As cyberattacks worsen, Internal Audit is becoming a critical player in enterprise cybersecurity and assurance.
Cyber threats are ever-more voluminous, unrelenting, and sophisticated, scaling in complexity and rapidity alongside every byte of data. From startups to the middle market to global giants, no company is immune. And while most companies understand the imperative to get cybersecurity right, the statistics suggest bad guys are still winning.
Cybercrime will cost the world $10.5 trillion a year by 2025. In recent memory, the SolarWinds attack cost affected companies an average of $12 million, while the global impact of the 2017 Wannacry attack was more than $4 billion.
Against this backdrop, Boards and the C-suite are seeking greater assurances: that the CISO is effectively managing cyber risk, that cyber defenses are keeping up with real-world threats, and that spending on cyber is resulting in materially better digital safeguards.
Enter Internal Audit
Yes, CISOs and CIOs remain in charge and accountable for cybersecurity. But business executives are asking for another layer of meaningful validation, insight, and recommendations. That ask is hitting Chief Audit Executives’ inboxes.
To fulfill the C-Suite and Board’s thirst for greater cyber assurance, Internal Auditors must be positioned to execute more nuanced, complex, and technical cyber audits. That can be challenging for many audit teams due to several barriers:
- Cyber Knowledge and Skills: Internal Audit may not include staff with technical, frontline cybersecurity experience.
- Understanding of Digital Risks and Threats: Audit may not have a clear, cyber-specific picture of what digital assets, systems, and networks need protecting, and from what types of cybersecurity threats.
- Independent Cyber Assessment Capabilities: Audit may not have its own cyber-specific tools, technologies, and methods to properly test and verify the CISO’s cyber controls (i.e., may be overly dependent on CISO team capability and capacity).
- “Cyber-Business Translation”: Audit may not have experience converting complex cyber concepts and jargon into actionable, Board-level, and business-relevant findings. When the Internal Audit department can leverage the practical, tested cyber lexicon that resonates with non-Audit and non-Cyber leaders, both functions win.
Audit leaders have their work cut out. Without deep, technical, and truly independent insight into the cybersecurity program’s capabilities and controls, Internal Audit can’t provide the rigorous assurances the CEO, Audit Committee, and Board demand.
It's time to level-up.
Arming Internal Audit With New Cyber Audit Tools and Approaches
To meet its growing cyber responsibilities, Internal Audit needs approaches that are realistic, technical, and comprehensive – that help audit leaders move from simply checking compliance (do my cyber controls meet generic, prescribed, paper-based attributes?) to evaluating effectiveness (do my cyber controls protect my unique digital assets against the actual threats I face)?
Contrast a basic cyber audit with a leveled-up approach:
Progressive audit leaders are starting to leverage advanced, technical approaches – all rooted in understanding and acting as an adversary – to uncover critical cyber risks and stress-test the effectiveness of cyber programs, capabilities, and controls.
These approaches activate new levels of realism, comprehensiveness, actionability, and defensibility in cyber audits. As such, they help Audit executives confidently communicate cyber findings to the business and Board. They level-up Internal Audit on cyber. The result is stronger, more collaborative security teams, more effective security controls, and better enterprise cyber risk management.
Cyber Audit Sophistication Spectrum
So what are these leveled-up cyber audits, exactly? There are several approaches, which range from less to more technical depth:
- Cyber Controls Diagnostics generate clarity around top-priority cyber gaps by blending open-source cyber threat intelligence, a picture of the business’s “crown jewel” assets, and an inquiry-based review of existing cyber controls.
- Threat Modeling reveals new, actionable insights into a corporation’s threat surface and ability to detect, prevent, and respond to specific, known cyber threats via scenario-based tabletops.
- Penetration Testing is a hands-on-keyboard effort that identifies “low-hanging fruit” vulnerabilities in an organization’s systems, networks, devices, and applications.
- Adversary Simulations emulate known threat actors’ tactics, techniques, and procedures in an attempt to hack the company without its knowledge – revealing how defenses perform against the most realistic of cyberattacks.
The progression of these audits can be visualized as the below illustration:
Individually and collectively, these cyber audits are transformative: from compliance to effectiveness, and from generalized frameworks to specific, real-world insight. By applying these approaches, the Internal Audit team will be ready to provide the CEO, Board, and business with substantially greater cyber assurance.
A Pioneer in Leveled-Up Cyber Audits
From large financial institutions to high-growth tech companies, CrossCountry Consulting is on the leading edge of delivering transformative cyber audits – and helping Audit leaders build sustainable, high-impact cyber audit programs. We converge tip-of-the-spear cyber practitioners with experienced information technology auditors to change the cyber game for Chief Audit Executives and their teams.
To level-up your cyber assurance, contact CrossCountry Consulting today.