[Photo: close-up of a woman holding a finger before her lips, "shhhhhhhhh". Photo credit: Kristina Flour]

Before the confession, I want to share a recent and valuable report from Verizon. Its 2018 Data Breach Investigations Report has a depth of valuable information that merits the attention of every practitioner.

The summary of findings included these observations:

  • 73 percent of breaches in the last year (of which Verizon is aware) were perpetrated by outsiders, while 28 percent involved internal actors.
  • 50 percent were carried out by organized criminal groups.
  • 12 percent involved actors identified as nation-state or state-affiliated.
  • 58 percent of the victims were small businesses.
  • 24 percent of breaches affected healthcare organizations.
  • 76 percent were financially motivated.
  • 68 percent took months or longer to be discovered.

The extensive report analyzes breaches by type as well as by industry sector.

Another report that merits our attention is PwC’s The Global State of Information Security Report 2018. PwC has different numbers about who is responsible for security incidents, stating that 30 percent are from current employees, 28 percent from former employees, 26 percent from unknown hackers, 23 percent from competitors and 20 percent from current third parties.

I tend to believe more in the Verizon report (just a feeling rather than being based on any data). The one surprise for me in the PwC report was the assertion that competitors are the source of 23 percent of security incidents.

Cybersecurity's Growing Profile

I like and recommend a McKinsey article, "A new posture for cybersecurity in a networked world."

It has both useful information and excellent recommendations.

  • 75 percent of experts consider cybersecurity to be a top priority. That’s true even of industries like banking and automotive, which one might think would be preoccupied with other enormous risks that have emerged in recent years.
  • But while awareness is building, so is confusion. Executives are overwhelmed by the challenge. Only 16 percent said their companies are well prepared to deal with cyberrisk. The threat is only getting worse, as growth in most industries depends on new technology, such as artificial intelligence, advanced analytics, and the Internet of Things (IoT), that will bring all kinds of benefits but also expose companies and their customers to new kinds of cyberrisk, arriving in new ways.
  • A global insurance company’s experience indicates the potential. It budgeted $70 million for a comprehensive cybersecurity program. One year later, only a fraction of the planned measures had been implemented. Business units had put pressure on the IT department to prioritize changes they favored, such as a sales campaign and some new reports, at the expense of security measures, such as email encryption and multifactor authentication. The business units also took issue with the restrictions that came with cybersecurity measures, such as the extra efforts that went into data-loss prevention, and limitations on the use of third-party vendors in critical areas.
  • The previous White House administration identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation.” Worldwide, the threat from cyberattacks is growing both in numbers and intensity. Consider these figures: some companies are investing up to $500 million on cybersecurity; worldwide, more than 100 billion lines of code are created annually. Many companies report thousands of attacks every month, ranging from the trivial to the extremely serious. Several billion data sets are breached annually. Every year, hackers produce some 120 million new variants of malware. 
  • Yet despite all the new defenses, companies still need about 99 days on average to detect a covert attack.

McKinsey's recommendations include:

  • Cyberrisk needs to be treated as a risk-management issue, not an IT problem.
  • Companies must address cyberrisk in a business context. 

Unfortunately, McKinsey continues the traditional approach of assessing risk to information assets rather than to enterprise objectives.

The Moment of Truth

Now to my confession: In all my years as an IT auditor and then a CAE, I cannot recall ever assessing information security as being "adequate" or "effective." There has always been at least one significant issue.

For example, I remember one company where I was responsible for IT auditing that relied on security software and mechanisms provided by HP for its HP3000 computers and Image database systems. The vendor had told management its systems were secure. I didn’t think so and met with the CIO to share my views. His response was that I didn’t have any persuasive evidence given the assurance he had received from HP.

I asked for and received his permission to try to ‘hack’ the system myself. I would do so without any special knowledge, just access to a business user’s laptop (mine). A week or so later, I showed him a list of user IDs and passwords I had obtained. I had found one weak point and from there navigated my way to a security file.

Why share this confession?

I don’t think it's possible for any auditor ever to say information security these days is either "effective" or "adequate" — the best they can say is that it appears reasonable.

Reporting that it complies with a standard or is consistent with guidance in a framework doesn’t work for me. It wouldn't satisfy me if I was on the board.

Does this mean that we should give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open.

We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management. We should ask management whether they believe the risk to the organization from a breach is at acceptable levels and why. I would be highly skeptical if they said everything was under control.

Then the key is to see if they have thought everything through — all facets: prevention, detection and response — and that the risk assessment is based on the effect on enterprise objectives.

I welcome your comments.