Operational resilience | Risk Management & Reporting

September 2, 2024

The Old Ways are not the Best

Traditional manual, compliance-driven audit approaches are obscuring boards’ visibility of these issues. They are failing to deliver timely, reliable and useful information. Executives are flying blind—making flawed decisions and false or outdated assurances to customers, insurers, regulators and the market. Evidence of this is clear in the torrent of news stories that continue to cover ransomware attacks, data thefts, privacy breaches and service disruptions, even in regulated industries.

Board members are not expected to be experts in cyber risks, but they do need to be aware of them. Significant fines are being levied by the SEC, privacy regulators and courts for compliance failures. The owners of the New York Times were recently fined USD$10m for failing to notify markets about a breach. The potential for sanctions against individuals is also increasing, as in the case of SolarWinds and its CISO (although charges have since been dismissed) and the personal prosecution of the Chief Security Officer at Uber.

Better visibility of system controls, internal front-line operations and partners gives greater confidence in the effectiveness of cyber defences. Businesses receive accurate, reliable and trustworthy audit outputs in other streams of activity, such as financial reporting. However, the same rigour and integrity is often lacking in cyber security.

Ask me no questions…

Questionnaires are commonly used to assess information technology exposures, especially for third parties. However, they are dependent on the knowledge and underlying motivation of those responding. Even honest responses can contain omissions, biases and misconceptions. They are particularly onerous for organisations with many suppliers or business units, where separate questionnaires need to be “stitched together” for an adequate picture of the risk.

Interviews with front-line teams and checks on processing records are often part of manual audits, but the picture is often no clearer. Selection biases in sampling, a motivation to convey positive views, and gaps in knowledge are common. Worse, the workload for both auditor and auditee is not reduced.

An industry has emerged to address this. It uses methods similar to those of attackers to gather system information and find weaknesses to exploit. This approach, using complex tools and deep expertise from specialist companies or in-house teams, delivers a high level of transparency. However, the technical complexity makes it costly, and the results can be difficult to understand for some IT team members and for non-specialist board members.

IT teams need detail – system identifiers, configuration settings, specific changes – while executives need outputs that relate to changing business risks. These depend on many factors including system roles, business plans and legal undertakings. Long lists of technical issues and low-level findings don’t help.

These approaches, each individually flawed as they are, suffer from a further collective challenge. The effort and cost involved mean they are inevitably rolled up into infrequent, one-off annual audits.

Cyber security is fast-moving and new weaknesses emerge all the time. Each new user account could be a risk. Each flow of data could expose sensitive information. Every system change could open a route to attack. With boards relying on audits to verify the effective management of cyber security, this situation is fraught. Inaccurate, out-of-date and opaque reports can quickly lead to bad decisions and false statements on behalf of the business. It is imperative that cyber security audits take place more frequently. Evidence-based data reduces the duration of exposures, giving operational teams and senior managers visibility that previous weaknesses have been addressed.

The Digital Transformation of Audit

The transformation of cybersecurity audit through technology provides some hope. It enables businesses to improve the safeguards protecting data and the accuracy of reporting processes. It also hastens the transfer of audit opinions to the board.

Gathering data on configurations, settings, policies and records of operation directly from security management systems has many advantages. It avoids relying on questionnaires, on interviewing operational teams, or solely on the direct outputs of controls. Audit technology of this kind is easier to use, more accurate and repeatable. Avoiding reliance on control outputs gives greater independence, and it is less intrusive than scanning every system for every possible vulnerability to detect security weaknesses.

Besides accuracy, speed, repeatability and objectivity, these technologies also allow reporting outputs to be tailored for different audiences. Operational teams need details of specific corrective actions or settings for individual systems to allow exploitable weaknesses to be rapidly addressed. Executives need high-level information on the coverage and performance of controls to have confidence in the statements they make to their stakeholders.

However, the major advantage of automating audit processes is the ability to operate more frequently, even continuously, to find issues, trigger resolutions and check progress. This avoids obsolete annual cyber audits and hastens discovery and corrective activities.

A Business-wide Approach to Audits is Needed

The security breach at Australian health insurer Medibank is a cautionary tale. While the matter is still before the courts, one investigation alleges inadequate protection of the business and its information. According to the Office of the Australian Information Commissioner, audits were not acted upon to correct the issues identified. Whether it is enough for an audit report “to exist” for compliance purposes, or whether it must be used to improve security controls, remains unresolved.

Given the nature and prevalence of attacks, overlooked cyber security issues can make a successful attack inevitable. Reducing the interval between assessment and mitigation means less time at risk, while continuous checks can reveal failures in remediation processes as well as in the controls themselves.

Organisations must do three things:

  • Agree where the responsibility for this transformation lies, then agree budgets and implement solutions.
  • The board or audit team, in their governance capacity, must drive the adoption of audit technologies to enable evidence-based reporting and understanding of risks.
  • IT functions and operational security teams must deploy tools to deliver the audit evidence and outputs that they, the board, auditors and external stakeholders need.

Boards and internal auditors have much to gain from effective internal audit processes. Likewise, IT operators and managers benefit from continuous collection and tracking of configuration information and weaknesses. With the impacts and penalties for cyber security breaches becoming more meaningful, and the reputation of both organisations and executives at stake, there needs to be prompt discussion and agreement within organisations to address and manage this issue.
