As the level of inter-connectivity within organisations increases, it is essential that Boards pay attention to security. Cyber Security is complex and rapidly evolving, and it has become a topic that Boards and executives can no longer ignore.
Top-level buy-in across the Board is essential if a Cyber Security strategy is to succeed. Without ownership at the top, security policies and procedures lack authority and will be ignored.
So what does the best defence against a Cyber Security breach look like? Security policies and processes, a security-aware culture, information governance structures and a supporting IT system. Technology is only one part of this: organisations have revealed that only 20-30% of their security budget is spent on securing their networks.
So how do you know what you are missing? The best way to establish both the strengths and the weaknesses of the organisation is to undergo a Cyber Security audit and implement its recommendations. The objective of a Cyber Security audit is to give the organisation a holistic view of its information security, including vulnerabilities linked to governance, culture and people. It provides an auditable, repeatable way to understand the "health" of the organisation and how information is handled within it.
There is an ongoing debate in the industry about the relative value and rigour of internal versus external audits. Ultimately an organisation wants to improve its defences continuously; however, can an organisation mark its own homework? External auditors provide an unbiased, independent opinion, together with specialist expertise on Cyber Security issues.
Setting up an internal audit capability is a critical first step towards overseeing the efficacy of the organisation's risk management controls, and Cyber Security audits should be included as part of a planned programme of audits. Typically the audit committee has the remit to oversee risk management activities: monitoring management policies and procedures, co-ordinating cyber risk initiatives and policies, and confirming that they are effective.
To provide assurance to the Board that the organisation has robust processes and risk management practices in place, a balanced programme of work is needed that includes both internal and external Cyber Security audits.