One of the commenters on my last post on audits of cybersecurity said that providing assurance on such a technical area is beyond the ability of internal auditors.
He has a point!
- First, I don’t have a lot of confidence that InfoSec practitioners have the right cybersecurity in place for their organizations as few seem to be focused on enterprise business risk. They are following guidance from NIST, ISO, and others that treat information security in a silo.
Business executives and boards appear reluctant to give InfoSec practitioners all the support and resources they desire, and in my opinion it is because the case has not been made that the funds and attention are needed on business grounds. The only case being made is in technobabble, based on a list of high-risk information assets instead of the result of an analysis of how the business might be adversely affected.
If those in charge, with all the training and experience in the world, are having trouble implementing and maintaining systems and processes they and top management believe are fully effective, then why should we expect internal auditors to know whether information security is adequate?
- Then, there aren’t enough internal auditors who both have a deep understanding of the business (essential for everyone) and have more than a basic…
