In boardrooms all over the world, cybersecurity is viewed mostly as a financial sector issue. While financial institutions are indeed high-value targets, this narrow view overlooks the broader reality that every sector, from healthcare and education to manufacturing and beyond, is increasingly vulnerable to cyberthreats. In recent years, ransomware attacks have targeted hospitals, disrupted manufacturing, exposed sensitive academic records, and hindered government services. For example, in September 2025, Jaguar Land Rover (JLR) and Stellantis were both targeted by cyberattacks that disrupted operations and exposed vulnerabilities in the automotive supply chain.1 That same month, in the state of Pennsylvania in the United States, the Office of the Pennsylvania Attorney General suffered a ransomware attack that caused a 2-week outage affecting the office’s website, email, and phone systems.2 In the United Kingdom, a cyberincident halted online sales for 46 days in 2025 at the retailer Marks & Spencer (M&S). M&S estimates the cyberattack will have reduced profits for 2025 by around £300 million.3 These are just a few examples, but they are becoming more common, highlighting the increasing occurrence of cyberthreats across sectors.
Cyberthreats do not discriminate by sector; they adapt to create the biggest impact. Likewise, auditors must also adapt. This requires departing from the same audit programs, methods, and techniques used time and time again. Auditors work at the crossroads of governance, risk, and strategy. They often interact with senior management and board members during key strategic discussions, granting them access to decision makers who ultimately shape risk perspectives and drive organizational culture. The value of this interaction cannot be overstated: audit evaluations provide valuable insights that influence future decisions and, depending on how the auditors' report is leveraged, could shape budgets, guide discussions in the boardroom, and connect the dots between what could be seen as purely technology issues (which is how cyber is still viewed in certain enterprises) and overall enterprise risk, with serious financial, reputational, and regulatory implications.
For this reason, the role of auditors must evolve from mere risk reporters to strategic advisors who can, through their unique perspective, explain technical risk to business leaders and position cyberrisk as an enterprise issue worth discussing. By stepping into the role of strategic advisors, auditors can help executives see how cyberrisk directly affects revenue, customer trust, and regulatory compliance—turning abstract technical issues into clear business impacts that guide investment priorities, strengthen resilience, and prevent costly disruptions. There are five key ways auditors can shape the cybersecurity perspective of senior leaders in organizations across sectors.
Reframe Cyberrisk as Enterprise Risk
A recent report from the Health Insurance Portability and Accountability Act (HIPAA) Journal reveals that in April 2024 alone, over 15.3 million healthcare records were compromised.4 This is nearly triple the figure from April 2023. Enterprises in the nonfinancial sector need a perspective change, and auditors are uniquely positioned to drive this change.
Auditors can help leadership view cybersecurity not as an IT issue but as a strategic risk that affects operations, reputation, and continuity. Rather than asking siloed questions such as "What vulnerabilities does the organization have?", which sounds like a technology issue, auditors can reframe the question to center on the health of the enterprise: What happens if the supply chain is disrupted by ransomware? How many days of downtime will the organization suffer? What is the financial implication to the enterprise? What will be the impact on delivery time to customers and on service agreement commitments? Questions such as these are just one way to position cybersecurity as an enterprise risk, not a siloed technology issue. Asking meaningful questions that drive to the heart of risk decisions helps management gain a deeper understanding of the implications these issues have for enterprise security.
Integrate Cyberquestions Into Routine Audits
Malicious actors do not primarily target industries; they target vulnerabilities. This attack method involves targeting low-hanging fruit, such as unpatched software, weak or reused passwords, and misconfigured cloud services. Sometimes, the motivation for the attack is not only financial theft but also organizational disruption. The 2021 Colonial Pipeline attack that halted fuel distribution in the Southeast United States is an example of this kind of organizational disruption.5
Questions regarding data handling, identity management, access controls, and incident response are very important for any type of audit where systems are leveraged for enterprise outcomes. The answers to these questions can uncover hidden vulnerabilities in digital processes, prevent fraud and disruption, and ensure trust and resilience in core business operations. The era of conducting separate audits for enterprise processes and technology is fading away. These lines are blurring because enterprises routinely leverage technology to meet business outcomes. Because of this, audits, such as third-party, order-to-cash, procure-to-pay, supply chain, and payroll, should have cyberquestions embedded in audit walkthroughs. There are several questions auditors must integrate into routine audits:
- How is sensitive enterprise data (e.g., customer, supplier, payroll) classified and protected across systems and third-party platforms?
- What access management controls are in place to prevent unauthorized access to systems supporting this process?
- How are third-party vendors assessed for cybersecurity posture before onboarding, how is that cyberposture monitored, and by whom?
These questions help ensure that data handling aligns with confidentiality and integrity requirements, and they give auditors a roadmap to verify whether sensitive data and vendor relationships are effectively safeguarded. They also help reduce supply chain risk and validate role-based access, segregation of duties, and resilience against insider threats or credential misuse. Ultimately, they enable auditors to recommend remediation steps that close identified issues before they are exploited by malicious actors or result in regulatory breaches.
