Estimated Reading Time: 7 Minutes
Welcome to part 5 of our content series on Managing Technology Risk and Governance. In this chapter, we will investigate how to prepare for a Cyber Security audit and prepare comprehensive reports for the board. These are recommendations based on our audit and board reporting experience over 15 years. Being ready for it is key to saving time and effort.
If you are only picking this up now, we have already discussed a lot of crucial steps to get here. In the previous stages, we have addressed:
Some of the content is available on our website and the rest you can obtain via email by Subscribing to our Content Series or talking to us. We’ll be happy to assist and provide more information and guidance on this significant topic.
A cybersecurity audit is a vital process for identifying fundamental weaknesses in your company’s cybersecurity architecture. These assessments help you verify what lives inside your network, what needs to be protected, and how to improve protection. Auditors are looking for proof that you are doing the right thing and improving. It is not a name and shame process; audits exist to help you grow.
However, as relevant as cybersecurity audits are, many companies are not very well prepared for them. So, how can you prepare for a cyber security audit so that it can be completed quickly and efficiently? Here is a short list of the main tips to help you get ready:
While part of the goal of any audit is to identify potentially unknown assets on your business network, giving your auditor a network diagram can help them save time and get a head start on their assessment. A network diagram outlines the overall structure of your network: what assets are present and how they are connected to one another. Many tools exist today that can provide a real-time view of your network assets, which makes gathering this data simpler than hand-drawing diagrams that are out of date as soon as you finish them.
At some point, the auditor will need to speak to subject matter experts within your organisation to get a complete picture of your cybersecurity policies and architecture. So, before the audit begins, ask the auditor which of your key stakeholders they will need to talk to during their inspection and what tools or access they may need, and set aside time for those stakeholders to attend the meetings.
While your auditor will likely conduct interviews of your staff to get a feel for their grasp of security, it can be helpful for them to have access to your cybersecurity policies during their audit. Here, taking all of the documentation regarding your business’ cybersecurity policies and procedures and organising them into a single book can be massively helpful.
Spector provides a book of 20+ cyber security policies as well as other key business documents that we build into a single policy book. We also include evidence in these documents – which will likely be asked for. Some examples include:
This policy book helps the auditor understand your organisation’s overall cybersecurity awareness as well as spot potential gaps in your security policies and procedures that need to be addressed.
Most organisations have one or more compliance or regulatory standards that they strive to meet, such as PCI DSS, GDPR etc. In 2016 the Central Bank of Ireland released the “Cross-Industry Guidance in respect of Information Security and Cybersecurity Risk”. It is a fantastic resource – albeit a little dated – on recommendations of what may be expected at audit time.
By educating yourself about your compliance requirements, you can put yourself in a position to work more collaboratively with your cybersecurity audit & compliance team as well as verify that the suggestions they make are realistic and positive.
One of the most vexing problems companies face is determining the scope of an audit and how to prepare for the review. Without a scope, delays are inevitable, because there are always unforeseen events that can disrupt outcomes, your time and your costs. An experienced auditor should be able to anticipate these events to some extent and inform you of their requirements in advance.
When discussing project scope for an audit, be sure to ask questions about why the auditor needs certain resources, or if there are any resources they require that you haven’t provided yet. Get details about why specific assessment steps are necessary and what they entail. Be confident!
When the auditor begins making their assessment of your organisation’s cybersecurity infrastructure, be sure to ask them to bring any significant issues to your attention as soon as possible. No-one needs surprises at the conclusion of the audit. This also gives you a chance to start remediating these issues as soon as you can.
Also, be sure to take any alerts from the auditor seriously and ask for suggestions about how you can fix these issues. Many experienced auditors are familiar with numerous cybersecurity tools and quick fixes for common problems that you can implement very quickly. However, they may want to complete their full audit before making some recommendations so they can suggest the most comprehensive solution possible.
Concerning the board, our advice is to keep it simple. There are often over 20 items to be discussed at a board meeting. You have a short time window in which to get your point across – and possibly ask for investment.
Educating the board about the relevance and role of the tech infrastructure of your business is a good place to start. We recommend reading the document mentioned above, the Central Bank Guidelines in respect of IT and Cybersecurity Risks. The report is easy to read and highlights the main requirements and risks of a regulated firm.
After introducing them to the topic effectively, your job will be much more straightforward. The following insights will also be valuable in transmitting your message in the best way possible.
What metrics do we have that indicate risk to the organisation? Boards need to know that the organisation’s critical assets are being protected.
Organisations need to understand their current and future cyber security needs before they decide what investments will drive down risk. Useful questions include:
Board-level metrics should highlight changes, trends and patterns over time, show relative performance, and indicate impact. External cybersecurity specialists may be able to provide useful comparisons within industry sectors.
This metric will inform conversations about trends, patterns and root causes. Remember to reinforce the fact that incidents are bound to happen – it’s not a matter of “if”, but “when”. How effectively the organisation reacts to these incidents is the primary point of discussion.
Supply chain relationships typically pose increased risk for organisations given the degree of system interconnectivity and data-sharing that is now part of everyday business operations. Useful questions include:
People are often the biggest cybersecurity threat for many organisations. Data about policy compliance and the implementation and completion of training programmes will help inform conversations about insider risks.
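The metrics described above (incident trends over time, time to detect and respond, the share of incidents involving third parties, and training completion) are easier to defend in front of a board when they are produced the same way every quarter from the incident register. The script below is an added example, not part of the original post or of Spector's material: it aggregates a small constructed incident register into a per-quarter board summary and computes a quarter-on-quarter trend. The record layout, the quarter boundaries and the training figures are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%dT%H:%M"

# Constructed sample incident register (assumed layout, not real data):
# (occurred, detected, resolved, category, involved_third_party)
INCIDENTS = [
    ("2023-01-10T09:00", "2023-01-10T21:00", "2023-01-12T09:00", "phishing", False),
    ("2023-02-03T14:00", "2023-02-06T14:00", "2023-02-08T14:00", "vendor_breach", True),
    ("2023-03-15T08:00", "2023-03-15T10:00", "2023-03-15T18:00", "malware", False),
    ("2023-04-20T10:00", "2023-04-20T16:00", "2023-04-21T11:00", "phishing", False),
    ("2023-05-02T09:00", "2023-05-02T12:00", "2023-05-03T09:00", "phishing", False),
    ("2023-06-11T07:00", "2023-06-11T09:00", "2023-06-11T13:00", "vendor_breach", True),
    ("2023-06-25T11:00", "2023-06-25T12:00", "2023-06-25T16:00", "lost_device", False),
]

# Constructed training completion figures for the reporting period (assumed).
TRAINING = {"assigned": 120, "completed": 102}


def hours_between(start, end):
    """Elapsed hours between two timestamps in FMT."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600


def quarter_of(ts):
    """Calendar quarter label, e.g. '2023-Q1', for a timestamp in FMT."""
    d = datetime.strptime(ts, FMT)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def quarterly_summary(incidents=INCIDENTS):
    """Board-level view per quarter: volume, mean time to detect/resolve,
    share of incidents involving a third party, and the most common category."""
    by_quarter = defaultdict(list)
    for inc in incidents:
        by_quarter[quarter_of(inc[0])].append(inc)
    summary = {}
    for q in sorted(by_quarter):
        rows = by_quarter[q]
        summary[q] = {
            "incidents": len(rows),
            # MTTD: occurred -> detected; MTTR: detected -> resolved
            "mttd_hours": round(mean(hours_between(r[0], r[1]) for r in rows), 1),
            "mttr_hours": round(mean(hours_between(r[1], r[2]) for r in rows), 1),
            "third_party_share": round(sum(1 for r in rows if r[4]) / len(rows), 2),
            "top_category": Counter(r[3] for r in rows).most_common(1)[0][0],
        }
    return summary


def trend(summary, metric):
    """Signed percentage change of `metric` between the two most recent quarters,
    or None when there is not enough history (or the previous value is zero)."""
    quarters = sorted(summary)
    if len(quarters) < 2:
        return None
    prev, cur = summary[quarters[-2]][metric], summary[quarters[-1]][metric]
    return round((cur - prev) / prev * 100, 1) if prev else None


def training_completion_rate(training=TRAINING):
    """Percentage of staff who completed assigned security training."""
    return round(training["completed"] / training["assigned"] * 100, 1)


if __name__ == "__main__":
    summary = quarterly_summary()
    for q, m in summary.items():
        print(q, m)
    print("incident volume trend (%):", trend(summary, "incidents"))
    print("MTTD trend (%):", trend(summary, "mttd_hours"))
    print("training completion (%):", training_completion_rate())
```

Presented this way, a rising incident count beside a falling MTTD tells the board that detection is improving rather than that the organisation is getting worse, which is the "trends, not snapshots" point made above.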
Throughout this content series, we have provided you with the tools and knowledge you will need to perform much better in this stage. This knowledge is based on years of experience operating in many regulated industries and having internal lead-auditing capabilities. It is the material we wish we had when we were starting.
The pieces of content you have will aid you in assessing your vulnerabilities, understanding your risks, prioritising and acting on them. The material can give your business a significant edge in this aspect, and you should use it as a competitive advantage.
If your objective is to get audit-ready and increase your organisational maturity, you should be in a much better place by now. However, to have your business ready for the future and secured against evolving risks, you still need a system that evolves with them.
Our next step in this series will talk about how we have developed our system and how you can leverage this knowledge to take your business to the next level. To receive the last part, subscribe to our series. Stay tuned, and talk to us if you have any questions.