Cyber Risk and Audit
Clearly, this is the topic of the day, if not the year and decade.
The leader of Protiviti’s IT audit practice, David Brand, has weighed in with “Ten Cybersecurity Action Items for CAEs and Internal Audit Departments”.
He has some valuable ideas that merit consideration, not only by internal auditors, but by security professionals, boards, risk officers, and more broadly among the executive group.
I will let you read his post and suggested action items.
But, as usual, I do have comments.
For a start, the three areas of risk that Brand lists do not top my personal list.
His list does not include the ability of a cyber attack to shut down the company!
When I was at Tosco, an oil and gas refining company, I engaged what was then Anderson (the people are now with Protiviti) to perform some ‘white hat’ intrusion testing. They were able to obtain root level access in one of our refinery’s control systems. That access would have permitted them to change temperature and/or pressure settings that could have led to a fire, explosion, and loss of life. The damage would have shut down the entire refinery, probably leading to the demise of the whole company.
We know that hackers from nation states and others might be interested in attacking our infrastructure systems, again causing catastrophic damage and huge financial loss. Certainly, they might be interested in taking actions that could cause a financial institution to be unable to service its customers.
No wonder the Federal and other governments worry about cyber!
Turning to his ten suggestions, I would prefer greater emphasis on his last point – staffing and resource shortages.
If I was on the board, or helping management assess cyber risk, I would be most concerned about whether the management team has the personnel with the appropriate level of experience and insight to understand cyber risk and adapt as the threats change. I would be concerned about whether they have the budget necessary a well as the influence with management to (a) understand the business risk, and (b) influence them to take necessary actions.
I would also like to see greater emphasis on considering cyber-related risk as new technology is implemented. Before, rather than after the fact! Are the information security personnel appropriately involved when new mobile devices and applications are considered, when Artificial Intelligence and Machine Learning uses are planned, or when the Internet of Things will be leveraged?
I agree with Protiviti that board engagement is important. But would prefer to see them focus their attention on whether management has the capability to manage the risk rather than see them get their fingers into the pie, trying to manage the risk themselves.
So, some useful tips but not, IMHO, a complete list.
What do you think?