
Is your Security Program Reducing Business Risk? -Expect More from your Internal Audit Function

Steve Williamson, Head of Internal Audit for Information Security and Data Privacy, GSK


If we look back five or more years, many CISOs were bemoaning the difficulty of getting cyber-security on the Board agenda.

In the present day, cyber-attacks often result in material financial loss and lasting reputational damage. This trend has elevated Cyber Security to the status of Enterprise Risk for most organisations.  Consequently, it is now on the Board agenda, and has ongoing attention from Audit Committees (be careful what you wish for).  This makes the CISO accountable for managing this risk in line with the organisation's risk appetite.  Similarly, Internal Audit, who are accountable to the Board, are increasingly challenged in providing reliable assurance that security controls are effective.

Protecting an organisation's digital assets is increasingly challenging as the attack surface is forever expanding. Digital transformations, cloud migrations, smart devices, and exponential data growth mean we have many more assets to protect. Few executives would deny the need for increased security spending. However, this is cash which could otherwise be invested in profit-generating projects, such as new product development. Balancing security investment against other business priorities means having a risk appetite. Thus, organisations accept that losses resulting from an inevitable breach are tolerable and will be offset by increased profit generated by business innovations. Such a risk calculation is loaded with assumptions, as losses may include finance costs, regulatory enforcement, and reputational damage. Nevertheless, this approach is more practicable than trying to protect everything through an all-encompassing security management system.

Many organisations think they are secure by virtue of their investment in cyber-security. Control frameworks, such as CIS Critical Security Controls and NIST, are widely adopted, and assurance is often provided through audit, accreditation, and maturity assessments. Yet, post-breach investigations often highlight basic security failures as the root cause. High profile attacks on organisations such as Equifax, Travelex, and British Airways were successful because basic security controls, which were thought to be in place, were not operating effectively.


For seasoned security practitioners, basic control weaknesses may not come as a surprise, because processes such as vulnerability management are genuinely complex due to an overwhelming volume of alerts and a high dependency on people. Other factors, such as how to deal with legacy and un-patchable assets, add to this complexity.

One may ask why Internal Audit did not identify the problems in the aforementioned data breaches. Internal Audit are the third line of defence, responsible for providing assurance to the Board. They should also serve as a trusted partner to the CISO by identifying significant control weaknesses, even if they originate in functions outside of his/her direct control.

Internal Audit have a unique position in an organisation as they can work across department boundaries, test processes end-to-end, and access all relevant data sources. To be truly effective in their mission, auditors need to use a range of testing methods and make use of automation and data analytics. Reviewing point-in-time documentation is superficial and unlikely to provide reliable assurance. Fortunately, many audit tasks can now be automated thanks to cloud computing platforms, which provide real-time compliance analytics, security health checks, process monitoring, and alerting. Thus, the tasks that previously involved laborious sampling and testing can be accomplished in a fraction of the time.

Another strong assurance technique is misuse-case testing.  Misuse cases describe threat actors and the tasks they want to perform.  For example, to defend against sensitive data exfiltration, a company may implement a Data Loss Prevention (DLP) tool.  Through misuse-case testing, auditors would attempt to execute a variety of threat scenarios to uncover weak links in a chain of controls. For example, one threat scenario would be a trusted insider transferring sensitive information to a personal email account or cloud storage bucket. Potential failure points would include:

  • Technology—ineffective rule set, which fails to trigger on certain suspicious events
  • Process—excessive delays in actioning alerts, or weak exception processes
  • People—data owners' failure to classify information correctly
  • Governance—misleading detection metrics, giving a false sense of assurance
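The following harness illustrates how an auditor might run the insider-exfiltration misuse case end-to-end and attribute each miss to one of the four failure points above. It is an added example, not code from the article or from GSK: the DLP rule set is a toy written as Python predicates rather than any vendor's policy language, the `SLA` value, the alert-queue records and the five scenarios are all constructed for the illustration, and the "reported closure rate" versus "true detection rate" comparison is one way of showing the governance point, not a metric the article defines.

```python
"""Misuse-case test harness for a DLP control chain (constructed example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # assumed SOC target for actioning a DLP alert


@dataclass(frozen=True)
class OutboundEvent:
    scenario: str        # misuse case being exercised
    channel: str         # "email" or "https"
    destination: str     # recipient address or upload host
    classification: str  # label set by the data owner; "" if unlabelled
    content: str         # fragment of the payload


# --- Technology layer: a constructed rule set (toy syntax, no vendor's) ---
PERSONAL_MAIL = re.compile(r"@(gmail|outlook|yahoo)\.com$")
PUBLIC_BUCKET = re.compile(r"\.(s3\.amazonaws\.com|blob\.core\.windows\.net)$")
CARD_NUMBER = re.compile(r"\b\d{4}(?: \d{4}){3}\b")  # space-separated PANs only


def rule_confidential_to_personal_mail(e: OutboundEvent) -> bool:
    return (e.channel == "email" and e.classification == "Confidential"
            and PERSONAL_MAIL.search(e.destination) is not None)


def rule_confidential_to_bucket(e: OutboundEvent) -> bool:
    return (e.channel == "https" and e.classification == "Confidential"
            and PUBLIC_BUCKET.search(e.destination) is not None)


def rule_card_number_in_content(e: OutboundEvent) -> bool:
    return CARD_NUMBER.search(e.content) is not None


RULES = {
    "confidential_to_personal_mail": rule_confidential_to_personal_mail,
    "confidential_to_bucket": rule_confidential_to_bucket,
    "card_number_in_content": rule_card_number_in_content,
}


def fired_rules(e: OutboundEvent) -> list[str]:
    """Names of the rules that would trigger on this outbound event."""
    return [name for name, rule in RULES.items() if rule(e)]


# --- Process layer: constructed alert-queue records ----------------------
# scenario -> (raised, actioned); actioned is None if still open at audit time.
T0 = datetime(2021, 3, 1, 9, 0)
NOW = T0 + timedelta(days=3)
ALERT_LOG = {
    "insider-mails-board-pack":   (T0, T0 + timedelta(hours=2)),
    "insider-uploads-trial-data": (T0, None),                       # never actioned
    "insider-mails-card-dump":    (T0, T0 + timedelta(hours=40)),   # breaches SLA
}

# --- Misuse cases: every one is an exfiltration that should be caught ----
SCENARIOS = [
    OutboundEvent("insider-mails-board-pack", "email", "me@gmail.com",
                  "Confidential", "Q4 board pack"),
    OutboundEvent("insider-uploads-trial-data", "https", "mine.s3.amazonaws.com",
                  "Confidential", "trial results"),
    OutboundEvent("insider-mails-card-dump", "email", "me@gmail.com",
                  "", "4111 1111 1111 1111"),
    OutboundEvent("insider-mails-unlabelled-list", "email", "me@gmail.com",
                  "", "customer list"),
    OutboundEvent("insider-uploads-to-filehost", "https",
                  "upload.personal-filehost.example", "Confidential", "merger memo"),
]


def failure_point(e: OutboundEvent, alert_log: dict, now: datetime) -> str:
    """Attribute a misuse case to the first weak link in the control chain."""
    if not fired_rules(e):
        # Nothing fired. If the owner never labelled the data, the rule set was
        # starved of the input it depends on (People); otherwise the rule set
        # itself has a gap (Technology).
        return "People" if e.classification == "" else "Technology"
    raised, actioned = alert_log.get(e.scenario, (None, None))
    if raised is None:
        return "Process"  # rule fired but no alert reached the queue
    closed_at = actioned if actioned is not None else now
    if closed_at - raised > SLA:
        return "Process"  # alert sat in the queue beyond the SLA
    return "Detected"


def assess(scenarios, alert_log, now):
    """Per-scenario attribution plus the two governance metrics."""
    results = {e.scenario: failure_point(e, alert_log, now) for e in scenarios}
    raised = [s for s, (r, _) in alert_log.items() if r is not None]
    closed = [s for s, (_, a) in alert_log.items() if a is not None]
    # What a dashboard typically reports: share of raised alerts that were closed.
    reported_closure_rate = len(closed) / len(raised)
    # What the audit question needs: share of misuse cases caught end-to-end.
    true_detection_rate = sum(v == "Detected" for v in results.values()) / len(scenarios)
    return results, reported_closure_rate, true_detection_rate


if __name__ == "__main__":
    results, closure, detection = assess(SCENARIOS, ALERT_LOG, NOW)
    for scenario, outcome in results.items():
        print(f"{scenario:32s} {outcome}")
    print(f"reported closure rate: {closure:.0%}   true detection rate: {detection:.0%}")
```

Run as a script, the harness lists one scenario per failure point and shows the dashboard figure (two of three alerts closed) sitting well above the end-to-end figure (one of five misuse cases actually stopped within the SLA), which is the gap between compliance metrics and risk reduction the article is describing.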

Today's security auditor needs to be skilled in both cyber-security and audit practices. They should be aligned with business risks, take a threat-based approach to testing and utilise security analytics.  They may also rely on offensive techniques such as penetration testing. However, the aim is not to simply report on vulnerabilities, but to uncover the root cause and provide insights to reduce the risk of material business losses.

In conclusion, a practical, risk-based approach to security would mean protecting the most valuable assets against the most likely threats by focussing on the controls which give the greatest risk reduction. Many victims of cyber-crime believe they had strong security controls in place, but post-breach investigations showed they were not operating effectively.  Internal Audit play a key role in an organisation's cyber defence by identifying control weaknesses and providing insights to the CISO.
