One of the challenges when it comes to so-called “cybersecurity risk” is in accepting and then applying the idea that cyber is not an IT risk — it’s a business risk.
That makes all the sense in the world, no? Yet people tend to apply it only when talking about the fact that the whole organization, the entire business, has to be involved in preventing and then responding to a breach.
The truth is that cybersecurity MUST be seen within the context of the whole business, not in a silo.
How Would a Breach Impact Your Organization?
What is the potential effect of a breach on the achievement of the enterprise’s objectives? If we are to assess cyber-related business risk, we have to have the answer to that question. That requires the involvement in the assessment process of both business and technical personnel.
Trying to assess cyber-related risk with only technical personnel is highly unlikely to come up with the right answer.
Yet, the most widely accepted cyber risk standards are written by information security personnel, for (in my opinion) other information security practitioners.
If internal auditors want to assess the management of cybersecurity risk, they should take a more holistic approach, starting with the answers to that question: “What is the potential effect of a breach on the achievement of the enterprise’s objectives?”
An audit should probably include the participation of financial and operational auditors, not be limited to the infosec experts.
First Steps for Internal Audit
In fact, the first step in any audit should be to determine whether management knows the answer. Then see whether they continue to know the answer as the business, technology and the environment (including the hackers’ tools, techniques and favorite targets) change.
If management has not completed and then maintained a business risk-oriented risk assessment that is integrated with enterprise risk management and decision-making, the audit team should consider halting the audit.
If management doesn’t know where the risks are, what assurance does it have and what assurance can internal audit provide, that the right controls and security are in place?
The next step, the one I favor, is to determine whether the information security team has the necessary capabilities, position, and authority to address those risks.
Only then would I consider assessing whether the measures in place are sufficient and effective.
IIA's Good and Not-so-Good Advice for Internal Audit
The IIA had different ideas when it published its ‘supplemental guidance’ in the 2020 Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk.
The GTAG has some good and some not-so-good advice for auditors wishing to provide assurance, advice and insight on cyber-related business risks. This GTAG seems to fall into the trap of assessing risks to information assets, rather than risks to the business, IT risks (whatever they are, absent the context of what the business is trying to achieve) vs. risks to the success of the business.
Let’s first look and comment on some excerpts.
Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.
Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete,
Comment: I couldn’t disagree more on these two excerpts. ITGC includes information security, which includes cybersecurity. Cyber is no different from what I was responsible for when Information Security reported to me at two financial institutions; what I evaluated as an IT auditor; or what my various Internal Audit teams assessed after I became a CAE.
Cybersecurity risks are notably more dynamic than most traditional risks and necessitate a timely response.
Comment: More dynamic (volatile) than currency or commodity prices? I doubt it.
All risks require more than just a timely response, they require timely identification and assessment.
Cybersecurity is relevant to the systems that support an organization’s objectives related to the effectiveness and efficiency of operations, reliability of internal and external reporting, and compliance with applicable laws and regulations. An organization typically designs and implements cybersecurity controls across the organization to protect the integrity, confidentiality, and availability of information.
Comment: The GTAG has correctly listed all the categories of objectives identified in the COSO Internal Control Framework. Nothing new here. But the controls need to be designed to address risks to the achievement of those objectives, a different dimension to “the integrity, confidentiality and availability of information.”
Because assurance based on traditional, separate evaluations is not sufficient to keep up with the pace of cybersecurity risk, an innovative assurance strategy is required. Increasingly, continuous auditing techniques are needed to evaluate changes to security configurations, emerging risk outliers and trends, response times, and remediation activities.
Comment: 100% disagree, and this is one of my primary problems with the GTAG. I will explain shortly.
Management should consider performing a business impact analysis (BIA).
Comment: If management hasn’t done a BIA that identifies how a cyber incident could affect the achievement of its objectives, Internal Audit should immediately bring that to the attention of senior management and the board as a serious issue. Any risk assessment is likely to be wrong. If they have done one that only helps them prioritize information assets and does not enable multiple sources of risk (i.e., not only cyber but also compliance, human resources, etc.) to be considered together when making a decision, the issue remains serious – but is easier to remedy. See discussion later.
There is a great deal more in the report which I encourage you to review. In the spirit of remaining constructive, I'll explain my two major issues and suggest what is in my opinion a far better approach.
Cybersecurity Isn't About Information Assets
One of the problems I have with the NIST, ISO and FAIR standards and guidance is that they focus on ‘information assets’ and not on the business..
While the business cannot be considered absent IT-related risks and opportunities, those IT-related risks and opportunities cannot be considered absent the context of running the business and achieving objectives.
Cyber (and other IT-related risks) should not be considered in a silo.
Cyber (and other IT-related risks) is just one source of risk that needs to be considered in decision-making.
In fact, a cyber incident can create a supply-chain, compliance, operational, financial, or other risk – because risk is inter-related.
Similarly, a change in the supply chain such as the use of a new logistics company, or a change in operations or financial advisor, can change cybersecurity-related risks.
Cybersecurity risk assessment and treatment should be an integral part of the organization’s enterprise risk management program (ERM) and decision-making, not a siloed operation.
If cybersecurity is not fully integrated, then Internal Audit should be reporting that to the board.
We need to be concerned with risk to the ability of the organization to achieve its objectives, its purpose over time.
That is what a BIA should do, and it’s why the absence of one that is continually updated is a major issue that needs to be reported to the board and fixed.
Internal Audit needs to rise above the silo and use its ability to see the whole, not just individual parts.
Audit what might affect the organization, and that is likely to result in assessing cyber differently.
It’s Not About Doing It Ourselves
There’s too much focus on assessing what defenses are in place, and not nearly enough about whether management knows they have the right level of cybersecurity in place all the time.
Note the ‘all the time’ qualifier in that sentence.
We shouldn’t be looking at continuously auditing cybersecurity (as suggested by the GTAG). Instead, we should be seeing if management not only has the right defenses at the time of our review, but will adapt them properly as risks change in the future.
Not only do we review their processes for cyber risk assessment (as an integral part of ERM), but review whether that assessment is continuously updated.
Provide Forward-Looking Assurance, Advice and Insight
Any audit should provide our professional opinion on whether management’s processes and controls provide reasonable assurance that there is a low (i.e., acceptable) likelihood of a breach with an unacceptable effect on the organization and the achievement of its objectives.
Auditing what is in place today and whether it is sufficient to address today’s known risks is of limited value.
Audit whether management has the right capabilities in place today and is reasonably likely to have in the future.
I welcome your thoughts.