Is cyber really a top-ten risk? In order to know, each organization needs to conduct and continuously (or close to it) update its cyber risk assessment – within the context of the enterprise risk management program so it can be compared to other sources of business risk.
Many misguided consultants look to internal audit to perform the risk assessment. When will people get it?
Assessing Risk and Updating the Assessment when it Changes is a Management Responsibility!
The role of internal audit is to assess whether management is doing that sufficiently well to drive informed and intelligent strategic and tactical business decisions.
Internal audit should assess whether risk management activities, which include cyber, meet the needs of the organization – in other words, go further than just compliance with policies and regulations.
Yet, one major consulting firm states:
“You need to begin with a thorough and independent assessment of cybersecurity risk. If management has not completed that thorough and reliable assessment of cyber security risk, within the context of enterprise risk and the achievement of enterprise objectives, report a serious risk and control deficiency to top management and the board.”
My response?
One of the very tough challenges with cyber risk assessment is the rapidity of change in threats and vulnerabilities. If cyber is a major source of risk, you need to ensure that the risk assessment is always up to date so you can ensure you have appropriate measures in place, including responses to a breach.
The consulting firm made another serious error when they said: “You need a dedicated multi-year plan that is part of your broader audit plan.”
My response?
Do you seriously think cyber risks and controls won’t change in five years? They may well change in five weeks or less! How can you have a multi-year audit plan these days? Even an annual plan needs to be updated at the speed of risk and the business.
My Approach to Auditing Cyber Includes:
- Has management completed and properly maintained an assessment of cyber risk?
- Is it part of the enterprise-wide management of business risk (i.e., not assessed and managed in a silo)?
- Are those responsible for addressing cyber risk competent and experienced? Are they adequately staffed?
- Do they report at a level that enables them to get management attention and action as appropriate?
- Do they have a sufficient budget and tools?
- Do they talk in business language or in technobabble that management and the board cannot translate into business language?
- If one or more of the above are answered “no”, determine the value of further audit activity.
- A high-level independent risk assessment (don’t spend hundreds of hours) might identify areas meriting an audit because of the clear level of risk.
- Report the cyber risk assessment deficiency immediately to senior management and the board as a serious issue.
- Work with the information security team and operating management to understand where the more serious risks are and incorporate them into the overall audit plan.
- Don’t try to audit every cyber risk at the expense of other and more serious sources of business risk.
- Over time, help management build and maintain acceptable information security activities and practices.
- Ensure management and the board remain informed of the level of risk to enterprise objectives.
In conclusion, internal audit should not be assessing cyber or other sources of risk to drive management decisions. They should be facilitating management’s assessment.
Let me know what you think.
Published in IT Availability & Security