Given the numerous data breaches and the revelation of the Heartbleed Bug over the course of the last few months, I want to revisit a topic we discussed back in February: information security risk. In today's all-digital world, information security is a risk that threatens firms of all sizes.
To an auditor, "information security" generally refers to the safeguarding of information and information systems against both deliberate and unintentional unauthorised access, disruption, modification, and destruction by external or internal actors. This definition excludes examination of how often a firm's systems are unavailable, and the integrity of the firm's data.
While this has been a critical risk for the world's firms for a long time, several recent trends have made this much more urgent:
• Increasing use of digital data: 64% of employees regularly use personal technologies for work. And 76% of employees now spend more time than they did three years ago accessing and reviewing corporate information.
• Increasing importance of digital data: 79% of senior executives report that new uses of digital information are important to growth. They also say that a 60% increase in operating margins is possible through better use of information.
• Central IT's waning influence: 37% of technology budgets are now controlled outside of the IT department - this is called "shadow" IT or "business led" IT. And separately, 68% of IT executives claim responsibility for technology usage and security but lack the authority to manage these effectively.
• Ceaseless attacks on company systems: 69% of executives believe that their companies can't keep up with the increasing pace and sophistication of attacks on their digital information. Further, 23% of successful attacks can now be attributed to third-party negligence.
Most audit teams spend a lot of their time working on the audit of technical controls. CEB data shows that:
• 69% plan to allocate more time in their 2014 audit plan to information security compared to 2013.
• 64% of audit hours dedicated to information security are allocated to technology centric controls, such as access authorisation, password management, reviews of firewalls etc.
• 90% expect assurance demands relating to information security to rise in the next 12-24 months.
However that same research by CEB shows that the impact of this focus and activity by audit is limited, because:
• 77% of chief auditors report significant issues related to information security in 2013, while 57% report an increase in significant issues compared to 2012.
• 40% of chief auditors report an increase in information security incidents between 2012 and 2013.
While audit cannot ignore the effectiveness of technology controls, they will provide their firms with stronger assurance-and a better service-if they widen their focus to examine a broader concept of information security risk management.
At CEB, we advocate a different approach, and suggest that audit time should focus on 3 additional areas:
1. Ensure proper information security oversight: This should include proper governance standards that evaluate the strength of the second line of defence and clarify risk ownership,
2. Assess the information security mindset: This should cover the concept of "people as a perimeter", including their awareness of information risks and what they do to identify and mitigate those risks (ie action and not just attendance at training), and how aware managers are of information risk when making important decisions.
3. Improve emerging threat sensing and response: This should include reviewing the quality of emerging risk-sensing and the adaptability of security controls to include those new risks.
CEB is working on this topic and will be sharing innovative practices, case studies, guidance and other tactics and techniques in meetings with member organisations throughout 2014.
Ian Beale is a London-based senior director in CEB's Legal, Risk & Compliance practice. CEB, the leading member-based advisory company, equips more than 10,000 organisations around the world with best-practice insights and solutions to transform enterprise performance. Read our "Risk Intelligence Quarterly," which provides the latest insights and peer-led recommendations for managing enterprise risks.