Another area where ISA provides thought leadership leading to practical changes is cyber audits and assessments.
Most organizations are more concerned by the auditor than the cyber attacker. The term “audit” has a long and generally well-understood meaning. Audits were created to asses regulatory compliance within a comparatively stable environment, whereas cybersecurity is dynamic and forward-looking. Using the standards-based audit process in a cybersecurity context forces companies to divert precious resources into documenting their status and responding to information requests.
The financial sector has been hit particularly hard by application by multiple regulators of the audit model to cybersecurity:
- Some firms’ chief information security officers report spending almost 40 percent of their time just on compliance measures and audits.
- Some firms now spend 30 percent of their cybersecurity budgets on compliance.
- More than sixty various security standards/frameworks exist, just for financial institutions.
We’re doing something about it. The ISA board became the first entity to be used by the American Institute of CPAs (AICPA) as a “focus group” for the reformed models the audit community is working on to improve the cyber assessment process. You can read the comments we later submitted here (pdf).
ISA is working with the audit community and bringing in other interests, including the US Chamber of Commerce, to define a process more in tune with the forward-looking risk management process needed to address cyber threats and distinguish the process from the more backward looking financial audit model.
Simply altering the assessment and compliance process by moving it away from the “pass-fail” audit model to a more useful maturity model would create immediate improvements.
Whereas an organization may be able to determine that it’s in-or-out of compliance with regulations, there is no clear demarcation between being secure and insecure.
A maturity model avoids binary answers of yes/no and, rather, determines how well a particular security process is working. For example, audits ask whether a vulnerability management (e.g., patching process) is in place or not. They don’t (and can’t) measure how well the process is working.
A properly designed cyber assessment would use a forward-looking risk management model. For example, determining the relative adequacy of an organization’s cybersecurity cannot be assessed simply by cross-checking compliance with a pre-determined framework or set of standards. Indeed, over reliance on such backward looking methods can generate a false sense of security and detract scarce resources from more critical cybersecurity steps. Cyber defense is a much more affirmative and dynamic process than financial auditing, including anticipating potential threats and attackers, what sorts of data they may seek, and how their methods may change in light of various defenses.