Cybersecurity - TMHor Space

Reshape Audit’s Roles On Cybersecurity

Cybersecurity audits involve unique practices not commonly found in general business audits. These practices focus on specific cyber regulations, security policies, industry frameworks, digital threats, controls, and real-time risk detection, which are distinct from traditional financial or operational audits.

Most cyber audits assess compliance against documented policies, control measures, and procedures, which serve as the baseline for evaluation. Like a report card to the cyber chief, the audit verdict varies by major or minor findings, non-compliance or observations for improvement. When no exceptions are noted, a standard disclaimer is often included: “Only samples are taken; the audit does not represent a comprehensive review.” In any case, the outcome tends to be neither encouraging nor insightful, suggesting that checklist-driven audits serve compliance more than they deliver value.

Tech staff, overwhelmed by repetitive audit paperwork, find that compliance checklists often take precedence over addressing emerging threats. Audit tends to check against documents prepared by auditees, which may be incomplete or outdated, thus giving a false sense of security. Moreover, audit observations are often made on finished products, leaving risks exposed for far too long when they should have been addressed during development.

According to the Institute of Internal Auditors’ Three Lines Model, Internal Audit (Audit) assumes the third-line role: providing objective assessments of compliance and assurance, with accountability to the governing body. While independence is essential, it should not hinder Audit’s professional growth or its proactive engagement in addressing potential blind spots overlooked by tech teams. Continuous learning and value addition are key success factors for a transformative audit role. These enable Audit to collaborate with the cyber chief, not as a watchdog but as a partner offering meaningful insight into risk and controls.

Collaborate For Compliance

Concerns about conflict of interest (COI) often discourage collaboration, with the view that audits should not become consulting exercises. The belief that audits must only evaluate, not advise is unfounded.

Compliance is both a Key Performance Indicator (KPI) and a goal. Unlike KPIs, goals such as achieving Zero Findings represent a shared aspiration between Audit and the cyber chief. Both sides work together toward this ideal. There is no COI because the goal reflects the organization’s broader ambition for a flawless security posture.

A typical KPI, such as the number of findings per audit, may be used to gauge Audit’s performance. More findings might imply diligence and quality work yet simultaneously reflect poorly on the auditee. This apparent contradiction is best resolved by recognizing that KPIs serve diagnostic and process improvement functions, not individual performance evaluation, while goals set the aspirational direction.

Collaborate for Continuous Learning

Cybersecurity presents a steep learning curve for Audit, demanding full-time effort to stay abreast of growing technical complexity. A collaborative role allows Audit to work closely with the cyber chief for continuous learning. Real-life practices, security events, and incidents can reinforce this learning. Together, they can share concerns, align critical controls, and evaluate business impacts to ensure compliance at an optimal level.

AI-assisted audits are maturing, giving Audit greater confidence in this evolving role. Some AI models can now analyze vast amounts of incoming data to detect attack profiles and assess countermeasures in real time. They can identify abnormal authentication patterns like excessive login failures, understand intricate protocols and transactions between servers and clients, and assign appropriate risk levels to findings.

Another practical AI use is code analysis, which flags security loopholes and missing controls for compliance purposes. What was once a “coding myth” is now accessible and intelligible to auditors.

Collaborate For Project Work

The IT project lifecycle includes interconnected stages from planning, design, and development to testing, operations, and eventual decommissioning. Each requires built-in cybersecurity. As the saying goes, a stitch in time saves nine; rework at any stage can be costly and delay time-to-market.

A participative Audit role in project work enables just-in-time guidance, for example, highlighting missing access logs or control gaps that could lead to internal fraud. More importantly, this presents Audit as a value-adding partner rather than a bureaucratic obstacle.

Collaborate In Cyber Drills

There is growing number of organizations mandating table-top exercises and cyber drills as to prepare the business leaders, tech staff and users in responses to cyberattacks, and be apprised of their roles in service recovery and media communication. However, the planned scenarios in the drills are limited to the staff awareness of the existential threats without accounting for unexpected episodes in real-life like absentee key personnel, missing resources or previously undetected breaches that surface during the drill. Audit, with its external perspective, can introduce such realistic variables into the scenario, serving as a reality check that enhances the drill’s effectiveness.

Collaborate for Staff Development

Tech teams struggle to keep up with fast-evolving domains such as cloud computing, virtualization, and generative or agentic AI. Constrained by limited workforce and training budgets, some resort to trial-and-error or stopgap fixes, leaving root causes unresolved.

