directors (NACD).2 In doing so, the cybersecurity industry can learn, as these professional organizations and their member corporations have “discovered,” independence and objectivity are the foundational to success.
According to the IIA Standards,
“…independence is the freedom from conditions that threaten the ability of the internal audit activity or the chief audit executive to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board.”3
For the IIA, objectivity is the unprejudiced mental outlook which enables internal auditors to undertake engagements in a way that enables them to honestly have confidence in their work results and ensures that no important value compromises are created. Objectivity necessitates internal auditors not to lower their decision on issues related to audit.4
The American security technologist Bruce Schneier wrote, “Defending computer systems often requires people who can think like hackers.”5 Vulnerability assessments and penetration testing help an organization to see how an attacker will identify a system weakness. As I have written in my forthcoming book, The Art of Cyber Conflict, “similar to a financial audit, an organization should use a structured independent and objective vulnerability assessment and penetration-testing approach to develop a detailed view of the threats that faces its data.”6 With a structured process that includes risk management, baseline establishment, monitoring, and correlation, organizations can effectively assess their cyber environment with an eye toward effective security rather than checklist-driven compliance.
In the U.S., publicly traded companies are required to have an audit committee. The audit committee has oversight of financial reporting and disclosure. While the committee is drawn from members of the company’s board of directors, current U.S. regulations requires that this committee include a financial expert. This committee provides executive supervision of the organization’s financial reporting, audit, and internal controls, to include compliance with laws and regulations.
Auditors, and in turn cybersecurity assessors, derive their credibility and value from basic assumptions of independence and objectivity. IIA Standards state that internal auditing is an independent and objective consultative activity, adding value and enhancing the operations of an organization. The analysis and resulting reports are expected to be honest and unbiased. These principles are also essential to cyber assessment.
While generally focused on compliance, the audit committee’s responsibilities include oversight on a wide variety of internal controls. Within the wider context of risk management and corporate governance, auditors and assessors also have the responsibility of evaluating not just the financial systems but must also include reporting and evaluating cyber risks.
Given information technology’s critical role within most organizations, cyber risk management is a business problem, not an information technology problem.
Given information technology’s critical role within most organizations, cyber risk management is a business problem, not an information technology problem. Cybersecurity needs to be managed and reported in the same disciplined, structured manner as financial risks. In the end, boards of directors and company executives are the ones ultimately responsible for the state of a company’s cyber posture. Emerging best practice has the inclusion of a cybersecurity expert on the board.
The IIA Code of Ethics includes basic principles to be followed by internal auditors. The objectivity principle requires internal auditors to show the highest professional objectivity level in collecting, assessing, and communicating information about the processes examined. Further, internal auditors are expected to perform a balanced assessment of every relevant situation and must not be influenced by their own or other people’s interest while forming judgments. The IIA’s published framework instructs internal auditors to recognize, evaluate and manage risks to their objectivity, and includes the need to consider safeguards which could mitigate the impacts of realized risks.7 The objectivity principle can directly apply to cybersecurity assessments.
This recognized and accepted framework assists organizations in accomplishing their objectives by bringing an organized, disciplined method for assessing and improving the efficiency of the control, risk management and administrative processes.8
The degree of involvement of the audit committee in cybersecurity issues differs considerably by industry and business. In some companies, cybersecurity risk is given directly to the audit committee. Technology organizations frequently have a dedicated cyber risk committee which concentrates entirely on cybersecurity. Regardless of the formal structure an organization adopts, the fast pace of data and technology growth and the concomitant risks highlight the importance of understanding cybersecurity as a fundamental, business-wide enterprise risk. Audit committees must be aware of the trends in cybersecurity, related regulatory progress and major threats to the business. The assessment needs to include an organization’s key cyber targets, the data assets whose loss would create adverse business and economic impacts which might substantially affect the shareholders.
A company that makes use of a structured approach for vulnerability assessment and penetration testing has a better understanding of its risk posture, and the threats to its critical information. Internal audit and cyber assessment process must have the capability to create a road map for the future management of the diverse cyber risk cases and problems.
