Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/18/2018
02:30 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Audits: The Missing Layer in Cybersecurity

Involving the audit team ensures that technology solutions are not just sitting on the shelf or being underutilized to strategically address security risks.

There is a broad spectrum of cybersecurity preparedness on the enterprise landscape, but even organizations that are relatively well-resourced and committed to cybersecurity stand to benefit from cybersecurity audits. Recent audit findings revealed gaps in the Washington Metropolitan Area Transit Authority's cybersecurity posture, while deficiencies were similarly pinpointed in an audit of the Michigan Department of Technology, Management and Budget. There is no question that, in many cases, earlier and expanded input from auditors would have helped organizations that have suffered high-profile cyberattacks from sifting through the financial and reputational damage that ensued.

Cybersecurity audits provide a key, additional layer of assurance to organizations that they are safeguarding the data that has become increasingly essential in driving and transforming virtually every business process. The audit function is well-positioned to assess the data protection and controls around those business processes. Organizations that have mature security teams in place might figure they have cybersecurity covered, but how is the effectiveness of that security team being evaluated, and who is ensuring that new threats are being considered on a regular basis? Audit teams need to be part of these mission-critical answers.

Unless organizations have robust risk management processes in place — and many do not — there are common gaps in organizations' cybersecurity posture that cyber audits can help identify, most notably insufficient controls around data management. Not only can cyber audits identify these gaps, they also counteract the tendency for organizations to become complacent and reactive by assuring that risk assessments are being conducted regularly.

People, Processes & Technology
Organizations often miss the mark on cybersecurity when they focus predominantly on the technology components of their programs rather than looking at people, processes, and technology in a more overarching way. Involving the audit team in cybersecurity helps make sure that the attention is not just on technology implementations; auditors also can identify instances when technology solutions are sitting on the shelf or being underutilized, rather than being deployed to strategically address security risks. Additionally, audits can help evaluate critical challenges such as coverage models, skill sets, training, and gaps in key resource capabilities.

When organizations are astute enough to turn to their audit teams for cybersecurity support, auditors must be prepared to deliver value, aligned to the speed of their business. Just as the businesses that auditors support are rapidly transforming, the audit groups must follow suit. This can be challenging, considering many IT auditors received much of their professional training many years ago, when the word cybersecurity did not command the attention it does today, and before transformative technologies such as artificial intelligence, connected Internet of Things devices, and cloud-based platforms were so prevalent and impactful.

Here's the good news: There are many more educational and training resources available today than 20 years ago, when I began in IT audit. Despite time and budget constraints, it is incumbent upon auditors to pursue the appropriate training and credentialing to transform their organizations, refresh their skill sets, and obtain the auditing cybersecurity acumen needed to become integral to their organization's cyber programs.

With few exceptions, enterprises depend upon their technology more than ever to swiftly deliver value. Reliance upon effective and secure technology deployment has spread well beyond a centralized IT department. Having the needed controls in place to contend with an ever-growing array of threats, risks, and vulnerabilities can be the difference between thriving and floundering in today's digital economy. With so much at stake, enterprises cannot afford to take any shortcuts. Activating the additional line of sight that the audit function is uniquely equipped to provide can make all the difference.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

ISACA Board Vice Chair Brennan P. Baybeck, CISA, CISM, CRISC, CISSP, is vice president of Global IT Risk Management for Oracle Corporation (USA). Baybeck leads IT security risk management for global customer support services at Oracle Corporation. In this role, he is also ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
timhollebeek
50%
50%
timhollebeek,
User Rank: Author
12/18/2018 | 10:23:57 AM
Audits
A key question for determining the usefulness of a cybersecurity audit is "audit ... against what?"  Without good security requirements, the value of an audit will be inconsistent at best, and will only find what the auditor happens to notice, instead of providing evidence that the control objectives have actually been met.
hucklesinthedark
50%
50%
hucklesinthedark,
User Rank: Author
11/13/2018 | 5:35:01 PM
Defining the Process
Good points, but of course I'm saying that since I'm an auditor myself. I can vouch for internal audit's potential to help other departments stay on track and make the most of their own processes.

I find that internal audit is highly under-utilized. Many times because they don't have the technical skills (as you addressed), but also because the other departments haven't defined what they are even doing. I am constantly surprised by how often a process is left to evolve from nothing and with no clear purpose. Taking a step back and defining what a function's goal is, and defining how it will be measured to determine if it is doing its function well are things that will help those in operations as well as the auditors that must evaluate the process.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...