Less than half of the survey respondents said their teams were doing an adequate job at:
The respondents blamed the situation on lack of cybersecurity expertise among internal auditors, lack of communication and cooperation with IT staff and lack of support from executive membership.
The IIA report recommended that auditors
Those are fine steps, but in our experience, there’s a root cause to the problems the auditors are experiencing that will never be addressed entirely by investing more time in talking to IT or learning more about cybersecurity frameworks.
What’s also needed is
Going back to those three points above that auditors rated themselves poorly on, a risk-based approach clarifies which threats are worth the readiness and response effort...and a common language helps with working collaboratively with IT and coordinating with the rest of the business.
Of course, it can be a mind shift for some auditors to move away from the principle that security = controls and compliance. But auditors are finding that life gets easier when they can talk about risk and have the data to back up their position. For more insight, take a look at these blog posts by RiskLens professional services team members who came to FAIR from audit backgrounds:
What I Learned Leaving Internal Audit for Risk Management by Rachel Slabotsky
How to Explain FAIR to Auditors by Taylor Maze
RiskLens is the only risk quantification solution purpose built on FAIR, an international standard promoted by the non-profit FAIR Institute. The Institute was named one of the three Most Important Industry Organizations of the Last 30 Years at the prestigious SC Awards 2019.