The assessment must determine if proper cybersecurity controls relevant to technology, processes, and people are in place.
The internal audit and cybersecurity assessment process plays a significant role in determining whether a systematic approach is available for managing cyber risk. The assessment must determine if proper cybersecurity controls relevant to technology, processes, and people are in place. Routine assessments are important as they present to the audit committee a thorough appraisal of the organization’s strengths and weaknesses.9
The first phase for internal auditing is a cyber-risk evaluation whose results are presented to the audit team and management. Next, based on the evaluation, a risk-based cybersecurity and audit plan is created and implemented. The information technology and business unit functions incorporate the plan’s cyber risk controls into daily operations, thus constituting the first defense line. The next line of defense comprises technology and data risk control managers who observe security activities and act when necessary. Many organizations are adding a third cyber defense line: Independent assessment of safety measures and the internal audit function’s performance.10
Auditors must involve people who have the required skills and experience in their activities. It is imperative to engage experts with the necessary technical knowledge and awareness of the risk situation. Such experts are key resources.11
A successful and trusted cybersecurity assessment program calls for the proactive and regular engagement of the technical team, the auditors, the audit committee and the executive management team. However, as auditors and assessors carry their duties, independence and objectivity is required. As with financial audits, there should be no interference in the cybersecurity assessment. And, as with financial audits, cybersecurity assessments need to be presented in a framework that is understood and accepted.
1. International Internal Auditors. (2017, April 6). International Standards for the Professional Practice of Internal Auditing (Standards). Retrieved from International Internal Auditors:
https://na.theiaa.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
2. National Association of Corporate Directors.
(2017, April 6). Resource Center: Audit Committee. Retrieved from www.nacdonline.org:
https://www.nacdonline.org/Resources/BoardResource.cfm?ItemNumber=28530
3. (International Internal Auditors, 2017)
4. (International Internal Auditors, 2017)
5. Schneier, B. (2016, November 30). Retrieved from Pros and Cons in Penetration Testing Services: The Debate Continues: http://resources.infosecinstitute. com/pros-and-cons-in-penetration-testing-services-the-debate-continues/#gref
6. Sienkiewicz, H. J. (2017). The Art of Cyber Conflict. Alexandria, VA: DogEar Publishing.
7. Cascarino, R. E. (2007). Auditor’s guide to information systems auditing. Hoboken, NJ: John Wiley & Sons.
8. Cannon, D. L. (2011). CISA Certified Information Systems Auditor Study Guide. Hoboken, NJ : John Wiley & Sons.
9. Stewart, J. &. (2010). Internal audit independence and objectivity: emerging research opportunities. Managerial Auditing Journal 25(4), 328-360.
10. (Stewart, 2010)
11. Gray, I. &. (2015). The Audit Process: Principles, Practice and Cases. Boston, MA: Cengage Learning.
References
Cannon, D. L. (2011). CISA Certified Information Systems Auditor Study Guide. Hoboken, NJ : John Wiley & Sons.
Cascarino, R. E. (2007). Auditor’s guide to information systems auditing. Hoboken, NJ: John Wiley & Sons.
Gray, I. &. (2015). The Audit Process: Principles, Practice and Cases. Boston, MA: Cengage Learning.
International Internal Auditors. (2017, April 6). International Standards for the Professional Practice of Internal Auditing (Standards). Retrieved from International Internal Auditors: https://na.theiaa.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
National Association of Corporate Directors. (2017, April 6). Resource Center: Audit Committee. Retrieved from www.nacdonline.org: https://www.nacdonline.org/Resources/BoardResource.cfm?ItemNumber=28530
Schneier, B. (2016, November 30). Retrieved from Pros and Cons in Penetration Testing Services: The Debate Continues: http://resources.infosecinstitute.com/pros-and-cons-in-penetration-testing-services-the-debate-continues/#gref
Sienkiewicz, H. J. (2017). The Art of Cyber Conflict. Alexandria, VA: DogEar Publishing.
Stewart, J. &. (2010). Internal audit independence and objectivity: emerging research opportunities Managerial Auditing Journal 25(4), 328-360.
Leave a Comment