GUEST BLOG:
One of the challenges when it comes to so-called “cybersecurity risk” is in accepting and then applying the idea that cyber is not an “IT risk.” No. It’s a business risk. That is easy to say, and it makes all the sense in the world. However, people tend to apply it only when talking about the fact that the whole organization, the entire business, has to be involved in preventing and then responding to a breach.
The truth is that cybersecurity must be seen within the context of the whole business, not in a silo.
So, what is the potential effect of a breach on the achievement of the enterprise’s objectives?
If we are to assess cyber-related business risk, we have to have the answer to that question. That requires the involvement in the assessment process of both business and technical personnel. Trying to assess cyber-related risk with only technical personnel is highly unlikely to come up with the right answer. Yet, the most widely accepted cyber-risk standards are written by information security personnel, for (in my opinion) other information security practitioners.
If internal auditors want to assess the management of cybersecurity risk, they should take a more holistic approach, starting with the answers to the question: “What is the potential effect of a breach on the achievement of the enterprise’s objectives?” An audit should probably include the participation of financial and operational auditors, and not be limited to the infosec experts.
In fact, the first step in any audit should be to determine whether management knows the answer! Then see whether they continue to know the answer as the business, technology, and the environment (including the hackers’ tools, techniques, and favorite targets) change.
If management has not completed and then maintained a business risk-oriented risk assessment that is integrated with enterprise risk management and decision-making, the audit team should consider calling the audit to a halt. If management doesn’t know where the risks are, what assurance does it have and what assurance can internal audit provide, that the right controls and security are in place?
The next step, the one I favor, is to determine whether the information security team has the necessary capabilities, position, and authority to address those risks. Only then would I consider assessing whether the measures in place are sufficient and effective.
Advice for Auditors on Cyber-risk
The IIA had different ideas when it published one of their newer pieces of ‘supplemental guidance’ in their 2020 Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk. The GTAG has some good and some not-so-good advice for auditors wishing to provide assurance, advice, and insight on cyber-related business risks.
This GTAG seems, however, to fall into the trap of assessing risks to information assets, rather than risks to the business, IT risks (whatever they are, absent the context of what the business is trying to achieve) vs. risks to the success of the business.
Let’s look and comment first at some excerpts. According to the guide, “Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.”
It also says, “Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete.”
Later in the guide, it notes, “The complexity of cybersecurity requires added layers of controls, such as monitoring for risk, detecting exploits as they happen, and prompting corrective action.”
I couldn’t disagree more on the first two of these excerpts. ITGC includes information security, which includes cybersecurity. Cyber is no different from what I was responsible for when Information Security reported to me at two financial institutions; what I evaluated as an IT auditor; or what my various Internal Audit teams assessed after I became a CAE.
The third quote is fine, although every source of significant risk needs to be monitored and the assessment updated at the speed of risk.
In another part of the report, the authors say, “Cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets — computers, networks, programs, and data — from unauthorized access.” In other words, IT Information Security.
“Cybersecurity risks are notably more dynamic than most traditional risks and necessitate a timely response.” More dynamic (volatile) than currency or commodity prices? I doubt it. Second, all risks require more than just a timely response, they require timely identification and assessment.
The report also states: “Cybersecurity is relevant to the systems that support an organization’s objectives related to the effectiveness and efficiency of operations, reliability of internal and external reporting, and compliance with applicable laws and regulations. An organization typically designs and implements cybersecurity controls across the organization to protect the integrity, confidentiality, and availability of information.”
The GTAG has correctly listed all the categories of objectives identified in the COSO Internal Control Framework. Nothing new here. But the controls need to be designed to address risks to the achievement of those objectives, a different dimension to “the integrity, confidentiality, and availability of information.”
The GTAG authors say, “Because assurance based on traditional, separate evaluations is not sufficient to keep up with the pace of cybersecurity risk, an innovative assurance strategy is required. Increasingly, continuous auditing techniques are needed to evaluate changes to security configurations, emerging risk outliers and trends, response times, and remediation activities.” I 100 percent disagree, and this is one of my primary problems with the GTAG. I will explain shortly.