Push for Cybermetrics in Board Reporting
Boards usually receive clear financial reports, operational metrics, and audit summaries; however, this reporting often lacks straightforward cybersecurity metrics. Auditors can bridge this gap by promoting easy-to-understand indicators, including:
- The enterprise’s ability to resist phishing attacks
- The frequency of system updates
- The risk associated with third-party vendors
Auditors can make these cybersecurity indicators far more impactful by presenting them in a simple, enterprise-focused dashboard that mirrors the clarity of financial reporting. Use traffic light status indicators and trend visuals so board members can instantly see where risk is rising or falling. Keep the language nontechnical and tie each indicator directly to business outcomes.
Using this information, boards can track whether the organization is sufficiently prepared for an attack, not just where risk exists. An example of this approach can be seen in the post-incident review of the 2017 Equifax data breach, which revealed that the breach occurred due to a critical vulnerability in the Apache Struts web framework. The review further found that the board had never been shown data regarding system vulnerabilities, nor were they presented with results from phishing tests conducted before the incident.6 If an organization’s board understands the link between cybersecurity vulnerabilities and business operations, reputation, and regulatory sanctions, it will demand greater accountability and ensure that management addresses these security vulnerabilities.
Drive Cross-Functional Collaboration
Beyond metrics, auditors possess the ability to break down silos that sometimes impede cyberresilience. An auditor’s broad perspective across departments allows them to cultivate collaboration among legal, human resources (HR), privacy, and compliance teams, particularly regarding issues related to third-party risk that require multiple functions to work together. Auditors can, for example, bring legal, HR, privacy, and compliance teams together to create a single, shared view of third-party risk so all teams are working from the same assumptions. Creating a shared view of risk across the organization allows teams from different areas to collaborate and align their controls.
Encourage Scenario-Based Risk Discussions
Real-world scenarios are valuable to organizations because they prepare employees for potential attacks. Similarly, auditors can improve auditing methodologies by simulating real-world scenarios. Auditors can strengthen their methodologies by incorporating scenario testing, such as simulated phishing attempts or mock incident response exercises, to evaluate how well controls and teams perform under real pressure. This shift from checklist reviews to practical simulations gives the organization earlier visibility into weaknesses, improves coordination across functions, and ultimately boosts overall cyberresilience. Audits focusing on ransomware readiness, third-party compromises, cloud resilience, and independent penetration testing should be encouraged. Additionally, reports on these audits should reference recent breaches in nonfinancial sectors to make the associated risk relatable to the functions of the enterprise. Auditors can also translate the findings from these scenarios into measurable resilience benchmarks, demonstrating progress against industry standards, such as ISO/IEC 27001 and those of the National Institute of Standards and Technology (NIST),7 as well as against peer organizations. Evidence-based reporting encourages leadership to view security as a continuous journey rather than a one-time audit exercise.
Conclusion
The future belongs to organizations that regard cyberrisk as an enterprise risk and build resilience with this perspective. Auditors can lead this transformation one insightful report and one strategic conversation at a time. This approach not only transforms audits into strategic enablers of resilience but also equips organizations with the foresight to anticipate threats and the agility to respond effectively. The result is not just reduced exposure but a competitive edge in demonstrating responsible governance and digital trust.
Endnotes
1 Cyber Management Alliance, Biggest Cyber Attacks, Ransomware Attacks and Data Breaches, 1 October 2025
2 Security Work Network, Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage, 3 September 2025
3 Edwards, C.; M&S Click and Collect Returns 15 Weeks After Cyber Attack, BBC, 11 August 2025
4 Alder, S.; April 2024 Healthcare Data Breach Report, HIPAA Journal, 20 May 2024
5 Homeland Security Digital Library, Timeline—2021 Colonial Pipeline Ransomware Attack
6 U.S. House of Representatives Committee on Oversight and Government Reform, The Equifax Data Breach, 115th Congress, December 2018
7 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Joint Technical Committee on Information Technology (ISO/IEC JTC 1), ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements, Edition 3, 2022
Fene Osakwe, Ph.D., CISA, CISM, CRISC, CCISO
Is a multi-award-winning global cybersecurity and digital assurance professional, international conference speaker, Amazon best-selling author, and Forbes-published thought leader. He has more than a decade of experience working on the first, second, and third lines of defense. He has worked for multibillion-dollar enterprises and consulted for financial institutions, telecom and fintech organizations, state governments, and universities. Osakwe has created security functions for several organizations from the ground up. In a previous role at the largest telecom infrastructure company in Africa and the Middle East, he established security and governance, risk, and compliance (GRC) functions. He was recognized as the Cybersecurity Personality of the Year 2025 in the United Kingdom and was named one of the 100 inspiring global personalities of 2022 by Hoinser Magazine. He received the Cybersecurity Excellence award (Middle East and Africa) from Ibento Global in 2022 and was named the Cyber Educator of the Year in the United Kingdom in 2023. Osakwe is an advisory board member on the EC-Council Global Penetration Testing Board and mentors cybersecurity students at the University of Aberdeen (Aberdeen, United Kingdom).