Norman Marks on Governance, Risk Management, and Internal Audit

One of the challenges when it comes to so-called “cybersecurity risk” is in accepting and then applying the idea that cyber is not an “IT risk”. No. It’s a business risk.

That is easy to say, and it makes all the sense in the world.

However, people tend to apply it only when talking about the fact that the whole organization, the entire business, has to be involved in preventing and then responding to a breach.

The truth is that cybersecurity MUST be seen within the context of the whole business, not in a silo.

What is the potential effect of a breach on the achievement of the enterprise’s objectives?

If we are to assess cyber-related business risk, we have to have the answer to that question.

That requires the involvement in the assessment process of both business and technical personnel.

Trying to assess cyber-related risk with only technical personnel is highly unlikely to come up with the right answer.

Yet, the most widely accepted cyber risk standards are written by information security personnel, for (in my opinion) other information security practitioners.

 

If internal auditors want to assess the management of cybersecurity risk, they should take a more holistic approach, starting with the answers to that question: “What is the potential effect of a breach on the achievement of the enterprise’s objectives?”

An audit should probably include the participation of financial and operational auditors, not be limited to the infosec experts.

 

In fact, the first step in any audit should be to determine whether management knows the answer! Then see whether they continue to know the answer as the business, technology, and the environment (including the hackers’ tools, techniques, and favorite targets) change.

If management has not completed and then maintained a business risk-oriented risk assessment that is integrated with enterprise risk management and decision-making, the audit team should consider calling the audit to a halt.

If management doesn’t know where the risks are, what assurance does it have and what assurance can internal audit provide, that the right controls and security are in place?

 

The next step, the one I favor, is to determine whether the information security team has the necessary capabilities, position, and authority to address those risks.

 

Only then would I consider assessing whether the measures in place are sufficient and effective.

 

The IIA had different ideas when it published one of their newer pieces of ‘supplemental guidance[1]’ in their 2020 Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk.

The GTAG has some good and some not-so-good advice for auditors wishing to provide assurance, advice, and insight on cyber-related business risks.

This GTAG seems to fall into the trap of assessing risks to information assets, rather than risks to the business, IT risks (whatever they are, absent the context of what the business os trying to achieve) vs. risks to the success of the business.

Let’s look and comment first at some excerpts.

• Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.

(Later…)

Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete,

(Later still)

The complexity of cybersecurity requires added layers of controls, such as monitoring for risk, detecting exploits as they happen, and prompting corrective action.

Comment: I couldn’t disagree more on the first two of these excerpts. ITGC includes information security, which includes cybersecurity. Cyber is no different from what I was responsible for when Information Security reported to me at two financial institutions; what I evaluated as an IT auditor; or what my various Internal Audit teams assessed after I became a CAE.

The third quote is fine, although every source of significant risk needs to be monitored and the assessment updated at the speed of risk.

• Cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets — computers, networks, programs, and data — from unauthorized access.

Comment: In other words, IT Information Security.

• Cybersecurity risks are notably more dynamic than most traditional risks and necessitate a timely response.

Comments:

1. 1. More dynamic (volatile) than currency or commodity prices? I doubt it.
   2. All risks require more than just a timely response, they require timely identification and assessment.

• Cybersecurity is relevant to the systems that support an organization’s objectives related to the effectiveness and efficiency of operations, reliability of internal and external reporting, and compliance with applicable laws and regulations. An organization typically designs and implements cybersecurity controls across the organization to protect the integrity, confidentiality, and availability of information.

Comment: The GTAG has correctly listed all the categories of objectives identified in the COSO Internal Control Framework. Nothing new here. But the controls need to be designed to address risks to the achievement of those objectives, a different dimension to “the integrity, confidentiality, and availability of information”.

• Because assurance based on traditional, separate evaluations is not sufficient to keep up with the pace of cybersecurity risk, an innovative assurance strategy is required. Increasingly, continuous auditing techniques are needed to evaluate changes to security configurations, emerging risk outliers and trends, response times, and remediation activities.

Comment: 100% disagree, and this is one of my primary problems with the GTAG. I will explain shortly.

