On the Frontlines: A 360-Approach to Cyber Risk
The Institute of Internal Auditors, Mar 07, 2023
Internal Auditor recently spoke with Brenda Bjerke, senior director of cybersecurity at Target, to learn more about the present cyber risk landscape and how it most impacts the internal audit profession.
Has increased digitization made cyber risk a more pressing threat to organizations?
Technology is changing at a faster pace than ever. Today, we commonly shop on our phones, work remotely, and leverage smart devices like alarm systems or thermostats for our homes. These advances have created incredible conveniences, but along with those personal benefits, the cyber risks have shifted, creating new and more sophisticated threats to be managed.
How can CAEs build teams with well-informed professional judgement to help mitigate cyber risk?
I often coach my team to put themselves in the mindset of others. Think like a hacker; what tactics might I take as a hacker? Think like an engineer; how do I prefer to work? The team must understand security, threat intel, the tech stack, the business segment, and more. Keeping current with shifts in tactics, technology, regulations, and industry expectations helps to ensure the team stays knowledgeable in a world where cyber risk is constantly changing.
What are some key aspects of an effective threat-focused cyber risk program?
It’s critical to understand your business when thinking about threats. For example, what applies to retail might not be the same as another industry. We have a great relationship with our threat intelligence team, and they help us to understand the biggest threats facing retail and our specific business. Our cyber risk team acts upon that threat information by integrating it into our programs. This can take the form of creating a new test phish email with one of the latest tactics, adding a new vendor security question, or creating new customized training for a specific area of the company.
How can the internal audit function demonstrate the risk of cyber threats to employees and create a more risk-aware culture?
Security is everyone’s responsibility. However, building a strong security culture requires employee awareness and making it easy to do the right thing — from reporting a phish to collaborating with another team. Of course, internal audit values going deep, so we will proactively share our annual control testing plans for their visibility. We have a strong partnership with our internal audit team and work closely to ensure they attend key cyber meetings. Joining information sessions like threat intelligence briefs, incident response exercises, and other security training sessions can be invaluable to understanding the context behind the risks.
Do you see cyber risk continuing to accelerate in the coming years? If so, how can internal auditors ensure they’re staying ahead of the curve?
As we’ve seen over the past few years, how we work and function in our personal lives has completely changed because of technological advances. As cyberthreats continue to shift and evolve, we must be vigilant and employ different tactics to address them. Threats will vary by industry, but digital threats are big business, and our work is becoming more complex. It’s important to focus on the threats that are most likely to impact your business.
To help educate internal auditors about the implications of cyber risk, Bjerke will be presenting a session on “Cyber Risk Excellence: Going Beyond Framework and Requirements” at The IIA’s 2023 General Audit Management (GAM) conference on March 13. This topic is among the more than 30 informative and engaging sessions designed to keep internal audit leaders abreast of the biggest changes in the profession and provide actionable information on how best to navigate and stay ahead of global trends.