
teissTalk: Can internal audit boost your cyber security?

On 11 January, teissTalk host Tom Langford was joined by Veselin Monev, Information Security Officer, Pilatus Aircraft Ltd; Daniel G. Dresner, Professor of Cybersecurity, University of Manchester; Deborah Haworth, Director of Information Security, Penguin Random House.

Views on news


Some of the items on the list, such as MFA, can have a huge impact if done right. But there are cyber security basics lists with 50+ items as well. An incident response plan must certainly be at the top of such a list. Ideally, this is what must get done first, with the rest built around it. But for incident response to work well, you need to build the capabilities that the business can respond with, as well as a framework. Meanwhile, all awareness campaigns should start with some honest discussions about the weaknesses of the cyber security posture. Training employees is hard, but their attitudes to cyber security, as well as the culture, can be changed, and making cyber security front and centre of employees’ thinking is the key element.

Internal v. external audit and finding the right terminology


Although self-assessments and checks are common, internal audits are relatively rarely used. The point of an internal audit is to check whether the company has the controls defined in its cyber security framework in place. Therefore, the framework must be well designed for internal audits to make a difference. Internal auditors must understand the organisational context and what the business is trying to achieve with its cyber security controls, and their checklist should reflect the priorities of the Board.


Cyber security professionals should focus on the controls that nobody wants to comply with. Internal audits pointing out the need for these controls can help drive an investment plan for them through the resistance of senior leadership. Internal audits are also great tools for adjusting different cyber control regimes to the unique operation and features of a business. However, as there is a danger that those carrying out the internal audit do not fully understand how cyber security in the business works, there may be a case for skipping the internal audit and waiting until an external one has taken place. The internal audit function is only up to scratch if it understands the inner workings of the business, including its defences. A company can have a separate internal audit function, or its auditors can do this activity as a secondary job, in which case a lot of cross-pollination of ideas can take place between them.


Using the right language when communicating the top cyber security concerns is key. While business language is about money and opportunity, security language is primarily about cost and is full of TLAs (three-letter acronyms). Even the board-level and senior-management-level languages are somewhat different from each other. As few companies have so far gone under as a result of a cyber incident, it may make more sense to talk about the human cost of a breach on employees, including all the extra work, finger-pointing and stress. It must also be mentioned that a percentage of cyber incidents are the result of defective software.

The panel’s advice


An internal audit can help people do the right thing that they always wanted to do but no one was listening to them.

  • As a cyber security professional, make sure you can always answer the “so what?” question coming from those you want to convince. Don’t just talk about a risk; explain what causes it, as well as what the cost would be if it materialises - jokingly called RoI, the risk of incarceration.
  • Consider having a cyber-NED (non-executive director) on the board that can bring their expertise to the table.
  • Think of who your target audience is and adjust the language and terminology you use with them accordingly.
  • Leverage internal auditing following a cyber event to get the business into a better position than it was before it.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543