
Cyber Risk and Audit

Clearly, this is the topic of the day, if not the year and decade.

The leader of Protiviti’s IT audit practice, David Brand, has weighed in with “Ten Cybersecurity Action Items for CAEs and Internal Audit Departments”.

He has some valuable ideas that merit consideration, not only by internal auditors, but by security professionals, boards, risk officers, and more broadly among the executive group.

I will let you read his post and suggested action items.

But, as usual, I do have comments.

For a start, the three areas of risk that Brand lists do not top my personal list.

His list does not include the ability of a cyber attack to shut down the company!

When I was at Tosco, an oil and gas refining company, I engaged what was then Anderson (the people are now with Protiviti) to perform some ‘white hat’ intrusion testing. They were able to obtain root level access in one of our refinery’s control systems. That access would have permitted them to change temperature and/or pressure settings that could have led to a fire, explosion, and loss of life. The damage would have shut down the entire refinery, probably leading to the demise of the whole company.

We know that hackers from nation states and others might be interested in attacking our infrastructure systems, again causing catastrophic damage and huge financial loss. Certainly, they might be interested in taking actions that could cause a financial institution to be unable to service its customers.

No wonder the Federal and other governments worry about cyber!

Turning to his ten suggestions, I would prefer greater emphasis on his last point – staffing and resource shortages.

If I were on the board, or helping management assess cyber risk, I would be most concerned about whether the management team has the personnel with the appropriate level of experience and insight to understand cyber risk and adapt as the threats change. I would be concerned about whether they have the budget necessary as well as the influence with management to (a) understand the business risk, and (b) influence them to take necessary actions.

I would also like to see greater emphasis on considering cyber-related risk as new technology is implemented. Before, rather than after the fact! Are the information security personnel appropriately involved when new mobile devices and applications are considered, when Artificial Intelligence and Machine Learning uses are planned, or when the Internet of Things will be leveraged?

I agree with Protiviti that board engagement is important. But I would prefer to see them focus their attention on whether management has the capability to manage the risk rather than see them get their fingers into the pie, trying to manage the risk themselves.

So, some useful tips but not, IMHO, a complete list.

What do you think?

  1. Gary Lim
    May 14, 2016 at 4:23 AM

    Generally agree with the views. I notice that the IT Manager can be in an ego stage of telling other management staff that everything is in order; this is something not many are able to challenge because we lack the knowledge. The white hacker is an excellent idea.

  2. May 14, 2016 at 12:04 PM

    Norman and Gary, I agree with your comments. I think the Protiviti points are a rather random list and my list of actions would be:

    1. Ensure IA has staff who are capable of asking the relevant cybersecurity questions and understanding, and verifying, the answers.
    2. Examine IT management’s work on determining objectives, identifying associated risks and introducing controls; this includes Protiviti points 6 and 7. Not much point in doing points 1-4 until this has been done.
    3. Using the results from 2, take appropriate action to report, educate and test further (incorporates other points).

    I’ve written the above and I’ve suddenly realised I don’t know what the definition of cybersecurity is! The Protiviti report doesn’t define it. Wikipedia defines it: ‘Computer security, also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.’ So, under this definition, it’s good old IT security! So I disagree with the point made in the Protiviti report that, ‘Cybersecurity has graduated from an IT risk to a strategic risk’. I’ve been around since 80 column punched cards were used for input and it’s been a strategic risk for all of that time. The report states only 73% of IA departments include cybersecurity as part of their audit plan, which suggests that a quarter of IA departments haven’t got a proper plan.

  3. Bruce Levinson
    May 17, 2016 at 6:20 AM

    Getting top management commitment and mindset is most crucial. Measuring threat impact to be at its worst. Using Underwriters Lab to oversee with responsibility to test and maintain is great as they too are most stringent. Hiring a PM with possible military background as well as 10-20 years knowledge of IT should all together be successful.

  4. Alex
    June 6, 2016 at 7:48 AM

    This is pretty much terrible. It feels completely disenfranchised from actual security, and heavy on governance of cybersecurity which really doesn’t seem like a 3rd line of defense job.
