Mobilizing a Cyber Risk Strategy

As businesses and governments focused on establishing or expanding their online presence, it sparked a change in traditional business models and supply chains, with digital transformation becoming a must-do to survive. New mobile apps and online services appearing during 2020 and 2021 covered a broad range of human interaction — from food delivery and shopping, to entertainment, to doctors’ visits (telehealth). 

As a result, the digital footprint of most homes and businesses — the record of their online activities — expanded by a factor many times larger than before COVID-19. Figures from the International Trade Administration offer some perspective: As a result of the pandemic, global e-commerce revenue grew by 28% in 2020 and 34% in 2021, compared to the forecast growth rates of 9% and 12%, respectively.

In the face of such growth, organizations have struggled to secure their digital assets, with cybersecurity investment lagging behind digital transformation investment. All of this has led to a cyber-risk gap, as organizations try to secure their resources with the same level of cybersecurity investment as in the pre-COVID era. The rise of successful and damaging cyberattacks in the past four years bears witness to this gap.

To address this issue, internal auditors have begun looking at cyber risk as not just an IT risk but a business risk. Audit functions have shifted focus from auditing the usual suspects of IT hardware and software to auditing critical business activities that rely on technology. To be successful, internal audit needs buy-in and involvement from the C-suite and senior business leaders, as well as other team members who can help the organization understand the consequences posed by a cyberattack. 

Gathering the Team

Over the last four years, cyberattacks have surged, disrupting daily business operations, causing reputational damage and loss of clientele, and resulting in significant impacts to organizations’ profits and operations. In the Allianz Risk Barometer 2023 survey, cyber incidents and business interruption tied for the “most important global business risk” for the second year in a row, each garnering 34% of the vote among risk professionals.

While many organizations now consider cyberattacks to be a business risk, the management and audit of cyber risks is still approached as a topic for the IT department and often not assessed in terms of other business drivers.

Although internal audit does need to continue to consult with operations and IT staff, it must throw a much wider net to include executives and specialists from legal, compliance, human resources, public relations, and business continuity. This enables the audit function to have a more holistic understanding of the organization’s cybersecurity strategy and risks. To assess the cyber risks, internal audit needs to understand what is likely to be attacked and why; how an attacker might strike; how a cyberattack could affect business operations; and what might be the reputational and financial impacts of an attack.

Shaping the Cybersecurity Landscape

There are different ways to conduct a cybersecurity audit. Some audits review technical IT controls, while others focus on compliance with cybersecurity standards or frameworks. A more optimal approach combines a strategic review of business, operational, and IT risks with a structured control methodology based on an authoritative cybersecurity framework. Internal audit can do this by reviewing the organization’s cybersecurity strategy or cybersecurity plan, in addition to the usual IT and technical controls.

Stratify cyber risks. A first step in understanding the organization’s cybersecurity strategy is to classify its cyber risks. To do this, internal audit needs to interview leaders and review company business strategies to understand the organization’s risk tolerance in relation to its goals and vital functions. The business units that enable current and future business operations — in particular, those that rely on technology and data — are where the cyber risks will be concentrated. This will be different from organization to organization. For instance, the cyber risks will be quite different between an organization that stores its data on premises versus one that stores its data in the cloud. 

Identify the “crown jewels.” To determine the organization’s most crucial technology assets, internal audit must first consider how the organization could be damaged by a cyberattack. It must then identify the business operations that are most important and therefore key to keeping the organization up and running. These key operations in many cases will rely upon technology in some way. For example, organizations may rely upon technology for their financial transaction systems, order processing systems, manufacturing systems, or data analytics systems. 

Next, internal audit should identify the sensitive data; the systems that store, transmit, and process this data; and the underlying network and hardware infrastructure that keep the key business operations functional. These are the crown jewels — a combination of data, software, and hardware. No expense should be spared in protecting these assets.

Adopt a cybersecurity standard. The two established global cybersecurity standards should be the foundation for a cybersecurity audit program. Adopting either the U.S. National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework or ISO/IEC 27001 Information Security Management Systems can help auditors define the control objectives for their program. Of note, NIST provides a framework for auditing the five critical elements of a cybersecurity strategy, which are identify, protect, detect, respond, and recover. 

Covering More Ground

To go beyond the traditional IT audit focus, internal audit should review the full range of cyber risks across the enterprise. Specifically, there are six business domains that a cybersecurity audit should cover. 

Leadership and Governance. Within this domain, internal audit assesses whether management is demonstrating due diligence, ownership, and effective risk management. Audit objectives should begin with understanding how management has defined ownership of its cyber risk program, the governance structure for cybersecurity roles, and responsibility for each business function.

