Cyber Audits: The Missing Layer in Cybersecurity

Involving the audit team ensures that technology solutions are not just sitting on the shelf or being under-utilised, but are actually deployed to strategically address security risks.

There is a broad spectrum of cybersecurity preparedness on the enterprise landscape, but even organisations that are relatively well-resourced and committed to cybersecurity stand to benefit from cybersecurity audits.

There is no question that, in many cases, earlier and expanded input from auditors would have helped organisations that have suffered high-profile cyberattacks avoid the financial and reputational damage that ensued.

Cybersecurity audits provide a key, additional layer of assurance to organisations that they are safeguarding the data that has become increasingly essential in driving and transforming virtually every business process.

The audit function is well-positioned to assess the data protection and controls around those business processes. Organisations that have mature security teams in place might figure they have cybersecurity covered, but how is the effectiveness of that security team being evaluated, and who is ensuring that new threats are being considered on a regular basis? Audit teams need to be part of these mission-critical answers.

Unless organisations have robust risk management processes in place, and many do not, there are common gaps in organisations' cybersecurity posture that cyber audits can help identify, most notably insufficient controls around data management.

Not only can cyber audits identify these gaps, they also counteract the tendency for organisations to become complacent and reactive by assuring that risk assessments are being conducted regularly.

People, Processes & Technology

Organisations often miss the mark on cybersecurity when they focus predominantly on the technology components of their programs rather than looking at people, processes, and technology in a more overarching way.

Involving the audit team in cybersecurity helps make sure that the attention is not just on technology implementations; auditors also can identify instances when technology solutions are sitting on the shelf or being under-utilised, rather than being deployed to strategically address security risks. Additionally, audits can help evaluate critical challenges such as coverage models, skill sets, training, and gaps in key resource capabilities.

When organisations are astute enough to turn to their audit teams for cybersecurity support, auditors must be prepared to deliver value, aligned to the speed of their business. Just as the businesses that auditors support are rapidly transforming, the audit groups must follow suit.

This can be challenging, considering many IT auditors received much of their professional training many years ago, when the word cybersecurity did not command the attention it does today, and before transformative technologies such as artificial intelligence, connected Internet of Things devices, and cloud-based platforms were so prevalent and impactful.

Here's the good news: There are many more educational and training resources available today than 20 years ago, when I began in IT audit.

Despite time and budget constraints, it is incumbent upon auditors to pursue the appropriate training and credentialing to transform their organisations, refresh their skill sets, and obtain the auditing cybersecurity acumen needed to become integral to their organisation's cyber programs.

With few exceptions, enterprises depend upon their technology more than ever to swiftly deliver value. Reliance upon effective and secure technology deployment has spread well beyond a centralised IT department.

Having the needed controls in place to contend with an ever-growing array of threats, risks, and vulnerabilities can be the difference between thriving and floundering in today's digital economy. With so much at stake, enterprises cannot afford to take any shortcuts. Activating the additional line of sight that the audit function is uniquely equipped to provide can make all the difference.

Dark Reading. Image: Nick Youngson