While we often focus on business or technology risks, we may overlook the underlying issue or impeding risk of staff competency. Audit, through compliance assessment, can help identify and flag competency gaps, an unconventional yet valuable contribution to workforce development.

Conclusions

The broad scope of audit functions is crucial to keeping stakeholder trust and public confidence in corporate governance. Transitioning Audit into a collaborative role does not mean sacrificing compliance; it means evolving it to be more practical, risk-aware, and value-driven.

AI marks a significant inflection point after years of stagnant checklist-driven audits. It introduces new levels of capability, precision, and adaptability for assessing cyber risks; it enables Audit to rise to a more strategic role in the digital age.

Copyedit: ChatGPT

Becoming an Effective Board on Cybersecurity

A board directorship is a prestigious appointment, signaling public recognition of an individual’s industry expertise, business acumen, and leadership qualities. According to PwC’s 2024 Annual Corporate Director Survey, 13% of board directors reported that their boards had added someone with cybersecurity expertise in the past year. Given a typical term of five years, most corporations should have dedicated board oversight of cyber matters. However, what does it take to be effective?

Among the many cybersecurity challenges, some argue that the board should focus on governance and strategy rather than technology and operations, even though these are integral to cyber safety. Certainly, a sensible approach is that the board neither interferes with daily operations nor loses touch with on-the-ground realities. However, an overly narrow focus on governance and strategy can backfire, overlooking volatile business and operational changes that leave the organization more vulnerable.

In the aftermath of a security breach, every cybersecurity chief is prepared to address the board’s anticipated inquiries: How did it happen? Who is affected? What are the damages? While the report may highlight technical missteps and lessons learned, it often sidelines underlying office politics and unclear risk ownership. To uncover these issues, the board must cut through technical jargon and probe deeper.

Given its fiduciary role, the board is best positioned to confront the most insidious aspects of cybersecurity, such as near misses, risk ownership, peer comparisons, and even the probability of being hacked—critical issues that rarely make it onto the agenda.

Focus on Near Misses

Today, many boards mandate incident updates within 48 to 72 hours. Some require the same for significant cyberattacks on critical services and infrastructure. Analyzing these cases helps identify weaknesses, refine security controls, and prevent future incidents.

Learning from actual incidents, however, is costly and painful, often reflecting poorly on performance. Instead, the board can learn from near misses—situations where threats were detected and mitigated before causing harm. Near misses are positive indicators, encouraging staff to strive for improvement rather than fear repercussions. When risk owners feel less defensive and more receptive to issues raised, the organization benefits. After all, understanding near misses confirms that safeguards are working as intended—or that luck played a role, prompting further scrutiny.

Identify the Risk Owners

Who owns cybersecurity risk? This is a compelling question for the board, yet it has no straightforward answer. While many assume the cybersecurity chief is the risk owner, this perspective is incomplete and can obscure deeper accountability issues within an organization’s hierarchy.

Cybersecurity is a long-tail risk, with repercussions that can span years. Consider a massive personal data breach: the organization could face prolonged lawsuits, hefty regulatory penalties, job losses, and the need for fresh capital to overhaul its defense strategies. Restoring reputation and customer trust could take years. Clearly, no single individual can bear full ownership of these risks.

According to ChatGPT, a risk owner in cybersecurity is responsible for managing and mitigating risks associated with a specific asset, process, data set, or business function—a definition I fully support. For example, corporate infrastructure is a tangible asset, payroll is a financial process, staff training is an HR function, and regulatory compliance falls under legal purview. These risks span multiple business leaders across technology, finance, human resources, and legal and compliance—each of whom is responsible for ensuring compliance and security within their domain.

By setting the tone from the top and clearly assigning ownership, the board can break down silos and prevent disputes over responsibilities in data protection, security controls, and cybersecurity exigencies.

Ask for Peer Comparisons

We are accustomed to grading systems in school, where a pass mark is 50 out of 100. It is appealing to think that cyber risk could be similarly quantified, scored, and benchmarked against peers. Doing so would help align board assessments, track progress, optimize security spending, and negotiate appropriate cyber insurance coverage.

There are tools and services that assess cybersecurity posture by simulating an external threat actor scanning for vulnerabilities. However, since organizations vary in industry, size, technology, risk treatment, and appetite, the self-determined passing mark should be taken with caution. Nonetheless, benchmarking against peers in the same industry provides valuable insights.

