Cyber Audits: The Missing Layer in Cybersecurity

Uploaded on 2018-11-02 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

Involving the audit team ensures that technology solutions are not just sitting on the shelf or being under-utilised to strategically address security risks.

There is a broad spectrum of cybersecurity preparedness on the enterprise landscape, but even organisations that are relatively well-resourced and committed to cybersecurity stand to benefit from cybersecurity audits.

There is no question that, in many cases, earlier and expanded input from auditors would have helped organisations that have suffered high-profile cyberattacks from sifting through the financial and reputational damage that ensued.

Cybersecurity audits provide a key, additional layer of assurance to organisations that they are safeguarding the data that has become increasingly essential in driving and transforming virtually every business process.

The audit function is well-positioned to assess the data protection and controls around those business processes. Organisations that have mature security teams in place might figure they have cybersecurity covered, but how is the effectiveness of that security team being evaluated, and who is ensuring that new threats are being considered on a regular basis? Audit teams need to be part of these mission-critical answers.

Unless organisations have robust risk management processes in place, and many do not, there are common gaps in organisations' cybersecurity posture that cyber audits can help identify, most notably insufficient controls around data management.

Not only can cyber audits identify these gaps, they also counteract the tendency for organisations to become complacent and reactive by assuring that risk assessments are being conducted regularly.

People, Processes & Technology

Organisations often miss the mark on cybersecurity when they focus predominantly on the technology components of their programs rather than looking at people, processes, and technology in a more overarching way.

Involving the audit team in cybersecurity helps make sure that the attention is not just on technology implementations; auditors also can identify instances when technology solutions are sitting on the shelf or being underutilized, rather than being deployed to strategically address security risks. Additionally, audits can help evaluate critical challenges such as coverage models, skill sets, training, and gaps in key resource capabilities.

When organisations are astute enough to turn to their audit teams for cybersecurity support, auditors must be prepared to deliver value, aligned to the speed of their business. Just as the businesses that auditors support, are rapidly transforming, the audit groups must follow suit.

This can be challenging, considering many IT auditors received much of their professional training many years ago, when the word cybersecurity did not command the attention it does today, and before transformative technologies such as artificial intelligence, connected Internet of Things devices, and cloud-based platforms were so prevalent and impactful.

Here's the good news: There are many more educational and training resources available today than 20 years ago, when I began in IT audit.

Despite time and budget constraints, it is incumbent upon auditors to pursue the appropriate training and credentialing to transform their organisations, refresh their skill sets, and obtain the auditing cybersecurity acumen needed to become integral to their organisation's cyber programs.

With few exceptions, enterprises depend upon their technology more than ever to swiftly deliver value. Reliance upon effective and secure technology deployment has spread well beyond a centralised IT department.

Having the needed controls in place to contend with an ever-growing array of threats, risks, and vulnerabilities can be the difference between thriving and floundering in today's digital economy. With so much at stake, enterprises cannot afford to take any shortcuts. Activating the additional line of sight that the audit function is uniquely equipped to provide can make all the difference.

Dark Reading:                       Image: Nick Youngson

You Might Also Read: 

Cyber Security is Now Business Critical (£):

4 Steps Toward A GDPR Compliance Audit:

 

« Machine Learning & Big Data - Where You Least Expect It
How Cybersecurity Threats Are Growing Investments »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

HPE Aruba Networking

HPE Aruba Networking

HPE Aruba Networking, a Hewlett Packard Enterprise company, is a leading provider of next-generation network access solutions for the mobile enterprise.

British Assessment Bureau

British Assessment Bureau

The British Assessment Bureau is an ISO certification body. We check conformity and compliance of companies to recognised ISO standards including ISO 27001.

European Cybercrime Training and Education Group (ECTEG)

European Cybercrime Training and Education Group (ECTEG)

The primary aim of ECTEG is to enhance the coordination of cybercrime training, by identifying opportunities to build the capacity of countries to combat cybercrime

Argus Cyber Security

Argus Cyber Security

Argus is the world’s largest automotive cyber security company, protecting connected cars and commercial vehicles from hacking.

National Cybersecurity and Communications Integration Center (NCCIC)

National Cybersecurity and Communications Integration Center (NCCIC)

NCCIC is a cyber situational awareness, incident response, and management center for the US Government, intelligence community, and law enforcement.

Phirelight Security Solutions

Phirelight Security Solutions

Phirelight empowers an enterprise to easily understand how their networks behave, while at the same time assessing and managing cyber threats in real time.

Vysk Communications

Vysk Communications

Vysk is an award-winning mobile security firm that has developed the world’s most secure system for voice communication.

Elysium Analytics

Elysium Analytics

Elysium Cognitive Security Analytics delivers the latest and most flexible security system to reduce cost and complexity while providing unmatched scalability.

CyberClan

CyberClan

CyberClan’s carefully selected team of experts is capable of solving complex cyber security challenges – keeping your data secure and your businesses running as usual.

RhodeCode

RhodeCode

RhodeCode is an open source repository management platform. It provides unified security and team collaboration across Git, Subversion, and Mercurial.

SecureWorx

SecureWorx

SecureWorx are a secure multi-cloud MSP, a provider of advanced IT security services and an independent cyber security advisory.

Sovrin Foundation

Sovrin Foundation

The Sovrin Foundation is a private-sector, international non-profit that was established to govern the world's first self-sovereign identity (SSI) network.

DataFleets

DataFleets

DataFleets is a privacy-preserving data engine that unifies distributed data for rapid access, agile analytics, and automated compliance.

Prosperoware

Prosperoware

Prosperoware develop software for cybersecurity, privacy, and regulatory compliance for content systems, and financial matter management.

Ipstack

Ipstack

Ipstack offers one of the leading IP to geolocation APIs and global IP database services worldwide. Protect your site and web application by detecting proxies, crawlers or tor users at first glance.

Casepoint

Casepoint

Casepoint is the legal technology platform of choice for corporations, government agencies, and law firms to meet their complex eDiscovery, investigations, and compliance needs.