MASSK GROUP
18/2/2020

Auditors Have a Role in Cyberresilience

Today's corporate and business environment depends more and more on technology, and it requires auditors to be more emotionally intelligent and to understand cyberrisk and key technical security skills, rather than only being skilled in the auditing process. Implementing a successful IT control environment and cyberresilience in an organization is no longer the responsibility of the IT department alone; the BoD and the organization's entire staff share responsibility for its survival. Here the auditor's role is, to some extent, more focused on defense-in-depth strategies and on working toward cyberresilience through a continuous and progressive process of tasks. To achieve cyberresilience, auditors are the main players in changing the attitude and working culture of the organization.
I believe that the following critical layers should be considered during an audit engagement to get an optimum security audit result, and the auditor must have in-depth, hands-on experience of each layer. These layers and their functional mapping in terms of required audit expertise, focus area, activity, policy, strategy, tools/resources, audit approach and educational readiness should be well established.
1. Govern and manage - Giving assurance on ongoing oversight of cybersecurity. This stage is the first and most critical level, and it also encircles the remaining three layers by creating the best environment to comply, educate and manage risk. Reviewing the information security program, strategy and plan development, implementation and maintenance is also a focus area.
2. Prevent - Examine proactive operation. We start by evaluating the risk identification technique and then check how security experts perform in applying the required and best methods to shield, defend and protect the identified vulnerabilities before exploitation or before cybercrime happens.
3. Detect - Review ongoing operation monitoring. We have also guided organizations toward improving the monitoring and hunting practices they carry out. Evaluate how the organization detects, analyses and eliminates malicious code, and how it performs system monitoring.
4. Recover - Consult on quick return to operation. We should evaluate how rapidly organizations develop an improvement plan to sustain themselves in case of disaster and respond as fast as possible without creating other interrelated harm.
I believe that the functional mapping of the above four layers can help you and your organization not only to properly assess cybersecurity practice, but also to establish a strategy to implement and improve the processes and practices that are carried out. This will benefit your work as security professionals and auditors, making the entire audit and control process simpler and more complete, and it will help organizations achieve better results in cyberresilience.
For further reading, the Journal online-exclusive article has been posted on the ISACA website.

1 Comment
Abdu
9/3/2020 08:55:54 am

Nice Article Keep Going.

​© Copyright 2020 MASSK Groups All Right Reserved