Cyber Audits: The Missing Layer in Cybersecurity

Involving the audit team ensures that technology solutions are not just sitting on the shelf or being under-utilised, but are deployed to strategically address security risks.

There is a broad spectrum of cybersecurity preparedness on the enterprise landscape, but even organisations that are relatively well-resourced and committed to cybersecurity stand to benefit from cybersecurity audits.

There is no question that, in many cases, earlier and expanded input from auditors would have helped organisations that have suffered high-profile cyberattacks avoid sifting through the financial and reputational damage that ensued.

Cybersecurity audits provide a key, additional layer of assurance to organisations that they are safeguarding the data that has become increasingly essential in driving and transforming virtually every business process.

The audit function is well-positioned to assess the data protection and controls around those business processes. Organisations that have mature security teams in place might figure they have cybersecurity covered, but how is the effectiveness of that security team being evaluated, and who is ensuring that new threats are being considered on a regular basis? Audit teams need to be part of these mission-critical answers.

Unless organisations have robust risk management processes in place, and many do not, there are common gaps in organisations' cybersecurity posture that cyber audits can help identify, most notably insufficient controls around data management.

Not only can cyber audits identify these gaps, they also counteract the tendency for organisations to become complacent and reactive by assuring that risk assessments are being conducted regularly.

People, Processes & Technology

Organisations often miss the mark on cybersecurity when they focus predominantly on the technology components of their programs rather than looking at people, processes, and technology in a more overarching way.

Involving the audit team in cybersecurity helps make sure that the attention is not just on technology implementations; auditors can also identify instances when technology solutions are sitting on the shelf or being under-utilised, rather than being deployed to strategically address security risks. Additionally, audits can help evaluate critical challenges such as coverage models, skill sets, training, and gaps in key resource capabilities.

When organisations are astute enough to turn to their audit teams for cybersecurity support, auditors must be prepared to deliver value, aligned to the speed of their business. Just as the businesses that auditors support are rapidly transforming, audit groups must follow suit.

This can be challenging, considering many IT auditors received much of their professional training many years ago, when the word cybersecurity did not command the attention it does today, and before transformative technologies such as artificial intelligence, connected Internet of Things devices, and cloud-based platforms were so prevalent and impactful.

Here's the good news: There are many more educational and training resources available today than 20 years ago, when I began in IT audit.

Despite time and budget constraints, it is incumbent upon auditors to pursue the appropriate training and credentialing to transform their organisations, refresh their skill sets, and obtain the auditing cybersecurity acumen needed to become integral to their organisation's cyber programs.

With few exceptions, enterprises depend upon their technology more than ever to swiftly deliver value. Reliance upon effective and secure technology deployment has spread well beyond a centralised IT department.

Having the needed controls in place to contend with an ever-growing array of threats, risks, and vulnerabilities can be the difference between thriving and floundering in today's digital economy. With so much at stake, enterprises cannot afford to take any shortcuts. Activating the additional line of sight that the audit function is uniquely equipped to provide can make all the difference.

Dark Reading

Image: Nick Youngson
