
How much cyber risk should you take?

I have been spending a fair amount of time over the last few months talking and listening to board members and advisors, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who sit on the audit and/or risk committee, are concerned about cyber and the risk it represents to their organization. They are concerned because they don’t understand it – or the actions they should take as directors. The level of concern is high enough that they attend conferences dedicated to the topic rather than relying on their own organization to inform them.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses, and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated, and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer, and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber, given the level of risk and the competing need for those same resources in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over it and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I welcome your thoughts, perspectives, and comments.

  1. May 25, 2015 at 2:44 AM

    How many IT auditors do you have in your internal audit department with at least 3 years of programmer/analyst experience studying for/with ISACA qualifications?

    There’s no point in having good intentions about how much coal you can mine if you have no miners at the coal face.

    Other questions:
    Is your IT operation outsourced? If so, are you asking your outsourcer the above questions?

    If you want detailed questions which will quickly provide a measure of cyber security:
    Can the database administrators read your private e-mails and correspondence?
    How many people have this level of access?

  2. Kaya Kwinana
    May 26, 2015 at 8:52 AM

    As a matter of interest, Norman, what answer would satisfy you as an internal auditor?

    As for me, I would only be satisfied if my work enabled me to report that throughout the organisation, adequate and effective governance, risk management and control processes were being implemented, as required by Std 2100, “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”

    The mandatory IPPF guidance articulates two more detailed expectations of internal auditors regarding information technology:

    “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.” Std 1210.A3

    “The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.” Std 2110.A2

    In the context of Std 2100 and the totality of the mandatory IPPF guidance, the above two standards demonstrate the danger of being more detailed than one needs to be.

    The CIO and CISO should surely be expected to know more than the internal auditor about not only “key information technology risks and controls”. If this were not the case, then the organisation’s recruitment processes have dismally failed it. Anyway, who would determine what risks are key and which not? I hope not the internal auditors as that is a management responsibility.

    Regarding information technology governance, one has to ask, what about other aspects like security management, user access management and IT service continuity?

    I submit, therefore, that cyber risk concerns are effectively and efficiently addressed by the internal auditor simply through conformance to Std 2100 and by the organisation implementing adequate and effective governance, risk management and control processes.

    The beauty of the scope of internal auditing, as expressed in Std 2100, is that internal auditors are forced to operate at the appropriate level, not too general and not too detailed. Internal auditing would never ever be able to focus on all individual risks or risk types. Even requiring that such risks be significant risks (or risks that matter) would entail the internal auditor assuming management responsibility by determining which risks are significant and which are not.

    At any given moment, there would be a risk which has not been identified yet. Whether that risk is significant or not cannot be known before it is identified, assessed and its significance determined. This is why an internal audit focus on risks is a futile exercise which only provides the appearance of progress. It is much better to focus on the governance, risk management and control processes as required by Std 2100.

    Risk types, whatever they are, should not be viewed in isolation but as intrinsic parts of any organisational objective, continually, as a matter of course, throughout the organisation.

    • Norman Marks
      May 26, 2015 at 8:56 AM

      Kaya, I respect your right to your opinion and interpretation of the Standards.

