A new survey by the Institute of Internal Auditors (IIA) found a high level of dissatisfaction in the ranks with how the profession meets the challenge of examining cybersecurity operations, as reported by CFO Magazine.
Less than half of the survey respondents said their teams were doing an adequate job at:
- "Providing assurance over readiness and response to cyber threats"
- "Working collaboratively with IT and other parties to build effective defenses and responses"
- "Ensuring communication and coordination with the organization regarding cyber risk"
The respondents blamed the situation on lack of cybersecurity expertise among internal auditors, lack of communication and cooperation with IT staff and lack of support from executive membership.
The IIA report recommended that auditors
- “Invest more time in building relationships/partnerships with chief information security officers and chief information officers. Lack of cooperation from IT may reflect a weak relationship or concerns about internal audit’s lack of cyber competence.”
- “Invest more time in educating their teams about cybersecurity, including developing an in-depth understanding of the frameworks commonly used in cybersecurity, such as NIST CSF, NIST 800-53, and ISO/IEC 27001.”
Those are fine steps, but in our experience, there’s a root cause to the problems the auditors are experiencing that will never be addressed entirely by investing more time in talking to IT or learning more about cybersecurity frameworks.
What’s also needed is
- A focus on risk – actual loss events resulting in actual dollars lost to the organization – not an exclusive focus on framework compliance and control deficiencies.
- A common language for IT and Audit to talk about risk – in our view, based on the FAIR model, the international standard for cyber risk quantification – that gets both sides (and executive management) speaking in the financial terms that the rest of the business understands.
Going back to the three points above on which auditors rated themselves poorly: a risk-based approach clarifies which threats are worth the readiness and response effort, and a common language helps with working collaboratively with IT and coordinating with the rest of the business.
Of course, it can be a mind shift for some auditors to move away from the principle that security = controls and compliance. But auditors are finding that life gets easier when they can talk about risk and have the data to back up their position. For more insight, take a look at these blog posts by RiskLens professional services team members who came to FAIR from audit backgrounds:
What I Learned Leaving Internal Audit for Risk Management by Rachel Slabotsky
How to Explain FAIR to Auditors by Taylor Maze
RiskLens is the only risk quantification solution purpose built on FAIR, an international standard promoted by the non-profit FAIR Institute. The Institute was named one of the three Most Important Industry Organizations of the Last 30 Years at the prestigious SC Awards 2019.