Cyber Audits: The Missing Layer in Cybersecurity
Involving the audit team ensures that technology solutions are not just sitting on the shelf or being under-utilised to strategically address security risks.
There is a broad spectrum of cybersecurity preparedness on the enterprise landscape, but even organisations that are relatively well-resourced and committed to cybersecurity stand to benefit from cybersecurity audits.
There is no question that, in many cases, earlier and expanded input from auditors would have helped organisations that have suffered high-profile cyberattacks from sifting through the financial and reputational damage that ensued.
Cybersecurity audits provide a key, additional layer of assurance to organisations that they are safeguarding the data that has become increasingly essential in driving and transforming virtually every business process.
The audit function is well-positioned to assess the data protection and controls around those business processes. Organisations that have mature security teams in place might figure they have cybersecurity covered, but how is the effectiveness of that security team being evaluated, and who is ensuring that new threats are being considered on a regular basis? Audit teams need to be part of these mission-critical answers.
Unless organisations have robust risk management processes in place, and many do not, there are common gaps in organisations' cybersecurity posture that cyber audits can help identify, most notably insufficient controls around data management.
Not only can cyber audits identify these gaps, they also counteract the tendency for organisations to become complacent and reactive by assuring that risk assessments are being conducted regularly.
People, Processes & Technology
Organisations often miss the mark on cybersecurity when they focus predominantly on the technology components of their programs rather than looking at people, processes, and technology in a more overarching way.
Involving the audit team in cybersecurity helps make sure that the attention is not just on technology implementations; auditors also can identify instances when technology solutions are sitting on the shelf or being underutilized, rather than being deployed to strategically address security risks. Additionally, audits can help evaluate critical challenges such as coverage models, skill sets, training, and gaps in key resource capabilities.
When organisations are astute enough to turn to their audit teams for cybersecurity support, auditors must be prepared to deliver value, aligned to the speed of their business. Just as the businesses that auditors support, are rapidly transforming, the audit groups must follow suit.
This can be challenging, considering many IT auditors received much of their professional training many years ago, when the word cybersecurity did not command the attention it does today, and before transformative technologies such as artificial intelligence, connected Internet of Things devices, and cloud-based platforms were so prevalent and impactful.
Here's the good news: There are many more educational and training resources available today than 20 years ago, when I began in IT audit.
Despite time and budget constraints, it is incumbent upon auditors to pursue the appropriate training and credentialing to transform their organisations, refresh their skill sets, and obtain the auditing cybersecurity acumen needed to become integral to their organisation's cyber programs.
With few exceptions, enterprises depend upon their technology more than ever to swiftly deliver value. Reliance upon effective and secure technology deployment has spread well beyond a centralised IT department.
Having the needed controls in place to contend with an ever-growing array of threats, risks, and vulnerabilities can be the difference between thriving and floundering in today's digital economy. With so much at stake, enterprises cannot afford to take any shortcuts. Activating the additional line of sight that the audit function is uniquely equipped to provide can make all the difference.
Dark Reading: Image: Nick Youngson
You Might Also Read:
Cyber Security is Now Business Critical (£):
4 Steps Toward A GDPR Compliance Audit: