Audits of information security or cyber may be short

I have been involved in information security, either auditing it or being responsible for the function at a couple of financial institutions, for a very long time. To me, cyber is not separate from information security. If I were to make a distinction, information security would include not only digital information, but also hard copy reports and other information not stored electronically. But I will treat the terms interchangeably today.

Why do I say audits would be short?

Because they often were short when either I or my team of IT auditors performed them.

The first thing I do is ask for the information security risk assessment.

If they haven’t done one, it is difficult to know where we should focus our limited audit resources. I want to assess the areas where there is greater risk to the business and its success, the achievement of enterprise objectives.

It is difficult to assess whether they have adequate defenses or responses if they haven’t identified the greater sources of risk.

If they have done a risk assessment based on NIST or ISO guidance, it is usually disconnected from the achievement of business objectives and I again have a problem.

I don’t want to audit the “risk to information assets” (per NIST and ISO). I want to audit the risks to business objectives and success.

We can help management, as a consulting activity, understand how to perform such a risk assessment.

I wrote about this recently for EDPACS in an article that is now free to view: Making business sense of technology risk.

Where I am aware of a specific infosec risk that is critical to business success, I can target an audit.

But those are targeted audits, not an audit of all of information security.

In fact, my approach typically breaks the area up into multiple targeted audits.

I have written before about auditing what I call the information security foundation: where it reports, whether there is an acceptable risk assessment, who leads it, how it is funded, and so on.

I will do that first.

Then I will have some number of audits targeted at specific issues.

Do CAEs pay enough attention to cyber and information security?

I think they do, although every year there are complaints that CAEs don’t have the resources necessary.

My thinking is:

  1. The CAE's risk assessment should identify what they need to audit, including cyber-related audits
  2. That assessment should be shared with the audit committee of the board
  3. Where possible, the CAE should have sufficient internal resources to perform the necessary audits
  4. Where internal resources are not available, the CAE should engage external resources, such as from a consulting firm
  5. If the budget does not permit the funding of high priority audits, that should be a matter for discussion with the audit committee, and they will have the last word.

In his April 6th blog post, my good friend Richard Chambers said:

[The IIA’s Pulse of Internal Audit] reports that 85% of respondents rate “cybersecurity” as a high or very high risk, but it only accounts for 11% of internal audit plans. Allocation of resources to cyber risks is lower than to compliance and regulatory risks, operational risks, and internal controls over financial reporting (SOX).

He sees this as a problem, an alarm bell. I don’t.

11% of internal audit resources is a HUGE amount!

When you consider all the risks to business success these days, and the fact that the typical breach costs far less than people think, 11% may be appropriate. It might be too little, but it is more likely to be too much than too little!

If CAEs are following a true enterprise-risk based approach, I will trust them to be focusing on the highest risks to the enterprise, such as:

  • The loss of critical employees, particularly those with strong connections to customers, those who drive product development, the leaders who inspire other employees, and the ones who perform critical controls
  • Supply-chain risks in the midst of political upheaval
  • The ability to leverage new technology and not fall behind competitors
  • The potential for a downturn in the economy
  • Compliance with new sanctions and other regulations
  • The return on investment from marketing and sales initiatives
  • Developing staff when they are remote
  • And so on

The main point is that in the absence of an adequate, business-focused cyber risk assessment, knowing what cyber related audits to perform is difficult.

How do you audit what matters to the organization when those responsible for running the organization haven’t figured that out?

Remember, there's a huge disconnect between information security leaders (CISOs) and top management (including the board) when it comes to agreeing on how much resource to allocate to infosec.

I welcome your thoughts.

By the way, I will be speaking at an upcoming virtual conference in May, the Transforming Your Audit Summit 2022. The list of speakers is impressive!

  Mike, April 23, 2022 at 1:10 PM

    I have always seen cybersecurity as a subset of the old information security terminology, although I think many don't differentiate anymore. Aside from terminology, IT is in many businesses integrated into the business model. I think some progress has been made on linking cyber risk to business objectives; however, I agree there is still a lot more to be done. The complexity faced is that the threat and technology landscape is rapidly changing, which can quickly result in what was an acceptable level of risk in light of objectives needing continual reassessment. There are many unknown unknowns; do you think the business side understands enough about the technology side to properly assess the risks from a business strategy perspective?

    • Norman Marks, April 23, 2022 at 1:22 PM

      I think that the business side can work with the technical team to assess the potential effect on the business, yes. But the technical team has to explain what impact on business services a breach would cause.
