Cybersecurity: The Internal Auditor's Unavoidable Ally - Ready or Not!

 

 

Cybersecurity has evolved from being just another IT concern to becoming a critical business issue. It is no longer a question of if a cyber attack will happen, but when. For internal auditors, this means our days of focusing solely on financial processes and compliance are over. We are now navigating a complex landscape filled with bits, bytes, and increasingly sophisticated cyber threats. Two recent reports from The IIA, Risk in Focus 2024 and Internal Audit: Vision 2035, highlight this transformation and underscore the urgent need for us to adapt to new risks and challenges. What is one of the most pressing challenges on the horizon for organisations? You guessed it - maintaining a robust cybersecurity posture.

 

The Good Old Days

Remember when our biggest concern was a rogue employee fudging some numbers? Those days seem simpler now. Today, we face a complex web of threats, from nation-state hackers and cybercriminals to well-meaning employees who inadvertently create vulnerabilities. The rise of phishing attacks, ransomware, and data breaches has created a cybersecurity landscape that is more treacherous than navigating a simple IT General Controls Review!

 

The New Normal

Cybersecurity now impacts every aspect of the organisation, requiring attention far beyond the IT department. Internal auditors are uniquely positioned to help organisations navigate this brave new world. However, let us be honest: most of us are not cybersecurity experts (yet). With terms like "SOC", "SIEM", and "APT" becoming everyday jargon, it can feel like learning an entirely new language. But this is where we come in - decoding these complexities into plain language for the C-suite, helping organisations make informed decisions in a rapidly changing threat landscape.

 

Focus on the Fundamentals

To effectively integrate cybersecurity into our audit work, here are key areas to focus on:

Risk Assessment: Identify high-risk areas and assess your organisation’s cybersecurity risk management framework, including threat modelling, vulnerability assessments, and threat analysis. Keep an eye on the IIA’s upcoming mandatory Topical Requirement on cybersecurity, which is currently being finalised. It will cover crucial areas such as governance, risk management, and control processes – an essential read for all internal auditors.

Control Effectiveness: Evaluate the design and operating effectiveness of cybersecurity controls. This could involve reviewing areas such as network security, endpoint security, vulnerability management, data encryption, access management, and backup and recovery.

Third-Party Risk: Assess the cybersecurity risks associated with third-party vendors and service providers. After all, a chain is only as strong as its weakest link, and a thorough review can go a long way.

Governance: Think of governance as the command centre for your organisation’s cybersecurity efforts. It sets the tone and directs strategic decisions. As internal auditors, we need to ensure that the governance structure effectively manages cybersecurity risks and maintains a resilient posture.

Incident Response: Incident response is like a fire drill for your organisation’s cybersecurity team. It is the plan to follow when things go wrong. Internal auditors must evaluate whether the incident response plan is current, effective, and tested regularly.

 

Collaboration is Key

We cannot tackle cybersecurity alone, nor should we try. It is a team effort that requires coordination across IT, management, and the board to ensure alignment on cybersecurity objectives and strategies.

 

Stay Curious, Stay Current

The cybersecurity landscape evolves faster than our audit plans! To keep pace:

  • Stay Informed: Keep up with the latest threats, technologies, and best practices. Consider it an essential part of your continuous professional development.
  • Pursue Continuing Training: Engage in upskilling in cybersecurity domains like NIST CSF, ISO 27001, data privacy regulations, PCI DSS, and incident response plans. Broadening your expertise will help you stay ahead of emerging threats.
  • Collaborate with IT: Work closely with your IT team to understand their cybersecurity practices and identify areas for improvement.
  • Leverage Technology: Use audit tools to automate and streamline cybersecurity audits. Efficiency is key!
  • Think Like a Hacker: Understand your organisation’s systems from a hacker’s perspective to identify vulnerabilities and mitigate risks.

 

Cybersecurity Is Our New Reality

Cybersecurity might not be our traditional comfort zone, but it is our new reality. By focusing on the fundamentals, collaborating with key stakeholders, and maintaining a curious mindset, we can help our organisations stay resilient against cyber threats. As we adapt to this new environment, we must also prepare for future technologies like artificial intelligence, the Internet of Things, and blockchain. These innovations will bring new challenges, but our adaptability and commitment to continuous improvement will guide us through. After all, we are internal auditors - and our dedication to protecting our organisations will always light the way forward.

 

Alexchandar Anbalagan is a seasoned audit and finance leader with over 20 years of experience leading high-impact teams across multinational corporations and startups in Asia Pacific. A dedicated problem-solver with a fresh perspective, Alexchandar approaches challenges with contagious enthusiasm and a collaborative spirit. He values integrity, curiosity, and authenticity, believing that meaningful relationships are key to making a real impact in the world.