Chapter 18
Assurance and Cyber Risk Management

Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE

Mark, the chief audit executive (CAE), looks directly at Tom, the CEO: “Are there any intruders inside your organization’s information systems already? How do you know? How does the board obtain reasonable assurance that you as CEO and the executive team are managing cyber risks effectively? Optimal combined assurance to the board and to you as CEO is obtained by coordinated efforts by different organization functional units.”

Cyber Risk Is Ever Present

Cybersecurity is defined by ISACA as protecting information assets by addressing threats (risks) to information processed, stored, and transported by internetworked information systems. Cyber risks are risks that occur due to the interconnectivity of information and communications technology (ICT) systems. For modern organizations, these connections are present within the organization, between it and its suppliers and customers, and with its employees, including on employees’ own devices. In addition, there are operations technology systems in the form of process control systems or industrial control systems. In some cases, these are connected to the organization’s computer network for remote maintenance and monitoring. These industrial control systems are used in producing products and services such as electricity, food, and cars, and are present in hospital equipment, nuclear plants, and aviation controls. The Internet of Things (IoT) provides many benefits to organizations at large as well as to individuals, but requires adequate controls for the risks that come with it.

The key challenge is ensuring digital service availability while maintaining the integrity and confidentiality of your systems. The key characteristic of cyber risks is that they require ongoing and continuous monitoring of the effectiveness of the risk-mitigating controls. Your systems are online and interconnected 24/7. This, combined with increased threats from more organized and highly skilled professional adversaries, makes the effort required to protect your systems extremely demanding. Thus, protection must be a combined effort by different parties of the organization, or different lines of defense, as explained further below.

What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively

Protection starts with understanding the organization’s objectives and strategy: what the organization wants to achieve and what is required to “get you there.” Getting there will most likely require interconnected systems delivering digital services to the different organization functions in support of your goals. For each digital service the organization should assess the vulnerabilities and potential threats (and opportunities) at three levels—the application level, the database level, and the infrastructure/network level.

Which organization goals depend on which digital service? Has this been agreed? With an understanding of what is important and critical to the organization, it is possible to identify which digital services are critical to achieving its objectives. Unfortunately, this link is not clear in many organizations. In a changing environment, establishing and maintaining this link requires systematic, organized effort.

So the full process consists of a set of steps. These can be summarized as follows:

  1. Understand the organization objectives.
  2. Map the digital services to the organization objectives.
  3. Assess cyber risks—these will spotlight the critical digital services and assets.
  4. Treat cyber risks.
  5. Monitor the risks and effectiveness of implemented cyber risk treatments, including controls.
  6. Report by management to CEO and board on the effectiveness of the treatments and cyber breach incidents.
  7. Obtain independent assurance and independent reporting to the board.

Risk Assessment Expected by Internal Audit

Once we know which digital services are important and critical for achieving the organization’s objectives, risk assessment starts by recording the vulnerabilities and potential threats to each of the components behind each digital service. This work must be done properly and must be comprehensive. Focus on what is critical to the organization and score the inherent risk accordingly. Then develop the risk treatments (including mitigating controls) in line with the organization’s risk appetite and tolerance and with the cost/benefit for the organization. A complete implementation of the treatments must aim to reduce the residual risk to an acceptable level. Of course, the cybersecurity domain has its own technical vocabulary in which threats are described in more detail (e.g., threats, threat sources, threat events, threat agents, and attack vectors). This risk assessment is the responsibility of management.

The Case for Combined Assurance Model

The auditor will also look critically at the governance structure set up to manage the cyber risks, and at who is doing what. Given the characteristics of cyber risks, there must be evidence of a set of layered management controls in place to ensure that cyber risk treatments are effective now, now, and now—continuously 24/7. This requires a set of combined efforts by different organization functional units to achieve the level of comfort required to provide assurance to the CEO and the board that these controls are working.

One popular model for achieving reasonable assurance is the Combined Assurance framework. This was developed initially by the European Confederation of Institutes of Internal Auditing (ECIIA) and the Federation of European Risk Management Associations (FERMA) as guidance on the 8th EU Company Law Directive. Figure 18.1 is an adaptation of the combined assurance approach. This approach centers on different functions providing different lines of defense to protect the organization. Figure 18.1 includes three lines of defense, where the first two are the responsibility of the CEO to apply and manage, while the third is independent assurance provided by internal audit.

Figure image: the chart shows the combined assurance approach, including owners, the board, contract partners, customers and suppliers, external and internal audit, regulators, management controls, and assurance activities.

