Senior IT audit leaders met to discuss a wide variety of topics, including audit analytics, IT audit’s role in cybersecurity and incident management, and agile/DevOps shops, at the recent IT Audit Leaders Summit in Geneva, Switzerland, as part of EuroCACS/CSX 2019. Participants shared opinions and best practices, and strategized on the path forward with new technologies and business practices.
The Summit kicked off with a session on Audit Analytics in a World of Change. Moderator Dietmar Hinkel noted the benefits of using analytics in audit, including:
In turn, this:
- Creates value
- Increases insights
- Reduces costs
- Mitigates risk
- Enhances efficiency and effectiveness
Regardless if the data came from sampling or from automation, Hinkel noted that at the core, the auditor is looking at data and synthesizing it. And, this synthesis of data is where the auditor really adds value.
Ira Winkler presented a session on “Advanced Persistent Security” with much discussion on what exactly constitutes a “sophisticated attack.” Winkler said that attackers are successful not because they are advanced or sophisticated, but because they are adaptive and persistent.
In preparing to combat the adaptive and persistent attackers, Winkler noted that IT audit has a role to play – specifically, to “stop cyber hygiene failings” and mitigate security failures.
Following up on Winkler’s session, Andrew Neal led a discussion on IT audit’s role in cyberattack investigations. Neal noted that often urgency tends to override risk management in the face of a cyberattack. Neal suggested taking a philosophical approach in incident planning through understanding an enterprise’s risk tolerance, its culture, and what its goals should be at the end of an incident (e.g., internal communications, timing to resolve an incident, etc.). Enterprises can then apply various scenarios within the backdrop of the philosophy to provide more robust and flexible incident plans. When an actual incident happens, the enterprise can take that philosophical approach and pivot to the incident at hand.
Neal also noted that IT audit plays an important role in incident management. Audit can translate the incident in business terms to senior management. Audit’s organizational familiarity, involvement in IT and security, understanding of processes and maturation and its objectivity are particularly germane in performing this role.
Vilius Benetis spoke next on the importance of security operation centers (SOCs) as part of a larger presentation on what IT auditors should know about cybersecurity. He walked through the most successful SOCs; it isn’t the technology, but the creative, energetic teams that monitor and mitigate cyber risk. As cybersecurity is human vs. human, not human vs. machine, building a team that understands core business objectives while also performing cybersecurity strategy is key. “We must convert risk into value,” he said.
Closing out the Summit, Guy Herbert led a discussion on agile, DevOps and continuous integration/continuous development. “Saying no is easier than suggesting a better way,” said Herbert, who believes that utilizing continuous development processes is the future of work.
In lieu of “agile,” Herbert prefers the term “agility” and says that means small, frequent and fast change to gain feedback and make adjustments, allowing for being adaptive and course correction before you have invested time and resources into a failed path. “When work is open, we unleash the full potential of all teams,” he said. Open work means a shared context, direct feedback and access to information.
Internal audit can change to adopt this work model by focusing on outcomes, not output. Security must be part of the design and control objectives.
Editor’s note: For more insights and IT audit industry trends see the 2019 IT Audit Global Benchmarking Study from ISACA and Protiviti.