Security Audits, Cyberattacks and other Potential Front Line Issues

Defending the Organization

When people talk about security audits in an organization, thoughts immediately go to malware, cyberattacks and other front line issues. These appear as the most obvious types of threats and are consequently given the greatest attention. As essential as these responses are, companies need additional layers of audit and defence further up the hierarchy if they are to build a culture of perpetual and successful self-governance. The problem is that internal compliance and control, the key elements of self-governance, are falling woefully behind the times because the traditions they rest on have not yet received a full overhaul. This is bad news for business in the private and public sectors, since the adversaries they face have already stepped up to the speed of “now.”

Traditionally, businesses have relied upon three lines of defence against risk. Called the “Combined Assurance Model,” it relies first on line managers to watch over the business processes. The second line belongs to internal risk managers and assurance providers, and the third to the internal and external auditors.

Security Audits

Such a structure has not always proven to be reliable. In 2013, Financial Times journalist Howard Davies quoted British lawmakers as suggesting the model “promoted a wholly misplaced sense of security.” He added, “Far from complementing each other as happy teammates, they think the second and third lines are in the chocolate teapot category of uselessness, with ‘the front line, remunerated for revenue generation, dominant over the compliance risk and audit apparatus.’”

These are the types of issues that worry Shrikant Deshpande, senior banking technology, risk and assurance professional and (ISC)2 Certified Cloud Security Professional. He suggests there seems to be a gap between Internal Audit, GRC (Governance, Risk management, and Compliance) and Cyber Security in terms of formalized methods of defining risks, monitoring and assurance. “There is certainly a meeting of minds and policy level agreement on objectives,” he states, “however a formal process of risk mapping and traceability of assurance outcomes to agreed high level risk needs to improve.”

What this means in the most straightforward terms is that audit and GRC education must keep up with the times, and with the new technologies now impacting business globally, like cloud, big data and IoT. There needs to be greater investment in security monitoring technologies and in internal education, and this requires getting through to executive decision makers in a way that effectively conveys both urgency and importance.

Shrikant highlights the recommendations of a 2010 research paper published by the Institute of Chartered Accountants in Australia, outlining a process of continuous assurance for the digital world. Central to its thesis was the notion of “better matching internal and external auditing practices to the reality of the IT-enabled world, to provide stakeholders with more timely assurance.” The authors advocate “audit automation,” to move the audit process away from a “manual, periodic paradigm” to something more real-time.

Shrikant points out that a variety of technology-neutral assurance methods and processes that apply equally to the cloud already exist, such as COBIT, ISO 27k, ISO 30k, and NIST. The challenge is that audit and GRC professionals need to mature their skills and knowledge to apply these in specific technology environments like the cloud.

This is where a combination of techniques like assurance mapping, combined assurance and continuous auditing can coexist and assist.

He adds, “the gap between risk management stakeholders and those who are actually monitoring risk and creating assurance continues to exist. There is a legacy of division that must be overcome if businesses and organizations hope to thrive in the extremely fast-paced world of cyber-connected business.” His advice: formally engage. Organizations need formal programs, formal assurance mapping and an up-to-speed monitoring program. The luxury of waiting no longer exists.

For more on the CCSP certification from (ISC)2, please visit their website. Sponsored by (ISC)2.

By Steve Prentice

Steve Prentice is a project manager, writer, speaker and expert on productivity in the workplace, specifically the juncture where people and technology intersect. He is a senior writer for CloudTweaks.