Know Your Hacking Probability

When the board is satisfied with regular cybersecurity updates, existing mitigations, and business-as-usual operations, one critical question remains: What is the probability of being hacked in the next 12 months? Since perfect security is unattainable, a data-driven approach offers insight into the likelihood of a breach, potential attack vectors, and staff preparedness.

Simply put, the probability of a successful cyber breach is a function of attack vectors and defensive controls. For example, to model a takeover attack on an administrator account with privileged access, one must consider prevalent attack vectors such as social engineering, malware infections, and password spraying. Then, mitigating measures such as endpoint protection, two-factor authentication, and privileged account management must be factored in. Running simulations with repeated interactions can yield probabilities of an event occurring within a given timeframe. Nowadays, AI models can further refine risk assessments in complex environments with interdependent variables.

Conclusion

An effective board is not confined to governance and strategy. It plays a crucial role in fostering a collaborative environment where the cybersecurity chief and risk owners work together cohesively. It must be willing to challenge the status quo and trigger critical thinking. It drives a cultural shift, emphasizing that the best time to strengthen cybersecurity is during periods of stability, rather than waiting for a crisis. We must remain vigilant, ensuring cybersecurity always remains a priority.

Drills For Cybersecurity Fitness

Not just in personal finance, but also in cybersecurity, the phrase “making hay while the sun shines” holds true. Cyber threats are persistent but often remain concealed until they strike. In such unfortunate instances, the safeguards you expected to work have failed, and your secure coding checklist was not followed. To make matters worse, a standby service has failed to activate, and the log files for crucial insights of the attack have gone missing. Moreover, rumour-heard reporters kept reaching out to you for details. As an example, this episode could begin with a seemingly benign web defacement and escalate to a massive SQL Injection, compromising sensitive data, causing prolonged service outages, and leaving uncertainties about the timeline and sources of the attack, despite painstaking investigation.

Many companies invest heavily in cybersecurity but pay less attention to its ongoing operations. This is not by choice but due to prioritization constraints. Tech staff often face hectic schedules and long working hours. One moment, we are racing against time to meet project deadlines; the next, we are scrambling to recover from system outages. On quieter days, we conduct training sessions, attend sales pitches, experiment with emerging technologies, and endure the monotony of meetings. If any time remains, we work on procurement tenders, technical documentation, reports, and assist with recruitment. After getting home late, we clear urgent emails, get a few hours of rest, and repeat the routine the next day. As a result, aspects of cybersecurity that are not immediately pressing are often neglected. Over time, we let our guard down, allowing the busyness to take over our minds.

Just as regular exercise is essential for maintaining physical health, consistent drills are necessary to ensure cybersecurity fitness. These drills help confirm that all safeguards, processes, and alerts remain effective and operate as intended. Most importantly, they allow businesses, staff, users, and vendors to identify any missteps and validate assumptions made from the last review, and be ready for actions should crisis erupts.

Penetration Test

The idea behind a penetration test (Pentest) is to identify our own vulnerabilities before our adversaries do. The tools allow us to scan the entire network, mapping out hosts, operating systems, protocols, services, and versions in use, and critically uncover any shadow IT without our knowledge. With scripting, we can simulate common attacks like brute-force attempts on websites and databases. It can, also, check against a list of Common Vulnerabilities and Exposures (CVEs) such as SQL Injection and Cross-Site Scripting, etc., and alert us if our hosts were indeed vulnerable. Over time, the accomplished Pentest and its checklist could serve as a key performance indicator of the enterprise and to be tracked yearly.

Red Teaming

Unlike penetration testing that aims to uncover vulnerabilities, Red Teaming simulates a threat actor’s thought process to target specific assets, whether personal data, intellectual property, critical services, or privileged access for financial gain. This exercise tests various methods and pathways to bypass corporate defenses, evade surveillance systems, and exploit both system and human vulnerabilities within an organization, all while leaving no trace.

For example, understanding that remote reconnaissance might be blocked by corporate firewalls, the Red Team could exploit exposed remote access services to establish a covert foothold. This allows them to bypass perimeter defenses and advance the exploits further, such as harvesting login credentials and creating shadow accounts with elevated privileges to exfiltrate sensitive data. In another scenario, the Red Team might study the organization’s hierarchy, impersonating a procurement officer to submit fraudulent purchase orders to suppliers or posing as a newly hired senior executive to trick employees for financial gain.

