When we surveyed hundreds of risk professionals, a staggering 72% considered their company to be most vulnerable in cybersecurity. So it’s no surprise that auditors are frustrated when evaluating the effectiveness of cybersecurity programs across industries, given that their mandate is entirely about assurance.
However, assurance in and of itself is no small task. Given the sheer volume of data companies collect every day, it’s almost impossible for auditors to get a handle on all of the information they need from across their organizations, let alone make sense of that data. How can auditors verify that their organizations are protected by internal controls when they can’t make sense of such disparate data?
On October 23, 2018, I was honored to have been invited to speak at the 2018 All Star Conference hosted by The Institute of Internal Auditors in Las Vegas. In my presentation, I discussed how auditors can succeed in cybersecurity. Effective cybersecurity simply doesn’t require massive technology investments, and all cyber-attacks are preventable.
Of course, a robust cybersecurity program should incorporate technology, but that technology will only function properly with good governance and a proactive mindset at all levels and in all departments. Technology can fail, patches can be left undeployed, and upgrades can go unscheduled. This is where the auditors come in.
Operationalizing a risk-based approach to cybersecurity audits is the only way to ensure processes and policies are being followed. Doing so helps ensure that your company’s technology doesn’t fall short, the people in your organization are following procedures, and your business is fully protected.