Should Your Business Consider Conducting a Cyber Security Audit?
- Michael Marrano
- Dec 7, 2020
- 3 min read
Updated: Dec 10, 2020
It's been a couple of years since the National Initiative for Cybersecurity Education (NICE) Working Group Subgroup on Workforce Management at the National Institute of Standards and Technology (NIST) published "Cybersecurity is Everyone's Job," but the message remains relevant today and beyond as organizations in every industry are overwhelmed by cybersecurity.
The notion that the CEO is responsible for a missing software patch and the subsequent data breach may seem incomprehensible to many individuals, since the CEO is not personally responsible for selecting technology or performing the maintenance, including auditing, vulnerability testing, system updates, and security patches.
It is true that the day-to-day responsibilities of a CEO do not include vulnerability monitoring and network security, but in today's threat-filled landscape, the senior management of every organization is expected to be involved in, and have oversight of, the organization's information security program. Richard Smith will forever be known as one of the first high-profile CEOs and executives held accountable for an organization's data breach. When he was "retired" following the cybersecurity incident at credit reporting bureau Equifax, it was the first high-profile event of its kind, and it changed the way boards and executives oversaw cybersecurity.
There is no more important exercise for organizations and management teams to perform than an annual Cybersecurity Risk Assessment. A Risk Assessment, also known as an Audit, is not only a regulatory requirement in many industries; it is also a top recommendation from the United States Cybersecurity & Infrastructure Security Agency (CISA), and the assessments are so critical that the agency provides no-cost evaluation tools so organizations can perform self-assessments. For organizations without the resources and knowledgeable internal staff capable of accomplishing a cybersecurity self-assessment, there are other options available that utilize technology and people to assist with cybersecurity audits.
Let's face the facts: cybersecurity is complicated, and performing a holistic risk assessment of an organization's cybersecurity posture can be overwhelming, requires extensive resources, and must have executive support to succeed. Luckily, the demand for audit and risk assessment resources has created a Batman-like utility belt of auditing tools, services, and platforms to reduce the workload and streamline the auditing process.
The market is inundated with Governance, Risk and Compliance (GRC) platforms, Integrated Risk Management (IRM) platforms, and countless other web-based software and cloud-hosted services that promise to simplify the complex, time-consuming, and resource-intensive audit process. Claims of automating a lengthy audit such as the AICPA's SOC 2® - SOC for Service Organizations, and of collecting evidence faster than you can read this, are good for a quick laugh while you attempt to figure out the differences between GRC and IRM, the many types of audits, and the alphabet soup of cybersecurity framework acronyms. The auditing tools are certainly helpful, and many do provide a single platform to collaborate, document, and share evidence, but just like a high-tech fighter jet or a simple paper airplane, auditing tools still require skilled people to get them off the ground and keep them in the air.
Audits and Risk Assessments are time-consuming. Some audits are ongoing for months while others are completed in a few weeks; nonetheless, audits cannot be successfully accomplished without skilled people. Utilizing external third parties to perform audits is a good practice and a recommendation in almost all cybersecurity frameworks. The regulators, clients, and demanding investors that organizations hope to appease with routine audits will also appreciate someone else "checking your homework" and issuing a certifiable "grade". Executive management teams and boards are often influenced by advisors and peer groups that endorse third-party service providers for "cybersecurity risk assessments", "dark web threat hunts", "vulnerability scans and penetration tests", and other types of security audits.
Engaging a third-party consultancy focused on cybersecurity auditing and testing is a likely solution for many organizations' challenges. Another viable and cost-effective solution is utilizing a cybersecurity subject matter expert (SME), often called a Virtual CISO (Chief Information Security Officer), to lead the audit program. A vCISO often reports to the executive management team or board and quickly fills the gap in resources and internal skill sets. A vCISO assists with pre-audit readiness, provides support throughout the audit, and handles ongoing maintenance and compliance between audits.
There is no debating it: support from everyone in the organization is necessary to combat the scams, hacks, and cyberattacks that have become commonplace in today's headlines. Routine audits and cybersecurity risk assessments require buy-in from boards of directors, managers, investors, and other stakeholders of public and private organizations of all sizes. These organizations are under increasing pressure to demonstrate that they are managing threats, have reasonable controls in place, and are utilizing all available resources.
Sources:
NIST. (2018, October 22). Cybersecurity is Everyone's Job. Retrieved from https://www.nist.gov/news-events/news/2018/10/cybersecurity-everyones-job
Brewster, T. (2019, July 22). Equifax Just Got Fined Up To $700 Million For That Massive 2017 Hack. Retrieved from https://www.forbes.com/sites/thomasbrewster/2019/07/22/equifax-just-got-fined-up-to-700-million-for-that-massive-2017-hack/?sh=4ffa4ee63e96
Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Assessments: The Cyber Security Evaluation Tool (CSET®). Retrieved from https://us-cert.cisa.gov/ics/Assessments