• The internal audit activity plays a crucial role in assessing an organization’s cybersecurity risks by considering: Who has access to the organization’s most valuable information? · Which assets are the likeliest targets for cyberattacks? · Which systems would cause the most significant disruption if compromised? · Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization? · Is management prepared to react quickly if a cybersecurity incident occurred?

To understand the cyber threats relevant to an organization, it is important to determine what information would be valuable to outsiders or cause significant disruption if unavailable or corrupted. Also, it is important to identify what information may cause financial or competitive loss or reputational damage to the organization if it were acquired by others or made public.

Comment: While the GTAG focuses on the protection of information assets, that is IT-centric and siloed and not a business-centric view. I will come back to that as well.

• Management should consider performing a business impact analysis (BIA).

Comment: if management hasn’t done a BIA that identifies how a cyber incident could affect the achievement of its objectives, Internal Audit should immediately bring that to the attention of senior management and the board as a serious issue. Any risk assessment is likely to be wrong. If they have done one that only helps them prioritize information assets and does not enable multiple sources of risk (i.e., not only cyber but also compliance, human resources, etc.) to be considered together when making a decision, the issue remains serious – but is easier to remedy. See discussion later.

The GTAG includes eight questions that a CAE to consider.

It also has a Cybersecurity Risk Assessment Framework that has six components.

1. Cybersecurity Governance
2. Inventory of Information Assets
3. Standard Security Configurations
4. Information Access Management
5. Prompt Response and Remediation
6. Ongoing Monitoring

I will let you read and think about them. Instead, I want to be constructive. I will explain my two major issues and then suggest a far better approach (IMHO[2]).

 

It’s not about information assets.

One of the problems I have with the NIST, ISO, and FAIR standards and guidance is that they focus on ‘information assets’ and not on the business..

While the business cannot be considered absent IT-related risks and opportunities, those IT-related risks and opportunities cannot be considered absent the context of running the business and achieving objectives.

Cyber (and other IT-related risks) should not be considered in a silo.

Cyber (and other IT-related risks) is just one source of risk that needs to be considered in decision-making.[3]

In fact, a cyber incident can create a supply-chain, compliance, operational, financial, or other risk – because risk is inter-related.

Similarly, a change in the supply chain such as the use of a new logistics company, or a change in operations or financial advisor, can change cybersecurity-related risks.

Cybersecurity risk assessment and treatment should be an integral part of the organization’s enterprise risk management program (ERM) and decision-making, not a siloed operation.

If cybersecurity is not fully integrated, then Internal Audit should be reporting that to the board.

We need to be concerned with risk to the ability of the organization to achieve its objectives, its purpose over time.

That is what a BIA should do, and it’s why the absence of one that is continually updated is a major issue that needs to be reported to the board and fixed.

Internal Audit needs to rise above the silo and use its ability to see the whole, not just individual parts.

Audit what might affect the organization, and that is likely to result in assessing cyber differently.

 

It’s not about doing it ourselves

There’s too much focus on assessing what defenses are in place, and not nearly enough about whether management knows they have the right level of cybersecurity in place all the time.

Note the ‘all the time’ qualifier in that sentence.

We shouldn’t be looking at continuously auditing cybersecurity (as suggested by the GTAG). Instead, we should be seeing if management not only has the right defenses at the time of our review, but will adapt them properly as risks change in the future.

Not only do we review their processes for cyber risk assessment (as an integral part of ERM), but review whether that assessment is continuously updated.

 

Provide forward-looking assurance, advice, and insight

Any audit should provide our professional opinion on whether management’s processes and controls provide reasonable assurance that there is a low (i.e., acceptable) likelihood of a breach with an unacceptable effect on the organization and the achievement of its objectives.

Auditing what is in place today and whether it is sufficient to address today’s known risks is of limited value.

Audit whether management has the right capabilities in place today and is reasonably likely to have in the future.

 

I welcome your thoughts.

[1] The IIA says “Supplemental Guidance provides additional information, advice, and best practices for providing internal audit services. It supports the Standards by addressing topical areas and sector-specific issues in more detail than Implementation Guidance and is endorsed by The IIA through formal review and approval processes”.

[2] Maybe not so humble.

[3] This is the focus of my book, Making Business Sense of Technology Risk.