If we look back five or more years, many CISOs were bemoaning the difficulty of getting cyber-security on the Board agenda.
In the present day, cyber-attacks often result in material financial loss and lasting reputational damage. This trend has elevated Cyber Security to the status of Enterprise Risk for most organisations. Consequently, it is now on the Board agenda, and has ongoing attention from Audit Committees (be careful what you wish for). This makes the CISO accountable for managing this risk in line with the organisation's risk appetite. Similarly, Internal Audit, who are accountable to the Board, are increasingly challenged in providing reliable assurance that security controls are effective.
Protecting an organisation's digital assets is increasingly challenging as the attack surface is forever expanding. Digital transformations, cloud migrations, smart devices, and exponential data growth mean we have many more assets to protect. Few executives would deny the need for increased security spending. However, this is cash which could otherwise be invested in profit-generating projects, such as new product development. Balancing security investment against other business priorities means having a risk appetite. Thus, organisations accept that losses resulting from an inevitable breach are tolerable and will be offset by increased profit generated by business innovations. Such a risk calculation is loaded with assumptions, as losses may include finance costs, regulatory enforcement, and reputational damage. Nevertheless, this approach is more practicable than trying to protect everything through an all-encompassing security management system.
Many organisations think they are secure by virtue of their investment in cyber-security. Control frameworks, such as CIS Critical Security Controls and NIST, are widely adopted, and assurance is often provided through audit, accreditation, and maturity assessments. Yet, post-breach investigations often highlight basic security failures as the root cause. High profile attacks on organisations such as Equifax, Travelex, and British Airways were successful because basic security controls, which were thought to be in place, were not operating effectively.
For seasoned security practitioners, basic control weaknesses may not come as a surprise, because processes such as vulnerability management are genuinely complex due to an overwhelming volume of alerts and a high dependency on people. Other factors, such as how to deal with legacy and un-patchable assets, add to this complexity.
One may ask why Internal Audit did not identify the problems in the aforementioned data breaches. Internal Audit are the third line of defence, responsible for providing assurance to the Board. They should also serve as a trusted partner to the CISO by identifying significant control weaknesses, even if they originate in functions outside of his/her direct control.
Internal Audit have a unique position in an organisation as they can work across department boundaries, test processes end-to-end, and access all relevant data sources. To be truly effective in their mission, auditors need to use a range of testing methods and make use of automation and data analytics. Reviewing point-in-time documentation is superficial and unlikely to provide reliable assurance. Fortunately, many audit tasks can now be automated thanks to cloud computing platforms, which provide real-time compliance analytics, security health checks, process monitoring, and alerting. Thus, tasks that previously involved laborious sampling and testing can be accomplished in a fraction of the time.
Another strong assurance technique is misuse-case testing. Misuse cases describe threat actors and the tasks they want to perform. For example, to defend against sensitive data exfiltration, a company may implement a Data Loss Prevention (DLP) tool. Through misuse-case testing, auditors would attempt to execute a variety of threat scenarios to uncover weak links in a chain of controls. For example, one threat scenario would be a trusted insider transferring sensitive information to a personal email account or cloud storage bucket. Potential failure points would include:
Today's security auditor needs to be skilled in both cyber-security and audit practices. They should be aligned with business risks, take a threat-based approach to testing, and utilise security analytics. They may also rely on offensive techniques such as penetration testing. However, the aim is not simply to report on vulnerabilities, but to uncover the root cause and provide insights to reduce the risk of material business losses.
In conclusion, a practical, risk-based approach to security would mean protecting the most valuable assets against the most likely threats by focussing on the controls which give the greatest risk reduction. Many victims of cyber-crime believe they had strong security controls in place, but post-breach investigations showed they were not operating effectively. Internal Audit play a key role in an organisation's cyber defence by identifying control weaknesses and providing insights to the CISO.