From denial-of-service attacks to DLL sideloading, DNS poisoning, identity theft, ransomware, social engineering, spear phishing, and SQL injection, Red Teaming adapts its attack vectors to bypass specific defenses. As cyber threats evolve rapidly, it is advisable to engage external Red Team services, as these vendors bring a wealth of experience and up-to-date industry knowledge.

Phishing Drills

Phishing attacks are inexpensive to launch but highly effective. They exploit human emotions such as fear, greed, empathy, and curiosity. A single inadvertent click or screen touch can lead to disastrous consequences for an organization, and with finger-tip access to Generative AI and deepfakes, it has made it worse. While technology can provide some level of protection, regular drills and user education are far more effective in mitigating human error. But are there supporting data?

A well-designed phishing drill can help test several assumptions. First, does the relevance of the drill’s theme affect the likelihood of falling prey? For instance, general staff may be quick to click on an announcement about pay structures, while healthcare professionals might be more concerned with changes in patient care regulations. Second, do regular reminders from corporate leadership help reduce phishing click rates? Third, are employees who are subjected to regular drills less susceptible than those in a control group?

The results from previous drills I’ve experienced were encouraging. Staff members were particularly vulnerable to phishing emails related to organizational matters, with a 24% fall-prey rate compared to just 8% for other themes. The drills themselves were highly effective, reducing the click rate to 15% for those who received two rounds of practice, compared to 18% for the control group. However, management intervention, such as reminders from corporate leadership, did not significantly reduce the click rate.

That said, phishing drills aren’t without challenges. They can cause resentment, erode trust among staff, and may not even be effective, according to The Wall Street Journal reports from October 2023 and February 2025. Still, they remain a worthwhile exercise as they address the reality that individuals are often the weakest link in an organization’s security.

Table-Top Exercise

A cyber breach can cause far-reaching damage to an organization beyond just its infrastructure and systems. This includes business disruption, potential privacy violations, financial and reputational losses, legal claims, regulatory penalties, and more. With so much at stake, incident response should not be confined to the tech team alone but must also involve business partners and corporate leadership, including the heads of communications and legal.

In the event of a breach, time is of the essence. The tech team must sift through vast amounts of data and devices to identify the source of the attack and neutralize it. The situation can quickly become chaotic, with team members rushing into action from all directions, calling for additional resources, deciding on the best course of action, issuing public communications, and updating users and board executives, all while new findings and hypotheses continue to emerge.

Infrequent though they may be, cyber breaches can leave both tech and corporate leadership unprepared. Some team members may be unclear about their roles, while others could be distracted by irrelevant system issues. This is where a tabletop exercise becomes invaluable. By working through realistic scenarios, the interdisciplinary incident response team can familiarize themselves with their roles, actions, procedures, and responses in the event of a breach. Only when our response becomes as automatic as a muscle reflex can we contain an attack and minimize damage as quickly as possible.

Finally, with regular drills, we will be prepared to defend, recover quickly, and minimize losses in the event of a breach.

*Copyedit: ChatGPT

Cyber Safeguards Against Human Lapses

Whether you are a novice or a seasoned professional, one of the great advantages of working in cybersecurity is the availability of well-established industry frameworks and standards. These include concepts like Zero Trust Security, Secure by Design, Defense in Depth, and guidelines from the National Institute of Standards and Technology (NIST). These frameworks offer excellent guidance on security strategies, designs, and practices. However, selecting the most effective safeguards for your specific organization requires significant on-the-job experience and possibly, lessons learned from past headline-making incidents.

Some organizations, driven by a fear of cyber threats, may choose to implement as many safeguards as their budget allows. Others might assess their risk profile, quantifying the likelihood and impact of various attack scenarios to determine the essential protections. However, neither approach is ideal. An excess of defensive solutions can create a false sense of security, expand the attack surface, and unnecessarily inconvenience users. Conversely, focusing solely on risks from potential attacks can overlook the critical human factor.

Humans are often the weakest link in cybersecurity. End users with poor cyber hygiene, who are unaware of phishing attempts and security patches, or who continue to use outdated software, pose a constant threat. However, it’s important to recognize that even the most seasoned tech staff can be part of this vulnerability. Network engineers, server administrators, and software developers are only human, and a momentary lapse in judgment could lead to dire consequences. These individuals often hold privileged credentials, which, if compromised, could allow attackers to create backdoors into servers, inject malware, or crack user passwords across the organization.

