As the digital landscape continues to transform, internal audit is playing an increasingly important role as the third line of defense to help ensure that organizations are cyber secure. Discover four key areas that internal auditors can focus on to make an impact.

Data has become every organization’s most valuable asset — but is also its most vulnerable. Cyber criminals are continually targeting potential weaknesses in your security stance. The consequences of a successful attack can result in costly or irreparable operational, financial, and reputational damage to your organization.

In previous years, we saw a large consumer financial information business suffer a major data breach, which impacted millions of people and resulted in the resignation of both its CEO and CISO. These breaches often result in legal, legislative, financial, and operational implications for financial institutions and other organizations alike. It is becoming extremely apparent that risk management professionals and internal auditors will need support to face the challenge of managing cyber risks.

Here are four key areas that internal auditors can focus on to make an impact as the third line of defense within an organization after management and information security.

Organizations are increasingly recognizing the need for an independent review of security measures and performances.

“Internal audit is one of the few voices that is purposely positioned to go across the entire organization, and it is able to look at how the different parts work with each other and make sure the right information is getting to the right people.” – Internal Auditor Magazine

Internal audit activity can provide senior management with independent and objective assurance on governance, risk management, and controls pertaining to cyber security. This includes assessing the overall effectiveness of the activities performed by the first and second lines of defense (management and information security, respectively) in managing and mitigating cyber security risks.

Focus areas for internal audit should include the relationship between cyber security and operational risk, prioritizing responses and control activities, and performing audits for cyber security risk mitigation across the organization.

Internal audit can help improve the organization’s security posture by looking to:

• Be aware of the board of directors and management’s approach to cyber security policy.
• Identify and act on opportunities to improve the organization’s ability to identify, assess, and mitigate cyber security risk to an acceptable level.
• Ensure cyber security risk is integrated into the organization’s internal audit plan.
• Evaluate the organization’s cyber security program against an industry-acknowledged framework.

When it comes to selecting a cyber security control framework, companies don’t need to reinvent the wheel. Organizations should select a framework that works for them — possibly amalgamating several as one may not fully meet your needs. This is because organizations have differing levels of maturity within their information security program. It is important to adopt a framework which allows an organization to meet some standards but also has room for growth.

Frameworks and compliance standards involving international regulations such as the North American Electric Reliability Corporation (NERC), NIST, ISO 27001, and Payment Card Industry Data Security Standards (PCI DSS) are required to be met in full for an organization to market itself as being compliant. It is often difficult to accomplish this across an entire enterprise network and many security frameworks are not generalized enough to apply to all organizations.

An example of a flexible framework is the Centre for Internet Security’s 18 Critical Security Controls. This framework was originally intended to provide a roadmap for organizations to help protect against cyber attacks. The framework uses 18 different categories, each of which provide increasing levels of controls — from foundational safeguards to advanced security controls and processes. This allows organizations to adopt a framework to a degree which matches their risk appetite.

The following are key questions which internal audit should try to answer to gain an understanding of an organization’s current security posture, risk appetite, and its ability to manage and mitigate any potential cyber threats:

• Who has access to the organization’s most valuable information?
• Which assets are most likely to be targeted?
• Which systems would cause the most significant impact to the organization should they be compromised?
• Which data, if stolen, would cause financial or competitive advantage, legal ramifications, and/or reputational damage?
• Is management prepared to react in a timely manner should a cyber security incident occur?
• Is senior management aware of risks relating to cyber security?
• Are cyber security policies and procedures in place, understood, and followed?
• Has management performed risk assessments to quantify their risk exposure?

An organization’s governance and culture play an important role in managing cyber security risks and influencing cyber resilience. For many boards and regulators, creating a culture of risk management has become an area of emphasis as cyber threats continue to evolve with the digital landscape.

Building cyber resiliency into an organization involves aligning its governance and culture to manage risks and enhance security. This includes creating a governance framework that outlines reporting structures, roles and responsibilities, and accountabilities for cyber security. Organizational culture should align with this governance framework through awareness training, employee behaviours, and active commitment from leadership.

Internal audit can evaluate the alignment of governance and culture through reviewing organizational policies and procedures, assessing employee training programs, and conducting a culture assessment of the organization. This helps to reveal whether the organization’s leadership, structure, policies, and employee behaviours are working together in alignment to create a strong cyber security posture.