business-audit

Security Audits, Cyberattacks and other Potential Front Line Issues

Defending the Organization

When people talk about security audits in an organization, thoughts immediately go to malware, cyberattacks and other front line issues. These appear as the most obvious types of threats and are consequently given the greatest attention. As essential as these responses are, companies need additional layers of audit and defence further up the hierarchy if they are to build a culture of perpetual and successful self-governance. The problem is, internal compliance and control – the key elements of self-governance – are falling woefully behind the times thanks to traditions that have not yet received a full overhaul. This is bad news for business in the private and public sectors, since the enemies they face have already stepped up to the speed of “now.”

Traditionally, businesses have relied upon three lines of defence for standing up against risk. Called the “Combined Assurance Model,” it relies first on line managers to watch over the business processes. The second line belongs to internal risk managers and assurance providers, and then thirdly comes the internal and external auditors.

Security Audits

Such a structure has not always proven to be reliable. In 2013, Financial Times journalist Howard Davies quoted British lawmakers as suggesting the model “promoted a wholly misplaced sense of security.” He added, “Far from complementing each other as happy teammates, they think the second and third lines are in the chocolate teapot category of uselessness, with “the front line, remunerated for revenue generation, dominant over the compliance risk and audit apparatus.” 

These are the types of issues that worry Shrikant Deshpande, senior banking technology, risk and assurance professional and (ISC)2 Certified Cloud Security Professional. He suggests there seems to be a gap between Internal Audit, GRC (Governance, Risk management, and Compliance) and Cyber Security in terms of formalized methods of defining risks, monitoring and assurance. “There is certainly a meeting of minds and policy level agreement on objectives,” he states, “however a formal process of risk mapping and traceability of assurance outcomes to agreed high level risk needs to improve.

What this means in the most straightforward terms is that audit and GRC education must keep up with the times, and with the new technologies now impacting business globally, like cloud, big data and IoT. There needs to be greater investment in security monitoring technologies and in internal education, and this requires getting through to executive decision makers in a way that effectively conveys both urgency and importance.

Shrikant highlights the recommendations of a 2010 research paper published by the Institute of Chartered Accountants in Australia, outlining a process of continuous assurance for the digital world. Central to its thesis was the notion of “better matching internal and external auditing practices to the reality of the IT-enabled world, to provide stakeholders with more timely assurance.” The authors advocate “audit automation,” to move the audit process away from a “manual, periodic paradigm” to something more real-time.

Shrikant points out that a variety of cloud technology neutral assurance methods and processes already exist, such as COBIT, ISO 27k , ISO 30k, and NIST. The challenge is that audit and GRC professionals need to mature their skills and knowledge to apply these in specific technology environments like the cloud.

This is where a combination of techniques like assurance mapping, combined assurance and continuous auditing can coexist and assist.

He adds, “the gap between risk management stakeholders and those who are actually monitoring risk and creating assurance continues to exist. There is a legacy of division that must be overcome if businesses and organizations hope to thrive in the extremely fast-paced world of cyber-connected business.” His advice: formally engage. Organizations need formal programs, formal assurance mapping and an up-to-speed monitoring program. The luxury of waiting no longer exists.

For more on the CCSP certification from (ISC)2, please visit their website. Sponsored by (ISC)2.

By Steve Prentice

Steve Prentice

Steve Prentice is a project manager, writer, speaker and expert on productivity in the workplace, specifically the juncture where people and technology intersect. He is a senior writer for CloudTweaks.

View Website
Tesla is Worth More Than Ford or GM. Is this the Automakers iPhone Moment?

Tesla is Worth More Than Ford or GM. Is this the Automakers iPhone Moment?

The Automakers iPhone Moment Remember Blackberry? How about Nokia or Motorola? Vaguely you say. Will we one day state the ...
Contrary to popular belief, a pro-privacy stance is good for business

Contrary to popular belief, a pro-privacy stance is good for business

Pro-Privacy Stance Right now privacy is a hot topic on LinkedIn posts, especially as it pertains to compliance with the ...
Four Trends and Realities Confronting Security Today

Four Trends and Realities Confronting Security Today

Realities Confronting Security Today, the number of attempted data breaches, cyber attacks, and other bad behavior by bad actors continues ...
Six Major Data Breach Trends From 2017

Six Major Data Breach Trends From 2017

Major Data Breach Trends It seems like the moment the security industry collectively comes to grips with the latest publicly ...
5 Ways To Ensure Your Cloud Solution Is Always Operational

5 Ways To Ensure Your Cloud Solution Is Always Operational

Ensure Your Cloud Is Always Operational We have become so accustomed to being online that we take for granted the ...
53% Of Companies Are Adopting Big Data Analytics

53% Of Companies Are Adopting Big Data Analytics

Adopting Big Data Analytics Big data adoption reached 53% in 2017 for all companies interviewed, up from 17% in 2015, with ...
Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Infrastructure-as-a-Service Security It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing ...
The Path Of Cloud Computing Is Paved With Collaboration

The Path Of Cloud Computing Is Paved With Collaboration

Cloud Computing Collaboration Cloud computing ushers in a new age of collaboration, one that allows an organization to excel at ...
Using No Electronics, 3D-Printed Objects Can Now Connect to Wi-Fi

Using No Electronics, 3D-Printed Objects Can Now Connect to Wi-Fi

3D-Printed Objects Can Connect to Wi-Fi The vast collection of 3-D-printed products in existence is impressive enough to inspire people ...
Have you Heard? The Chinese Cloud Is Coming!

Have you Heard? The Chinese Cloud Is Coming!

Alibaba challenges Amazon “Alibaba challenges Amazon in the Cloud marketplace!” Analysts are almost breathless in their commentary. What’s the real ...