Figure 18.1 Combined assurance approach

The number of lines is not so important as long as the full range of protections is in place, is well managed, and the appropriate level of overall combined assurance is provided. The combined assurance approach and its lines of defense should be understood as a conceptual view for presentation purposes. In reality, the lines are not clear-cut, because there will be organization functional units with responsibilities and activities overlapping the lines. Moreover, different organizations will structure this in different ways. What is critical is an orchestrated effort between the different units (lines of defense) and between the assurance activities around cyber risk treatments, executed systematically (while minimizing duplicated effort) so that they can be input into one combined assurance report to the CEO and the board. The three-lines-of-defense model is intended to clarify who is doing what, while maintaining the cooperation and coordination of the different functions to ensure the processes work effectively (and to avoid silos).

The Role for an Information, Communication, and Technology (ICT) Unit

In terms of “who does what” in the iterative assessment and treatment of cyber risks, the ICT unit is typically best placed to implement technical cyber risk treatments, including controls. The ICT-managerial controls in organization or business operations should ensure that subordinates complete the work as instructed and adhere to policies and procedures. ICT operations will deploy tools to monitor security threats and have a process in place to resolve security incidents. Moreover, they will deploy and maintain escalation mechanisms for severe security incidents.

The Role for a Cybersecurity-Specific Line of Defense

A cyber (and information) security unit would be another line of defense, responsible for conducting the cyber risk assessments. It must operate in close collaboration with the ICT operations unit, the enterprise-wide risk management (ERM) unit, and the organization strategy unit. The organization strategy unit and/or ERM unit would provide the full set of organizational objectives, and ICT would provide the list of digital services and assets that support the organization’s functions. ERM, in collaboration with the cybersecurity team, will capture the outcome of the cyber risk assessments and record them for tracking the risks and the implementation of the treatments. In practice, more detailed and technical tracking of cyber risks may be done by the security unit, while the ERM unit tracks and monitors these risks in more generic terms.

The security team must establish the information security policies in line with the outcome of the cyber risk assessments. The security unit would be responsible for conducting security reviews of cyber risk treatments to obtain assurance that treatments and controls are working. Additional monitoring tools will probably be required to implement this within the ICT environment. This must be done in close collaboration with ICT operations and follow an agreed change management process before being introduced into a production environment.

The ICT operations unit and the cybersecurity unit represent the front line of cyber defense. Ensuring the quality and maturity of the processes to manage cyber threats is the key responsibility of these two units. Assurance is achieved by mature execution in ICT operations, with managerial controls reviewing that execution is in line with requirements. This must also be supported by further reviews by the security unit, ensuring the cyber treatments are working.

Both the ICT operations unit and the cybersecurity unit will report on the effectiveness of the controls, either directly to the CEO or to an executive body, on a periodic basis, and immediately for any severe cybersecurity incident. The security unit should report to a different executive officer than the ICT unit. This is important to ensure that security objectives are not compromised by other priorities in organization or business operations. But this also requires adequate protocols between the security unit and ICT operations on how to cooperate and work together. This working relationship is key to managing cyber risks effectively.

Roles for ERM and Organization Strategy to Work Closely with ICT

The ERM unit is responsible for managing risks together with the risk owners in business operations and across the organization. The ERM team works closely with both the ICT operations unit and the security unit in recording and monitoring cyber risks. The ERM unit will be responsible for coordinating the combined assurance reporting to the CEO and the board (or via an audit or risk committee of the board). Note that the ICT operations unit and the security unit are expected to have a much more detailed register of risks, including all digital assets linked to digital services, to organization objectives, and to risk treatments.

The organization strategy unit (or its equivalent) is responsible for the business strategy, for cascading business objectives down to organization or business operations, and for monitoring performance and reporting back to the CEO. This reporting should capture the risks related to each organization objective, providing an improved basis for executive management to make risk-informed decisions. Note that this reporting is different from the combined assurance reporting, the latter providing assurance to the CEO and the board that treatments of, in this case, cyber risks are well implemented and working effectively.

Roles for Compliance and Quality Assurance

Another layer of assurance will be provided by the compliance unit and the quality assurance unit (or their equivalents). This layer is made up of another set of reviews. These are less frequent and focus on ensuring adherence to both regulatory requirements and internal procedural requirements. The quality assurance unit would typically be involved in any information security audits (such as internal audits against ISO 27001 on information security). The compliance unit captures and monitors all regulatory requirements (as a minimum) and interacts with the business operations to verify compliance and report status.

