
Wednesday, 17 Dec , 2014

Why Auditors Can Fail Security



Norman Marks recently published an insightful take on why internal audit fails at many organisations, informed by a recent PwC survey:

“about half of internal audit’s key stakeholders (board members and top executives) do not believe that internal audit is either delivering the value it should or addressing the risks that matter.”

This is my cyber security perspective and I use the term ‘cyber’ with caveats (it is 80% buzz-word, but handily encompasses information security, plus ‘new’ risks often hyped to scare up security solution and consultancy sales).
Internal audit (and therefore the audit committee) is just as much in the dark as the rest of the world when it comes to prioritising and scaling security related risks. It may sound like a newsflash, but it isn’t. Why don’t all but a handful of firms have a quantifiable handle on ‘cyber’ risks? Because the quality historical bulk data needed to effectively assess those risks is only just becoming available.
You can’t predict the likelihood of rolling sixes from 10 throws of the dice, and the fallout from your previous car accidents (if you’ve even had one) is no help in predicting how wrong things might go next time. Likewise, your local cyber incident data, plus what you can read about newsworthy breaches, is not enough to indicate future risk.
Yes, even for cyber insurers. They may be unwittingly offering good or bad deals at the moment. They don’t know, because they haven’t got the statistics to build even semi-accurate actuarial models as yet.
While these challenges exist, audit still has a job to do, and all too often the result is gold-plated wish lists of controls, prompted by security headlines that grabbed the board’s attention. Audit can’t be a ‘critical friend’ if it has no benchmark for ‘good’ or ‘low’ risk, and believe me when I say that practitioners with the wide and deep security experience needed to ‘do’ cyber risk are not usually found in the audit function.
All is lost? No. Things are improving, but while we function in a world where security heads don’t have the same credibility with the board as audit does, inexpertly drawn lines in the cyber risk sand, slapped with an immovable red audit rating, don’t serve anyone’s interests.
Security functions have a part to play, by improving their own risk management and relationships with the board, but audit functions need to have more humility. Just like a new manager taking over a role not directly related to their expertise, they need to work with subject matter experts (SMEs) to understand what is important before calling the shots. If it is the board pushing for answers that are not easy, or not currently possible, to provide, expectations need to be jointly managed between both functions.
If the impossible is demanded, for whatever reason, you will probably have a political credibility war on your hands, further blocking sorely needed security education and risk mitigation progress.
Perhaps audit functions can learn from the experience of cyber insurers, another group who have traditionally had an antagonistic relationship with the recipients of their services.
They are inviting collaboration to make premiums reflect clients’ cyber risk reality, as discussed in this article by Natalie Lehr and Nick Fearon:

“This becomes a virtuous circle situation for the insured, as it gets the benefit of reduced premiums after risk maturity has been measured, which allows the company greater insight and the ability to be proactive about reducing security risks.

For decades, the bargaining power has been with the insurer. With a revised approach, and in keeping with the demands of today’s cyber landscape, the relationship between insurer and insured has become collaborative as both sides work together to identify and mitigate risk”.

What do you think?

Originally posted on LinkedIn where you can find comments to date
