Cybersecurity risks seem to be expanding exponentially. Business Email Compromise schemes are among the fastest-growing financial crimes. Ransomware attacks are crippling hospital systems, disrupting manufacturing and retail operations and supply chains and threatening our critical infrastructure. Personal identifying information is being harvested millions of records at a time from credit bureaus, government agencies, financial services companies and others. And our displaced workforce has created new vulnerabilities in which the lines between network security and the softer targets comprising the many millions of home offices have forever been blurred.
Cybersecurity is at the top of most organization’s list of critical risks and is often cited by C-suite executives and board members as their biggest concern. Threats this complex and amorphous require strong partnerships inside of the organization. At first glance, cybersecurity and internal audit would seem to have very little in common or little need to interact with one another. Indeed, that’s probably still the case in many organizations.
FTI’s Head of Cybersecurity for the Americas Jordan Rae Kelly and I recently spoke with chief audit executive Karen Albert and chief information security officer Stephen Davis who have taken a different approach.
Increasingly boards and audit committees have been looking to internal audit to play a leading role in managing cyber risks by helping the board and the audit committee to assess digital risks and the sufficiency of the organizations mitigating cyber risk. I asked Karen to explain how she and Stephen ending up forging such a cohesive working relationship.
As it turned out, Karen participated in the process of interviewing and selecting the next CSO. She took the opportunity to understand each candidate’s perspective and relationship with the internal audit function at other organizations. Steven answered those questions very well, and when he joined the company, he and Karen immediately began to work closely with one another.
What helped propel that collaboration was the board and audit committee’s requirement for visibility and regular status updates about the cybersecurity program.
Risk assessments are the foundation of a broad spectrum of risk mitigation efforts. Stephen explained that his team uses cyber risk assessment to establish benchmarks and program objectives for both cyber and internal audit. Given the importance of cybersecurity to the board and the audit committee, it was critical for cybersecurity and internal audit to be working in lockstep. There was a time when CSOs and Chief Audit Executives operated independently of one another, but times have changed.
CSOs need to have the same trusting, mutual relationship with the internal audit function as they do with their vendors because whether a CISO understands it or not, internal audit is a critical line of defense for the business.
Stephen and Karen explained that their partnership has thrived because they have maintained open lines of communication that are transparent and collaborative. The two consider their partnership to be central to the success that the cybersecurity program has experienced in their organization.
Internal audit is somewhat of an enigma in every organization. They are critically important partners to the business and yet must remain independent from other parts of the organization so they can maintain their objectivity. Karen explained that they have established an ongoing assurance program that entails continuously monitoring the strategy and operating effectiveness of the cyber program. Part of how she has maintained that independence is through the use of an external, co-sourcing relationship for internal audit professionals who have cybersecurity subject matter expertise. Stephen sees the value in the work and how important it is for internal audits to remain independent and credible. He sees it as an enabling process that can help identify and remove any obstacles that may inhibit the program’s success.
Auditing cybersecurity is not without its challenges. One challenge is that internal audit is often called upon to audit highly technical areas that may be outside of the typical internal auditor’s skillset. This is why many internal audit departments have open-ended co-sourcing agreements with consulting firms. These relationships enable internal audit departments to leverage the deep expertise of cyber professionals and avoid the challenges of having to hire and train those resources. The use of this strategy extends well beyond cybersecurity and includes manufacturing reviews, and other complex operational and compliance audits.
It used to be that many network intrusions and data breaches were committed by trusted and sometimes unwitting insiders. External hacking has matured, and technological exploits have become far more sophisticated. The axis has shifted towards external threat actors. The world has seen a fair share of downstream exploits because of weak procedures, technological or security controls from third-party vendors. Some of the recent, high-profile data breaches have exploited vendor vulnerabilities that have a downstream impact on consumers. There is no hundred percent bulletproof solution that will prevent these types of exploits, but cybersecurity programs can leverage internal audits to enhance SOC reviews and design and implement third-party vendor risk management oversight programs. These initiatives provide some assurances and enhanced visibility into the cybersecurity programs of critical vendors.
Not that long ago, we went from never talking about the three lines of defense to the point now when we never stop talking about the three lines. As a reminder, internal audit is the third line. The CISO is part of the second line along with other IT and risk management functions. And the first line is the business itself and IT operations It is critical to capture the hearts and minds of colleagues within the business to raise awareness. Not just of the existence of the cybersecurity program but the evolving threats and each individual’s role within the first line of defense in identifying and responding to those threats. This is another area for internal audit and cybersecurity to collaborate toward a common goal of reduced cybersecurity vulnerability. Without that collaboration, any awareness program is far less likely to be successful. Global awareness programs, cybersecurity training and phishing simulation exercises are all important components of an effective cyber awareness program.
Chief Audit Executives who work in partnership with their Chief Information Security Officer counterparts are a proven formula for improved cyber resiliency, board transparency and an organizational culture that is aware of the rapidly changing cyber threats pose dangers to the organization and the important role that each of us plays in keeping those risks out.
To hear the full Fraud Eats Strategy podcast episode with Karen Albert, Stephen Davis and Jordan Rae Kelly, click here.
Note: The postings on this site are my own and do not necessarily represent FTI Consulting’s positions, strategies, or opinions