Both the compliance unit and the quality assurance unit are managerial tools reporting to different executive officers, thus providing independence from the organization operations being reviewed/audited. This avoids conflicts of interest and segregates duties.

The CEO Obtains Combined Assurance

With the application of the combined assurance model, the CEO obtains assurance from the first and second lines of defense. This is effective when the roles of the different lines of defense are clearly defined, the processes are clear, and the organization “silos” are broken down by a mature process matrix working across the different functional units and lines of defense.

How to Deal with Two Differing Assurance Maturity Scenarios

Back to the key question: how do the CEO and the board obtain assurance that the cyber threats are effectively mitigated? Again, the key characteristic of cyber risks is their continuous presence, which requires continuous attention and ongoing responses. The two most common assurance scenarios are presented below.

Scenario 1: Mature Assurance

In Scenario 1, there is a well-established and mature governance structure in place, with well-established processes in line with the combined assurance model described previously. In this scenario, the third line of defense, by way of the internal audit (IA) unit, audits the processes in place and tests whether the controls/treatments are working effectively. IA reports this to the board, normally via an audit committee. The different lines of defense are mature and working well, both individually and in cooperation among the different units. There will typically be less assurance effort required from the third line of defense (internal audit) in such a mature cyber risk–focused organization, where strong first- and second-line defenses are working effectively. The IA unit will conduct its risk assessment, review the existing processes for managing cyber threats and the treatments/controls in place, and conduct “walk-throughs” to validate the design and implementation of the treatments/controls. The more effectively management’s controls are implemented and working, the less is required of IA. In this case, IA will validate the information presented in the combined assurance report prepared by the ERM unit, and add the assurance activities conducted by IA for each of the risks.

Scenario 2: Less Mature Assurance

In Scenario 2, the governance structure and the processes for managing cyber risks are of low maturity, and/or no concept of combined assurance is in place. Less mature organizations will have to take more conservative security approaches until adequate cyber threat–mitigating capabilities are built up. This will require IA to conduct more comprehensive audit reviews. These are likely to carry strong recommendations to significantly reduce the use of internetworked solutions with external parties until better internal capabilities are built up (depending on the organization’s objectives and business needs). This may effectively reduce the organization’s ability to achieve its objectives if more conservative security measures are required. Assurance activities from the third line of defense will be more frequent in this scenario, and a larger effort will be required.

Combined Assurance Reporting by ERM Head

Cyber risk is an enterprise risk. The ERM unit should be the coordinator of the combined assurance reporting to the CEO. It is not the role of internal audit to do this management reporting. An extended or combined assurance report, including the activities of IA as the third line of defense, should be presented to the board (or the audit committee of the board) by the head of ERM. Internal audit audits the organization and provides independent assurance on the reported information, which is then presented to the board.

The combined assurance report should include the following information:

  • The cyber risks from the risk register.
  • The related organization objective (the cascaded ones).
  • The treatments (controls) in place to mitigate the threats.
  • The current/residual risk ratings.
  • Assurance/review activities by first line of defense (i.e., the organization front-line units, such as operations).
  • Assurance/review activities by the second line of defense (i.e., the organization support units, such as ERM).
  • Independent assurance activities by the third line of defense (to be provided by the internal audit unit).

Table 18.1 presents an illustrative sample of such a combined assurance report.

Table 18.1 Combined Assurance Report Illustrative Sample


Conclusion

The cyber risk management statement on the following page represents the organization capabilities that the CEO and the board expect to be demonstrated in terms of cyber risk assurance.

About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert.

Stig J. Sunde, CISA, CIA, CGAP, CRISC, IRM Cert., has over 20 years’ experience in governance, risk management, and compliance, with a strong focus on information security and IT governance. Following years of experience with PwC, KPMG, the Office of the Auditor General of Norway, and the European Court of Auditors (the EU audit body), Stig J. Sunde now works as senior internal auditor (ICT) with Emirates Nuclear Energy Corporation on one of the largest nuclear energy programs, where four nuclear plants are soon to deliver power. Stig is also trained in the information security of Industrial Control Systems by U.S. Homeland Security (Idaho ICS program for the utilities sector). Stig J. Sunde is a former board director of ISACA Norway and a former member of The IIA’s Advanced Technology Committee, responsible for the GTAG series. Stig can be reached on LinkedIn at http://ae.linkedin.com/in/sjsunde.