The GTAG also says management should consider performing a business impact analysis (BIA). If management hasn’t done a BIA that identifies how a cyber incident could affect the achievement of its objectives, Internal Audit should immediately bring that to the attention of senior management and the board as a serious issue. Any risk assessment is likely to be wrong. If they have done one that only helps them prioritize information assets and does not enable multiple sources of risk (for example, not only cyber but also compliance, human resources, etc.) to be considered together when making a decision, the issue remains serious—but is easier to remedy.
The GTAG includes eight questions for a chief audit executive to consider.
It also has a Cybersecurity Risk Assessment Framework that has six components.
- Cybersecurity Governance
- Inventory of Information Assets
- Standard Security Configurations
- Information Access Management
- Prompt Response and Remediation
- Ongoing Monitoring
I will let you read and think about them. Instead, I want to be constructive. I will explain my two major issues and then suggest a far better approach.
It’s Not About Information Assets
One of the problems I have with the NIST, ISO, and FAIR standards and guidance is that they focus on ‘information assets’ and not on the business..
While the business cannot be considered absent IT-related risks and opportunities, those IT-related risks and opportunities cannot be considered absent the context of running the business and achieving objectives. Cyber (and other IT-related risks) should not be considered in a silo. Furthermore, cyber (and other IT-related risks) is just one source of risk that needs to be considered in decision-making.
In fact, a cyber incident can create a supply-chain, compliance, operational, financial, or other risk – because risk is inter-related. Similarly, a change in the supply chain such as the use of a new logistics company, or a change in operations or financial advisor, can change cybersecurity-related risks.
Cybersecurity risk assessment and treatment should be an integral part of the organization’s enterprise risk management program (ERM) and decision-making, not a siloed operation. If cybersecurity is not fully integrated, then Internal Audit should be reporting that to the board. We need to be concerned with risk to the ability of the organization to achieve its objectives, its purpose over time.
That is what a BIA should do, and it’s why the absence of one that is continually updated is a major issue that needs to be reported to the board and fixed. Internal Audit needs to rise above the silo and use its ability to see the whole, not just individual parts. Audit what might affect the organization, and that is likely to result in assessing cyber differently.
It’s Not About Doing It Ourselves
There’s too much focus on assessing what defenses are in place, and not nearly enough about whether management knows they have the right level of cybersecurity in place all the time. Note the ‘all the time’ qualifier in that sentence.
We shouldn’t be looking at continuously auditing cybersecurity (as suggested by the GTAG). Instead, we should be seeing if management not only has the right defenses at the time of our review, but will adapt them properly as risks change in the future.
Not only do we review their processes for cyber risk assessment (as an integral part of ERM), but review whether that assessment is continuously updated.
Forward-looking Assurance, Advice, and Insight
Any audit should provide our professional opinion on whether management’s processes and controls provide reasonable assurance that there is a low (i.e., acceptable) likelihood of a breach with an unacceptable effect on the organization and the achievement of its objectives.
Auditing what is in place today and whether it is sufficient to address today’s known risks is of limited value. Instead, audit whether management has the right capabilities in place today and is reasonably likely to have in the future.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
All audits should answer the question about the impact to the business to determine if they provide effective controls. Higher level auditors should have ongoing relations so the can pose these questions to senior business managers. Audit reports should reflect the potential impact on the business with its observations of inadequate controls.
Audit management has challenges to cross train its personnel since financial and IT auditors often don’ talk the same language.
Couldn’t agree more with perspectives shared here. One glaring gap I have observed in many engagements is also one that is often undermined. It is the absence or lack of specialist skills and understanding of business impact of cybersecurity risks amongst those playing a substantial role in ERM. The prevalence of this gap in the second line of defence goes almost unnoticed in comparison to internal auditors who are third line of defence. Irrespective these gaps should be identified recognised and bridged