In my decades of experience as a tech chief, I have seen that the most malicious attacks require the exploitation of three key assets: the corporate network, a login identity, and a device. Unfortunately, many organizations fall victim to attacks because the human element, which serves as the first line of defense, is inadvertently compromised.

Capitalizing on Private IP Addresses

Personal computers, by design, are often viewed as devices that individuals can use with minimal restrictions. This includes the freedom to share folders and files, and to run freeware and shareware. However, the influx of thousands of “install-and-forget” Internet-of-Things (IoT) sensors and personal smart gadgets into corporate networks has made it increasingly difficult to strike a balance between mitigating endpoint exposures and providing a user-friendly experience.

One effective protection against attacks, particularly Zero-Day threats from the Internet, is the use of private IP addresses. These addresses are not routable, meaning that servers, applications, desktops, IoT devices, and other resources within this address space are not reachable from the outside. This effectively blocks malicious probes and connection requests from ever reaching them.

Enforcing Network Admission Control

Internally, the combination of user lapses and the sheer scale of desktop computers presents significant risks. It’s not uncommon to find misconfigured folders with open access to sensitive data, outdated software with known vulnerabilities, or desktops lacking the anti-malware provisions that should have been in place from day one.

With Internet ingress heavily guarded by firewalls and virtual private networks, adversaries often target users’ desktops as a soft entry point into the enterprise. Known as lateral movement in cybersecurity, this tactic allows attackers to conduct reconnaissance, exploit identities, escalate privileges, and eventually target high-value resources.

To mitigate user lapses, it’s crucial to limit users’ rights to make indiscriminate changes to their desktops. If this isn’t feasible administratively, Network Admission Control (NAC) should be adopted to enforce compliance before allowing any desktop to connect to the network. The enrollment process should ensure that all legitimate and authenticated devices are registered centrally. Upon user login, NAC will check for compliance against a pre-qualified list of cybersecurity safeguards, such as excessive rights or signs of infection. This is particularly valuable in complex environments with multiple operating systems, hardware, and software profiles.

Automating Security Patches and Configurations

A moment of human error can be costly for an enterprise. Relying too heavily on memory, written standard operating procedures (SOPs), or common practices often falls short when it comes to addressing anomalies. Server administrators are inundated with software updates, bug fixes, security patches, and configuration changes daily. A missed patch on one of thousands of servers might go unnoticed until it’s too late, especially if that server was supposed to be taken offline months ago but becomes the initial point of entry for a lateral move attack.

With frequent server additions, removals, and configuration changes, it’s essential for server administrators to maintain continuous visibility of all servers, be promptly alerted to security patches and dubious changes, and have confidence in an accurate asset list for remediation.

Patch and Configuration Management (PCM) automates asset tracking, checks for pending software updates and security patches, and applies remediation. As with any automation, it’s crucial to establish a process with identified control points before implementing the tools around it. In the case of PCM, ensuring that the enterprise keeps an up-to-date server inventory is pivotal to the overall cybersecurity operation.

Locking Up Privileged Credentials

Most user access to corporate resources is now protected by two-factor authentication (2FA). While not perfect due to risks like phishing and lifelike login pages, 2FA is still a reasonable safeguard for general user logins. However, when it comes to privileged credentials with full control and access over databases, log files, memory dumps, and the ability to spawn new processes across all servers, the stakes are much higher.

Integrating 2FA for privileged credentials in a heterogeneous environment, with a mix of third-party cloud applications, proprietary core business management software, and network and security appliances, is not always straightforward. Furthermore, the human factor often comes under scrutiny during audits. For example, should admin credentials be disabled when idle? Are there improper uses when there is no record of access? Should credentials be changed after each use? With staff turnover, disgruntled employees, and operational lapses, audits, rightfully highlight the need for action.

Like a bank managing deposits and withdrawals, organizations should use automation and tools to secure privileged credentials and allow access only upon approval. These tools can enforce audit trails, check out privileged credentials, set time limits for use, check them in upon expiry, and change passwords without the tech staff’s knowledge. Effectively, nobody should have access to privileged credentials unless cleared through the control process.

Final Thoughts

From the boardroom to the executive suite, very few would argue against investing in cybersecurity. However, one provocative thought I encountered is that even the top companies by market capitalization, despite significant cybersecurity investments, still get hacked. My response? The key to success isn’t just how much you spend, but the people on the job—those who can make or break your security efforts.

Ultimately, the effectiveness of cybersecurity lies not just in technology but in the people who implement, manage, and use it.

*Copyedit: ChatGPT