Tag: CyberRisk

Reshape Audit’s Roles On Cybersecurity

Cybersecurity audits involve unique practices not commonly found in general business audits. These practices focus on specific cyber regulations, security policies, industry frameworks, digital threats, controls, and real-time risk detection, which are distinct from traditional financial or operational audits.

Most cyber audits assess compliance against documented policies, control measures, and procedures, which serve as the baseline for evaluation. Like a report card to the cyber chief, the audit verdict varies by major or minor findings, non-compliance or observations for improvement. When no exceptions are noted, a standard disclaimer is often included: “Only samples are taken; the audit does not represent a comprehensive review.” In any case, the outcome tends to be neither encouraging nor insightful, suggesting that checklist-driven audits serve compliance more than they deliver value.

Tech staff, overwhelmed by repetitive audit paperwork, find that compliance checklists often take precedence over addressing emerging threats. Audit tends to check against documents prepared by auditees, which may be incomplete or outdated, thus giving a false sense of security. Moreover, audit observations are often made on finished products, leaving risks exposed for far too long when they should have been addressed during development.

According to the Institute of Internal Auditors’ Three Lines Model, Internal Audit (Audit) assumes the third-line role: providing objective assessments of compliance and assurance, with accountability to the governing body. While independence is essential, it should not hinder Audit’s professional growth or its proactive engagement in addressing potential blind spots overlooked by tech teams. Continuous learning and value addition are key success factors for a transformative audit role. These enable Audit to collaborate with the cyber chief, not as a watchdog but as a partner offering meaningful insight into risk and controls.

Collaborate For Compliance

Concerns about conflict of interest (COI) often discourage collaboration, with the view that audits should not become consulting exercises. The belief that audits must only evaluate, not advise is unfounded.

Compliance is both a Key Performance Indicator (KPI) and a goal. Unlike KPIs, goals such as achieving Zero Findings represent a shared aspiration between Audit and the cyber chief. Both sides work together toward this ideal. There is no COI because the goal reflects the organization’s broader ambition for a flawless security posture.

A typical KPI, such as the number of findings per audit, may be used to gauge Audit’s performance. More findings might imply diligence and quality work yet simultaneously reflect poorly on the auditee. This apparent contradiction is best resolved by recognizing that KPIs serve diagnostic and process improvement functions, not individual performance evaluation, while goals set the aspirational direction.

Collaborate for Continuous Learning

Cybersecurity presents a steep learning curve for Audit, demanding full-time effort to stay abreast of growing technical complexity. A collaborative role allows Audit to work closely with the cyber chief for continuous learning. Real-life practices, security events, and incidents can reinforce this learning. Together, they can share concerns, align critical controls, and evaluate business impacts to ensure compliance at an optimal level.

AI-assisted audits are maturing, giving Audit greater confidence in this evolving role. Some AI models can now analyze vast amounts of incoming data to detect attack profiles and assess countermeasures in real time. They can identify abnormal authentication patterns like excessive login failures, understand intricate protocols and transactions between servers and clients, and assign appropriate risk levels to findings.

Another practical AI use is code analysis, which flags security loopholes and missing controls for compliance purposes. What was once a “coding myth” is now accessible and intelligible to auditors.

Collaborate For Project Work

The IT project lifecycle includes interconnected stages from planning, design, and development to testing, operations, and eventual decommissioning. Each requires built-in cybersecurity. As the saying goes, a stitch in time saves nine; rework at any stage can be costly and delay time-to-market.

A participative Audit role in project work enables just-in-time guidance, for example, highlighting missing access logs or control gaps that could lead to internal fraud. More importantly, this presents Audit as a value-adding partner rather than a bureaucratic obstacle.

Collaborate In Cyber Drills

There is growing number of organizations mandating table-top exercises and cyber drills as to prepare the business leaders, tech staff and users in responses to cyberattacks, and be apprised of their roles in service recovery and media communication. However, the planned scenarios in the drills are limited to the staff awareness of the existential threats without accounting for unexpected episodes in real-life like absentee key personnel, missing resources or previously undetected breaches that surface during the drill. Audit, with its external perspective, can introduce such realistic variables into the scenario, serving as a reality check that enhances the drill’s effectiveness.

Collaborate for Staff Development

Tech teams struggle to keep up with fast-evolving domains such as cloud computing, virtualization, and generative or agentic AI. Constrained by limited workforce and training budgets, some resort to trial-and-error or stopgap fixes, leaving root causes unresolved.

While we often focus on business or technology risks, we may overlook the underlying issue or impeding risk of staff competency. Audit, through compliance assessment, can help identify and flag competency gaps, an unconventional yet valuable contribution to workforce development.

Conclusions

The broad scope of audit functions is crucial to keeping stakeholder trust and public confidence in corporate governance. Transitioning Audit into a collaborative role does not mean sacrificing compliance; it means evolving it to be more practical, risk-aware, and value-driven.

AI marks a significant inflection point after years of stagnant checklist-driven audits. It introduces new levels of capability, precision, and adaptability for assessing cyber risks; it enables Audit to rise to a more strategic role in the digital age.

