Audit, Compliance and Risk: The Charlie’s Angels of cyber security
Cyber security is one of the largest and most critical risks facing businesses. It has had continued and increasing attention not only from within the IT security function itself but from the wider business at board level.
There are numerous studies available on the scale of the risks, the increasing size of fines, and the growing awareness among boards and consumers. Within “the security industry” there is ample research on the threats, the technical sophistication of attackers and the ways in which systems and processes can be breached, leading to a loss of data.
Keeping cyber RISKS in perspective
However important cyber security is, there are other business imperatives. As the chair of ISACA recently said:
Security no longer king says ISACA chair
Digital transformation knocks cyber-security off its perch, staff incentives not working, the skills gap impacts maturity & business’ ability to quantify security risk
Brennan P Baybeck, ISACA board chair
Businesses have priorities and face a wide range of risks, and security risks need to be considered accordingly.
An example is reputational risk. A business involved in activities unpopular with some groups, whether in terms of environmental impact, the use of cheaper overseas labour, single use plastics, climate change or the payment of “fair” taxes, can find itself at the mercy of the press, consumers and politicians. Nowadays security and privacy are a part of this: being a responsible “information custodian”, treating data in a “fair” way, protecting privacy and, when a breach occurs, being quick to own up and take responsibility. These all matter to consumers and hence to the politicians and media outlets they connect with. Customer boycotts and social media campaigns are now a real risk for a business that upsets its target market.
If a board is worried about reputation or is using a proud ethical/responsible stance as a competitive differentiator, then a big part of the business case for good cyber security (or at least getting the basics right for good “cyber hygiene”) is already in place. The reputation is just as much at risk from a failure in this area as any other.
Risk management – whether it’s quantitative risk based on regulatory fines, the business value of reputation, or the need to pursue Digital Transformation to drive the business forward – plays more of a role than ever.
Certainly, it is necessary to have an intelligent conversation about it with the business in risk terms.
The role of COMPLIANCE
The importance of compliance goes hand-in-hand with risk.
Adopting, aligning with or embedding a standard in the cyber security approach helps manage risk. Many standards entail a requirement – stated or otherwise – to have assessed the risks faced. In some cases, this is explicitly so that you can choose which of the standard’s controls you actually deploy.
Certainly, compliance with laws and regulations has a big part to play. The rise of GDPR as a driver for requirements, and the scale of fines it can entail, has focused attention on privacy and security in a major way.
Breach notification laws in the US, as well as FTC-imposed fines for security and privacy breaches, play a similar role. For listed companies the need to declare risks in SEC filings means having continuous sight of security risks and breaches.
Besides what is enforced by governments and regulators are the standards that relate to specific sectors and business practices – examples being HIPAA, which pertains to PII and healthcare data, PCI-DSS for credit card information and EBA or FCA rules for banking institutions. These are critical to enable the business to operate, so are “laws” in all but name.
Then there are the standards that businesses can “choose” to follow – they comprise everything from large frameworks like Cobit or ISO27001, to specific standards that are perhaps easier to adopt like the SANS or OWASP guides. Then at the lowest end there is a range of “high level”, smaller standards designed for cyber security in smaller businesses.
The UK’s NCSC publishes “10 Steps”, and in Australia the ACSC equivalent is the Essential 8. Businesses may not be able to justify the expense and rigour of a comprehensive standard or framework, but they cannot ignore fewer than a dozen “best practice” rules offered as basic cyber hygiene guidance.
The digital transformation of AUDIT
In the midst of all this is the role of audit. Cyber risks are important to the board and stakeholders, so audit must check that the selection of controls and their effectiveness is robust and resilient to ensure that the systems and data they protect can be relied upon and trusted.
Compliance drivers (or compliance failures and the associated fines) can introduce costs that the business must either manage or account for, so the governance functions need sight of the exposure to these and of the way the business is controlling them.
As the governing body says:
The role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.
“What is internal audit?”, Chartered Institute of Internal Auditors, 23 May 2019
For audit there is an increasing need to identify and understand cyber risks in the light of growing legal, financial, regulatory and consumer pressure. Modern organisations, with their complex web of technologies, third parties, data assets and controls, make it paramount for audit to give a view on the effectiveness of controls and the trustworthiness of systems and data.
Do IT and the business have the right controls, and are the controls operating properly?
The importance of this is clear in recent guidance from PCAOB around the reliability of audit evidence – in terms of how easy it is to get “telemetry” out of operational systems and controls, but also the way in which that evidence is obtained: how many people and “pairs of hands” need to gather, collate, analyse, access and interpret it before the final results are available. The need to report on these means that recognising the probability of incidents going unnoticed, or of misstatements being made, is well and truly on the audit agenda. Cyber security is not the only area of concern here, but it may well be one of the least mature in addressing it.
The cyber security challenge facing Audit, Risk and Compliance
As these challenges combine there are some things that are self-evident. Certainly, all three areas need each other in a fundamental way. And all are important to cyber security.
Enter Regtech, the automation of compliance and risk management using technology to provide safer and faster outcomes and higher levels of visibility and assurance.
Compliance is routinely used to justify security purchases, either directly in the form of controls or through spend on auditing and assessing the controls in place. There have even been anecdotal cases of “compliance” being used to justify spend on solutions that were desired by security teams but not necessarily the best or only way to deliver a compliance objective.
Regtech is an area of innovation that aims to deliver compliance by monitoring and gathering the necessary data so that algorithms in the technology itself can make judgements, rate risks, analyse the context and then seamlessly report or act to perform the necessary checks, control changes or corrections.
Risk assessment is an accepted way, within a compliance regime, to identify the defences needed and highlight the ones that are more important and should be given highest priority in deployment, operation and oversight.
This brings the role of audit into sharp focus.
Regtech and Cyber Security Audit
Are security controls present, are they appropriate to the compliance obligations and the risks the business faces? Do controls provide an adequate defence so that the integrity of systems and data can be assured? Are there exposures to costs, restitutions, fines or other sanctions that could affect the business in a material way? Critically, are misstatements being made (or possibly being made) about the state of security and assurance that would never be tolerated within a finance function, simply because the technical challenges and uncertainty complicate both the answers and the understanding of them?
Requiring audits to highlight poor availability of, or delays in obtaining, audit evidence recognises that systems which fail to provide this evidence may be less trustworthy than those that do (or at least harder to manage with any degree of certainty). Likewise, we are asking audit functions to make judgments as to the degree of automation, and the protection of evidence from human interpretation and interference.
The solution is to maximise automation: by taking humans out of the loop for accuracy and integrity purposes, the utopia of continuous assessment and measurement can be realised.
Regtech solutions that provide continuous assessment and measurement are available. Moreover, they have the ability to link into the IT service and operations processes to enable closed-loop remediation of findings. This puts another feather in the cap of security oversight – the ability to quickly find issues that have arisen, report on them and be confident that they have been marked for the business areas or IT to resolve.