​Are Companies Capitulating on Cybersecurity Risks?

The latest cyber breach is raising awareness about vulnerabilities involving cloud services, insider threats, and third-party risks, reflecting how complex and intertwined cybersecurity risks can be. It behooves all organizations to have a deep understanding of cyber risks across the enterprise, including understanding their cyber cultures.

In this blog post from 2018, I revisit the importance of internal audit’s relationship with IT leaders and the value in understanding cyber culture.

In the past dozen years or so, cybersecurity has gone from being a mysterious IT concern best left to chief security officers (CSOs) and chief information security officers (CISOs) to a top priority for boards and executive management. Yet, progress has been painfully slow for a problem everyone agrees is evolving at breakneck speed.

Reports of high-profile cyberattacks are now routine, and no sector or industry is immune to the threat. Indeed, the Privacy Rights Clearinghouse has documented more than 8,600 data breaches since 2005, including 831 in 2017. The group, located at the University of San Diego School of Law’s Center for Public Interest Law, concedes it doesn’t capture every successful cyberattack. Still, it estimates more than 11 billion records have been breached since it began keeping track.

Even so, I must admit I am troubled each time I read about cyberattacks that might have been avoided. Too often, successful hacks involve human failings, not technological ones. This is especially disturbing when one considers that cybersecurity ranks at or near the top of every management and board poll on risks.

I’m starting to wonder if the enormity of cybersecurity is feeding inaction within some organizations. I wonder if companies are simply throwing in the towel and accepting what they believe will be “inevitable.” Despite knowing that data breaches can do incredible financial and reputational damage, organizations don’t take all reasonable steps to protect themselves. Worse, a defeatist or fatalistic view about the eventuality of being hacked may be contributing to weak or ineffective controls.

Two recent surveys provide additional examples of our struggles with cybersecurity. A survey by Spencer Stuart of S&P 500 companies found that, though boards in 2017 hired the largest number of new directors (397) since 2004, a scant 19 percent of them had a background in technology or telecommunications. That suggests that, while there is growing awareness of the importance of having directors who are knowledgeable about IT and cybersecurity, that awareness hasn’t translated into greater action.

Another report, from the information security services firm IOActive, identified cybersecurity vulnerabilities in nearly all of the 40 major online stock-trading platforms it investigated. The vulnerabilities varied in severity, from storage of unencrypted passwords to promoting features that are susceptible to malware.

That reflects the continuing challenge of cybersecurity not being integrated into all areas of the organization. I’m certain none of these stock-trading platforms sought to make themselves targets, but too often the drive for convenience or customer-friendly interactions comes at the price of higher cyber vulnerability.

If management is capitulating in the face of cybersecurity risks, internal auditors can’t afford to join them. We must not only ensure we have the right talent on our staff to audit IT processes and controls, we also must be aware of how cybersecurity is viewed across the organization. In short, part of internal audit’s scope must be to assess the organization’s cyber culture and help build a culture that is cyber savvy.

Talent was among four keys for transforming internal audit that I wrote about in a blog post earlier in 2017. In short, internal audit must redefine talent, especially with regard to auditing IT.

From that blog post:

The path forward on talent may be the most challenging. For example, CAEs report significant challenges in recruiting personnel with cybersecurity and privacy/data mining and analytical skills. Still, there are clear steps we can take to make sure we have the right people in place to meet stakeholder demands, innovate, and be agile.

[The North American Pulse of Internal Audit] identifies six keys that support getting the right people in place, including developing a talent strategy, seeking candidates with different backgrounds, and including future-focused training and development. But one of the most important is to make sure internal audit’s scope drives staff competencies. Too often, the work internal audit functions take on is dictated by the skills they have on staff. This is a dangerous practice that works against innovation and agility.

Internal audit’s role in building a cyber-savvy culture goes hand in hand with having the right talent on staff. Just as internal audit functions can build culture checks into each engagement they perform, so too can they assess how culture contributes to cybersecurity successes and failures.

Internal audit should work with CSOs and CISOs to identify weaknesses in the organization’s cybersecurity controls and practices. It is especially important that the relationship between internal audit and IT leaders be a healthy and cooperative one. After all, they are working for the same goal of effective cybersecurity.

In all circumstances, internal audit must provide the board with a direct and objective assessment on how cybersecurity is carried out within the organization and whether the organization’s culture supports or works against it. Just as important, we must provide assurance on the organization’s preparedness to respond if/when cybersecurity breaches occur.

I’d like to know what you are doing to assess your organization’s cybersecurity culture. As always, I look forward to your comments.