Norman Marks recently published an insightful take on why internal audit fails at many organisations. It is informed by a recent PwC survey, which found that:
“about half of internal audit’s key stakeholders (board members and top executives) do not believe that internal audit is either delivering the value it should or addressing the risks that matter.”
This is my cyber security perspective, and I use the term ‘cyber’ with caveats (it is 80% buzzword, but it handily encompasses information security plus the ‘new’ risks often hyped to scare up security product and consultancy sales).
Internal audit (and therefore the audit committee) is just as much in the dark as the rest of the world when it comes to prioritising and sizing security-related risks. It may sound like a newsflash, but it isn’t. Why do all but a handful of firms lack a quantifiable handle on ‘cyber’ risks? Because the historical, good-quality bulk data needed to assess those risks properly is only just becoming available.
You can’t estimate the likelihood of rolling a six from 10 throws of the dice, and the fallout from your previous car accidents (if you’ve even had one) is no help in predicting how badly things might go next time. Likewise, your local cyber incident data, plus what you can read about newsworthy breaches, is not enough to indicate future risk.
Yes, that applies even to cyber insurers. They may be unwittingly offering good or bad deals at the moment. They don’t know, because they don’t yet have the statistics to build even semi-accurate actuarial models.
While these challenges exist, audit still has a job to do, and all too often the result is a gold-plated wish list of controls, prompted by security headlines that grabbed the board’s attention. Audit can’t be a ‘critical friend’ if it has no benchmark for ‘good’ or ‘low’ risk, and believe me when I say that practitioners with the wide and deep security experience needed to ‘do’ cyber risk are not usually found in the audit function.
Is all lost? No. Things are improving, but while we operate in a world where security heads don’t have the same credibility with the board as audit does, inexpertly drawn lines in the cyber risk sand, stamped with an immovable red audit rating, serve no one’s interests.
Security functions have a part to play, by improving their own risk management and their relationships with the board, but audit functions need more humility. Just like a new manager taking over a role outside their own expertise, they need to work with SMEs to understand what is important before calling the shots. If it is the board pushing for answers that are not easy, or not currently possible, to provide, expectations need to be managed jointly by both functions.
If the impossible is demanded, for whatever reason, you will probably have a political credibility war on your hands, further blocking sorely needed security education and progress on risk mitigation.
Perhaps audit functions can learn from the experience of cyber insurers, another group that has traditionally had an antagonistic relationship with the recipients of its services.
Insurers are now inviting collaboration to make premiums reflect clients’ cyber risk reality, as discussed in this article by Natalie Lehr and Nick Fearon:
“This becomes a virtuous circle situation for the insured, as it gets the benefit of reduced premiums after risk maturity has been measured, which allows the company greater insight and the ability to be proactive about reducing security risks.
For decades, the bargaining power has been with the insurer. With a revised approach, and in keeping with the demands of today’s cyber landscape, the relationship between insurer and insured has become collaborative as both sides work together to identify and mitigate risk”.
What do you think?
Originally posted on LinkedIn where you can find comments to date