Internal Audit – Shifting the Cyber Security Focus

By Ken Urish, February 19, 2016 – According to the 2016 North American Pulse of Internal Audit report published by the Institute of Internal Auditors (IIA) Audit Executive Center, internal audit leadership lacks confidence in its staff’s cyber security capabilities. 52% of respondents felt that lack of cyber security expertise had a detrimental effect on the ability of auditors to address cyber security risk. The survey results indicate that internal audit departments are playing catch-up in their approach to cyber security, even as damaging and impactful cyber-attacks continue to rise.

The survey findings highlight the need for corporate cyber security training and for a cultural shift from focusing on prevention to developing cyber resiliency. 53% of respondents reported their belief that prevention is the most effective method to address a cyber-attack. As IIA President and CEO Richard Chambers noted, “the IIA has been promoting cyber resiliency – the concept of addressing the full spectrum of prevention, detection, reaction and restoration – for some time, so these findings are particularly alarming.”

Mr. Chambers’ comments are spot on. As the number of hackers and the volume of malware grow daily, “not if, but when” is the appropriate mentality. Internal audit (IA) departments need to add incident response and remediation strategies to their security plans, and to avail themselves of the excellent cyber security education resources available today. A well-trained staff is a key component of a resilient organization.