Internal auditors should look at how management has defined and identified its sensitive data assets. Further, they should review how management has inventoried third-party supplier relationships and assess the organization’s current cybersecurity capabilities. Management should define a cybersecurity strategy and approach for how much investment should be made in terms of people, process, and technology. Finally, auditors should understand how the board and executive management are educated on current cybersecurity concerns and cyber risk management solutions.

Human Factors. In this second domain, internal audit should assess the level and integration of the security culture and whether it empowers and ensures the right people, skills, culture, and knowledge. The culture and expectations should be defined and supported by training and awareness programs, and the organization should have personnel security measures in place. Moreover, auditors should determine whether the organization has defined its talent management and developed specific learning paths for key personnel. For instance, IT personnel should not be asked to perform both IT and cybersecurity roles without adequate specialist training.

Information Risk Management. The third domain focuses on how well the organization achieves comprehensive and effective risk management of information for itself and how it ensures these standards are upheld by delivery and supply partners. Internal auditors should assess how the organization identifies and communicates risk tolerance. It is important to review how management has linked identified cyber risks to each sensitive data asset, the robustness of the risk assessment methodology, and the metrics used to measure risk. Additionally, internal auditors should look at how management assesses third-party supplier accreditation for the supply of IT systems, hardware, software, and managed IT services. 

Business Continuity and Crisis Management. Within this fourth domain, internal audit should ensure the organization is prepared for a security event and can prevent or minimize the impact through successful crisis and stakeholder management.

This involves looking at how management assesses its ability to manage cyber incidents and whether it performs an analysis of operational risks and financial requirements that may occur because of an attack. 

Management should have robust business continuity plans based on different cyberattack scenarios. For example, the response to a ransomware attack is different from the response to a denial of service attack where key IT systems and infrastructure are taken down by attackers, causing operational disruptions or massive system downtime. Internal auditors must understand how resources have been assigned and trained to execute the business continuity plan for cyberattack scenarios. A written plan is insufficient unless all personnel are trained in their respective roles and responsibilities. 

Moreover, it is important that management regularly tests the business continuity and crisis management plans. Internal auditors should understand how the crisis management plan integrates with corporate communications, as one of the best ways to prevent reputational damage in a crisis is by planning how to handle queries from the media, regulators, the board, employees, and other stakeholders.

IT and Operations. In this fifth domain, internal audit assesses how control measures are implemented to address identified risks and minimize the impact of compromise. Audit objectives for this domain begin with reviewing how management has cataloged all relevant cybersecurity compliance requirements and linked those requirements to cyber controls within the organization. It is important to include all risk relating to technology, privacy, data governance, third parties and outsourcing, business continuity, and security regulations when assessing this domain.

Internal audit should review how management performs threat and vulnerability management and security operations monitoring, both of which are crucial to prevent and detect potential pathways for cyberattacks. By assessing cyber-incident response capabilities, auditors can help the organization determine if it would be more advantageous to retain a third-party provider with proven expertise.

Another audit objective is to understand how the IT department builds systems and whether program code is written under a secure software development life cycle. Finally, auditors should review whether the cybersecurity activities are integrated with the broader IT service management activities, or whether IT and cybersecurity capabilities are running in operational silos.

Legal and Compliance. Internal audit should consider which regulatory and international certification standards are relevant to the organization’s sector.

Audit objectives for this sixth domain begin with understanding how management has selected and implemented an IT control framework and implemented logical and physical security controls. Additional audit considerations include whether cybersecurity is formalized as a standing agenda item for the audit committee, whether management is monitoring litigation and cyber event trends, and whether the organization needs cyber insurance.

Making the Cut

The cybersecurity strategy of organizations must evolve to address the business risks introduced by digital transformation, remote working, and escalating cyberattacks from a larger digital infrastructure. Cyber risk knows no boundaries and permeates across business, operations, and IT functions, but internal auditors can play a role in breaking down barriers between departments.

Auditors can help promote “cyber resilience by design,” wherein good security controls are built into systems and processes from the start, rather than bolted on during or after the development phase. The board should make itself accountable to fostering this culture by ensuring that cyber risks are understood, cybersecurity plans are well-designed, and coordination among teams is effective.

The pandemic has forced organizations to question the assumption that their supplier and partner ecosystem is operating as normal. Organizations need to revise and test resilience planning processes, equipping crisis management teams with the skills to manage under intense pressure. Organizations need to review the definition of a worst-case scenario in this new reality and take an “assumed breach” mindset. This means that everyone should understand that a cyberattack is imminent, and plan ahead and be ready for when an attack happens — the secret to becoming a cyber-resilient organization. 

IIA Resources:

Auditing the Cybersecurity Program Certificate
Fundamentals of Cybersecurity Auditing
Assessing Cybersecurity Risk: The Three Lines Model