Break Silos for a More Vigorous Cyber Defense

Richard Marcus

February 13, 2025

The new Global Internal Audit Standards may be in full effect, but many organizations are still preparing to incorporate these new best practices. Forward-thinking organizations are focusing on how to break out of silos and forge stronger working bonds between internal audit and security teams to achieve audit quality and consistency under the new standards. Here are some tips for following in their footsteps to achieve a more united front in cyber defense.

Get a cross-organizational view of perceived risks.

The first step in breaking down silos is to avoid defining the top security risks in a vacuum. Instead, take a broad cross-section of perspectives and participants from across the company to understand the top perceived risks, examine other external sources, and consolidate those different data points to ascertain the top risks. However, this list isn’t static. The risk list a business develops today will not look the same 12 months from now, so it must be open to change. As the velocity of certain risks increases, they should rise on the risk list.

Solicit feedback on your audits.

It is critical to understand how internal audits can add value. In addition to the perceived risks, discuss what’s coming next year and what keeps everyone up at night. Use this information and the rest of your risk assessment approach to help drive your audit plan. When you develop your audit plan, consider publishing it back in draft form to all the IT and security leaders for feedback on audit timing, areas, and scope.

Share data to get real-time visibility. 

Silos lead to siloed information. Organizations can be too protective of their data and technology, to the point where teams, whether audit or risk professionals, only share bits and pieces of information, which translates to a lack of real-time data. Individuals don’t need to be technical experts to understand security or help manage risk, said Mike Levy, CEO at Cherry Hill Advisory.

“As a risk professional, when you’re able to get real-time visibility into what’s happening within your organization, especially on the security front, it lets you better manage those risks and articulate those risks so that there’s visibility across the organization,” he said.

This can include daily interactions and activities or ensuring risk is considered part of a project during implementation or a new strategy within the business. Work products, like assessment reports, evidence collected, and audit findings, should be shared across teams working on similar risk management goals to maximize re-use and optimize the impact of finite resources. These small, incremental changes drive a lot of value within organizations and help them not just protect and defend against risk but also understand it and ensure they can take risks—key to any business’s success. 

Double down on communication. 

Brand-new standards explicitly address better communication, such as Standard 11.1 (Building Relationships and Communicating with Stakeholders). These standards include more stringent expectations surrounding communications with an organization’s board and senior leadership, with specific requirements for discussing certain matters. 

It’s critical to tell the business ‘the story’ by showing them how security is making a difference and progressing within the organization. When people better understand the security reasons and what it achieves, they’ll be more open to partnership. Building relationships early on is key to setting a strong tone at the top for communication throughout the organization. Everyone will better understand security priorities and outcomes if leadership supports more transparent, consistent, and frequent communication via email or a quick five minutes at the weekly company standup. 

Collaborate better. 

Better communication opens the door for better collaboration. With a more consultative partnership, silos will dissolve. Deeper cooperation with security can help IA teams better pinpoint areas of vulnerability they must explore further. Not all auditors have experience assessing security controls, and not all security engineers have audit experience. These standards represent a great opportunity to partner, share, or embed cross-team resources into projects where you might have skill or knowledge gaps, while building trust and relationships.

Put together a defined framework. 

If you can better define your organization’s strategy and decision-making framework for cyber defense, you can accelerate the speed of change and improve its management. After establishing your organization’s key risks or threat vectors, develop five controls you think matter the most. Assign proper owners and define what it means to own each control. Then, determine how to measure those controls effectively and show the measurement and progress to your senior leadership team. Organizations that can get aligned, put together frameworks and controls, and drill down on which controls matter the most to them, can accelerate their security maturity. 

Richard Marcus

Richard Marcus, CISA, CRISC, CISM, TPECS, is the CISO at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.