Copyedit: ChatGPT

Becoming an Effective Board on Cybersecurity

A board directorship is a prestigious appointment, signaling public recognition of an individual’s industry expertise, business acumen, and leadership qualities. According to PwC’s 2024 Annual Corporate Director Survey, 13% of board directors reported that their boards had added someone with cybersecurity expertise in the past year. Given a typical term of five years, most corporations should have dedicated board oversight of cyber matters. However, what does it take to be effective?

Among the many cybersecurity challenges, some argue that the board should focus on governance and strategy rather than technology and operations, even though these are integral to cyber safety. Certainly, a sensible approach is that the board neither interferes with daily operations nor loses touch with on-the-ground realities. However, an overly narrow focus on governance and strategy can backfire, overlooking volatile business and operational changes that leave the organization more vulnerable.

In the aftermath of a security breach, every cybersecurity chief is prepared to address the board’s anticipated inquiries: How did it happen? Who is affected? What are the damages? While the report may highlight technical missteps and lessons learned, it often sidelines underlying office politics and unclear risk ownership. To uncover these issues, the board must cut through technical jargon and probe deeper.

Given its fiduciary role, the board is best positioned to confront the most insidious aspects of cybersecurity, such as near misses, risk ownership, peer comparisons, and even the probability of being hacked—critical issues that rarely make it onto the agenda.

Focus on Near Misses

Today, many boards mandate incident updates within 48 to 72 hours. Some require the same for significant cyberattacks on critical services and infrastructure. Analyzing these cases helps identify weaknesses, refine security controls, and prevent future incidents.

Learning from actual incidents, however, is costly and painful, often reflecting poorly on performance. Instead, the board can learn from near misses—situations where threats were detected and mitigated before causing harm. Near misses are positive indicators, encouraging staff to strive for improvement rather than fear repercussions. When risk owners feel less defensive and more receptive to issues raised, the organization benefits. After all, understanding near misses confirms that safeguards are working as intended—or that luck played a role, prompting further scrutiny.

Identify the Risk Owners

Who owns cybersecurity risk? This is a compelling question for the board, yet it has no straightforward answer. While many assume the cybersecurity chief is the risk owner, this perspective is incomplete and can obscure deeper accountability issues within an organization’s hierarchy.

Cybersecurity is a long-tail risk, with repercussions that can span years. Consider a massive personal data breach: the organization could face prolonged lawsuits, hefty regulatory penalties, job losses, and the need for fresh capital to overhaul its defense strategies. Restoring reputation and customer trust could take years. Clearly, no single individual can bear full ownership of these risks.

According to ChatGPT, a risk owner in cybersecurity is responsible for managing and mitigating risks associated with a specific asset, process, data set, or business function—a definition I fully support. For example, corporate infrastructure is a tangible asset, payroll is a financial process, staff training is an HR function, and regulatory compliance falls under legal purview. These risks span multiple business leaders across technology, finance, human resources, and legal and compliance—each of whom is responsible for ensuring compliance and security within their domain.

By setting the tone from the top and clearly assigning ownership, the board can break down silos and prevent disputes over responsibilities in data protection, security controls, and cybersecurity exigencies.

Ask for Peer Comparisons

We are accustomed to grading systems in school, where a pass mark is 50 out of 100. It is appealing to think that cyber risk could be similarly quantified, scored, and benchmarked against peers. Doing so would help align board assessments, track progress, optimize security spending, and negotiate appropriate cyber insurance coverage.

There are tools and services that assess cybersecurity posture by simulating an external threat actor scanning for vulnerabilities. However, since organizations vary in industry, size, technology, risk treatment, and appetite, the self-determined passing mark should be taken with caution. Nonetheless, benchmarking against peers in the same industry provides valuable insights.

Know Your Hacking Probability

When the board is satisfied with regular cybersecurity updates, existing mitigations, and business-as-usual operations, one critical question remains: What is the probability of being hacked in the next 12 months? Since perfect security is unattainable, a data-driven approach offers insight into the likelihood of a breach, potential attack vectors, and staff preparedness.

Simply put, the probability of a successful cyber breach is a function of attack vectors and defensive controls. For example, to model a takeover attack on an administrator account with privileged access, one must consider prevalent attack vectors such as social engineering, malware infections, and password spraying. Then, mitigating measures such as endpoint protection, two-factor authentication, and privileged account management must be factored in. Running simulations with repeated interactions can yield probabilities of an event occurring within a given timeframe. Nowadays, AI models can further refine risk assessments in complex environments with interdependent variables.

Conclusion

An effective board is not confined to governance and strategy. It plays a crucial role in fostering a collaborative environment where the cybersecurity chief and risk owners work together cohesively. It must be willing to challenge the status quo and trigger critical thinking. It drives a cultural shift, emphasizing that the best time to strengthen cybersecurity is during periods of stability, rather than waiting for a crisis. We must remain vigilant, ensuring cybersecurity always remains a priority.