
Can you manage technology risk in today’s environment?

October 28, 2017

While this post starts with an internal audit perspective, I close with how the board and top management should address the issue of information/cyber risk.

Protiviti believes, in An Involved and Agile IT Audit Function Is Key to Cybersecurity, that the internal audit team can add significant value when it comes to technology risk.

I tend to agree, but not in the same way that Protiviti suggests.

I do agree with these statements:

High-functioning audit teams help organizations look ahead to identify dangers and opportunities that lie on the road ahead. Getting ahead of the threats, rather than constantly reacting to their consequences, is what it’s all about.

There is a growing recognition that IT auditors need to be involved in the investment, planning, design and implementation phases of new technology projects as well as other, non-technology projects that have the potential to impact an organization’s security risk profile. Additionally, IT auditors should be considering whether their approach to cybersecurity risk assessments (often an annual, point-in-time activity) is sufficient given the rapidly evolving technology and threat landscapes.

I strongly agree with this:

Develop a view of cybersecurity risks focused on business services and outcomes rather than being viewed exclusively through a technology lens.

However, this should not (as implied by Protiviti) be an internal audit responsibility.

In fact, what is missing from the Protiviti piece is any assessment of management's ability to understand technology-related business risks. Protiviti is marketing its own technology risk assessment methodology, which is a blend of top-down (i.e., considering the effect on the business and the achievement of enterprise objectives of a failure relating to technology) and bottom-up (the more traditional IT approach, starting with technology threats and vulnerabilities). I like the Protiviti approach (which is not at all new and should not be presented as such), but I don't see it reflected sufficiently here.

Protiviti errs further, IMHO, when they say:

IT audit functions should ensure their cybersecurity risk assessments and supporting toolkits are designed and deployed to provide timely identification of key risks in an environment of rapidly evolving threats and technologies.

Internal audit should help management do this, with advice and insight, but should NEVER take on this responsibility themselves – or even consider it.

Frankly, I am concerned that most IT and information security functions don’t have the capability to:

  • Understand all the cyber risks their organization faces today and tomorrow in this dynamic and turbulent environment, especially how it could affect the organization, its business, and its enterprise objectives
  • Provide a reasonable level of prevention against cyber-attacks, whether internal or external
  • Ensure breaches are detected PROMPTLY
  • Ensure intruders are expelled PROMPTLY
  • Ensure that they know what the intruders did and can mitigate any damage PROMPTLY
  • Respond to the external stakeholders PROMPTLY and effectively

In the ‘old days’, when I was at times an IT auditor, responsible for information security, and then responsible for the internal audit function, I might have taken a different approach. I was fond of assessing the foundation for information security, including its resources (money and people) and positioning within the organization, policies, and acceptance by the rest of the organization. Then, I and my team would focus on the more significant areas of concern.

But today I would take a different approach.

These are the critical questions I would ask as a member of the board, as CEO, CIO, or as CFO.

  1. Do you (person responsible for information/cyber security, which should include the CEO and CIO) believe we have reasonable security? Is the risk at acceptable levels?
  2. If the answer is yes (which should rarely be the case):
    1. Why? What gives you this assurance? Would you bet your job on it?
    2. How do you know your risk assessment is reliable?
    3. How would the business and our objectives be affected?
    4. What confidence do you have that breaches would be prevented? Why? Is that an acceptable level of confidence?
    5. Do you believe you can keep out the most sophisticated attackers, such as from nation states’ cyber warfare teams? If yes, how? If not, why do you say risk is at acceptable levels?
    6. What confidence do you have that breaches would be detected on a timely basis so damage (including to our reputation) could be mitigated? How quickly would they be detected?
    7. Do you believe our response plan is effective? Why?
    8. Do you believe that we will continue to have effective information/cyber security as threats and techniques change, which they do?
    9. How and when will you communicate any change in the above or any successful intrusion?
  3. If the answer is no:
    1. What are you doing about it?
    2. Do you believe we will have effective information/cyber security within a very short time? If not, why not?
    3. Can we afford to try to do this in-house? Should we go to an external service provider?
    4. How are we addressing the risks this represents to the enterprise and its objectives? Do you know what they all are and do business leaders know?

Internal audit should always be auditing the risks of today and tomorrow – and ensuring that management knows what they are and has appropriate risk assessment and controls in place.

This is not new. Even when I started in IT audit, 40 years ago (OMG), we were performing ‘pre-implementation reviews’ and providing consulting services on major IT projects.

But this is a new world, and we need to re-examine traditional techniques for addressing technology risk.

Before assessing and testing controls, challenge management on whether they believe effective security is in place and why.

The effect of technology failures is simply too great not to.

I welcome your comments.

  1. Sarah
    October 28, 2017 at 11:44 AM

    For me, even the idea of having an IT Audit Team is anathema! IT underpins so many elements of business these days that it is the job of the BUSINESS auditor to understand the IT implications. If they can’t do that, they’re not meeting the fundamental competence requirement for the job. Don’t get me wrong, I understand that there are a few extremely technical areas of audit (such as ethical hacking) and that not every auditor will have the skill for every job; but the segregation of audit teams is one of the siloing issues that contributes to inadequate audit coverage. It’s the business auditors who should be asking questions (about denial of service, corporate espionage, business continuity and disaster recovery, ITGC, critical infrastructure and interfaces) of the system owners and those with whom the risk sits if it manifests… and if their response is that “IT handles it”, or worse “it’s outsourced”, then serious questions should be asked about their governance, risk management and monitoring. Skilled IT Audit resources should be part of the team to ensure that the responses make sense and the operational effectiveness is there, but the vast majority of traditional IT audits can and should be performed by business auditors these days.

    • Norman Marks
      October 28, 2017 at 2:08 PM

      Excellent challenge!

    • October 30, 2017 at 3:45 AM

      Sarah, I would agree that skilled IT resources should be part of the audit team but disagree that traditional IT audits (virus checking, back-up procedures?) should be done by business auditors with no background in IT. Yes, they can ask the questions but they won’t fully understand the answers.

  2. October 30, 2017 at 2:50 AM

    I agree, except about the acceptable level of risk. However, if even the Western defense industry can’t protect itself against the most sophisticated attackers, such as nation states’ cyber warfare teams (see the Chinese copycats of the F22 or F35), why would/should any other organisation? As part of the risk management process, the organisation should define an acceptable level of risk, including threats, and take the countermeasures to reach this level.

  3. Hans Læssøe
    October 30, 2017 at 5:25 AM

    Let us agree that cyber security is not an IT risk, but a business risk. Then – accept that the tech geeks of the IT team probably hold some of the keys to resolving or minimising the exposure – but that an organisation is also likely to need to change several standard business operating procedures to be safe in this new environment.

    IT can be the locksmith that creates a perfect lock – you still have to remember to lock the door for it to be of any use.

    The deployment and proliferation of digitalization in any form is changing our lives as we speak – which will impact our means to safety as well.

  4. Richard Fowler
    October 30, 2017 at 5:39 AM

    Sarah, I agree that more business auditors should become more comfortable with technology. But while the business owns the process and the business systems, they do not own the infrastructure. The servers, routers, firewalls, wireless access points, etc., do not belong to finance or procurement or warehousing or manufacturing. They are “owned” by IT. If I am auditing the general ledger processes, I will ask the process owners about their financial systems and access controls. I would not expect them to know what version of the underlying database and OS, nor would I expect them to know the current patch level.

    We need to define what is included in “ownership” before we audit a process. Maybe we should include a Venn diagram to show process ownership, system ownership, and overlaps between the two as part of each business audit.

