Heads of Internal Audit Virtual Forum

3 March 2021

Please note:

• All Institute responses are boxed and highlighted blue.
• Where the chair comments in that capacity, this box is highlighted in yellow.
• Comments from the President/CEO of IIA Global are highlighted in heather.
• For confidentiality, the identities of all delegates/attendees are anonymised.

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: John Wood - CEO, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA
Institute: Gavin Hayes - Head of Policy and External Affairs, Chartered IIA
Speaker: Magdalena Skorupa - Cyber Risk, Assurance & Compliance Director, Reckitt Benckiser

Key takeaways

The Institute’s research highlights three actions for internal audit, as shared by Gavin Hayes:

1. Internal audit is best placed within the organisation to assess and ensure that cyber security risk is widely understood by all employees, which would mitigate the likelihood of policies and procedures being circumvented during times of increased stress and competing priorities.
2. Internal audit must have a thorough understanding of what influences cyber security culture and be able to share this with the management and the board in order to influence the organisation’s cyber resilience.
3. Internal audit has a role to play in promoting cyber security awareness across the organisation and providing assurance that a robust cyber security awareness culture has been established and is operating effectively.

Cyber risk has been the top risk in our annual Risk in Focus report for the last three years. We encourage you to report the report for the key highlights and to understand why these actions are more important than ever in 2021.

A view from Magdelana Skorupa - Cyber Risk, Assurance & Compliance Director at Reckitt Benckiser

• The results of the research are spot on.The report shows the gaps in cyber culture, employee awareness and the role of internal audit.

• There needs to be a close two-way relationship between the CAE and the CISO.

• Introducing a cyber culture is a long process. It builds over time and measures need to be in place to monitor success.

• Internal audit has an important role in providing assurance throughout the journey.

• Human factors are always the weakest link in any organisation's cyber defence.

• Cyber risk is owned by all employees at all levels. It is not simply an IT risk.

• Psychologically, we know that if employees are good at managing cyber risk in their personal life then it is likely that this will be mirrored in their attitude in the workplace. Organisations reap the benefits of personal awareness and training. 

• Training needs to be innovative and creative. Repetitive webinars and tests tick a box, but people get bored. Gamification works well along with competitions, etc.

• Cyber awareness is critical with so many employees working remotely; phishing is a key risk. 

• Cyber culture needs to be embedded in an organisation’s DNA not a bolted on.

Future meetings

14 April | ESG - including climate change

12 May | Board governance and the role of internal audit

09 June | Inspiring leadership

Poll results

Q1 Have you read the IIA’s new cyber research report yet?

      Yes 25% | No 75% 

Q2 How do you rate your organisation's cyber culture?

      Strong 31% | Adequate 42% | Requires enhancement 23% | Weak 2% | Unsure 2%

Q3 Have you undertaken work in the area of cyber security in the last 6 months?

      Yes 65% | No 35%

Q4 Has your organisation experienced a cyber incident in the last 12 months that has interrupted service and/or caused loss?

      Yes 17% | No 83%

Chat box comments and Q&A

Q   How do our organisations stay ahead of the bad guys?
A   Be prepared, do not wait for a cyber event or crisis to put the resources in. The aim of the cyber team is to spot a weakness early or be able to mitigate the damage. There is no easy answer. It is a game of cat and mouse. Cloud security (and internal audit assurance) is important. And think about new technology, such as automated bots, our own technology and advances also increases the risk.

• Comment I meet with my CISO bi-weekly and get updates on a weekly basis. We look at monitoring data and actions, training and awareness impact, discuss risks and controls and stay connected. Having a good working relationship means I know what is happening when the audit committee ask questions.
• Comment It is likely that some cyber-criminals will always be one step ahead - so having robust disaster recovery/business continuity processes in place are just as important. Human error will always play a part - someone will click on a link at some point.
• Comment I think one good indicator of how cyber mature an organisation is in practice, is the extent to which their policies and environment need to change with the increase in remote working.

Q   Do we recruit auditors who understand cyber risk, or should we be recruiting cyber experts who understand internal audit?
A   Internal auditors are analytical, logical and curious. It is about asking questions, if you do not understand it chances are the cyber team do not either. There are some basics to understand but definitely not a specialism. Cyber teams benefit from diverse thinking and perspectives.

• Comment Cyber specialists co-sourced bring credibility and can transfer knowledge to in-house team.

Q   Does anyone else here have a leadership team who do not seem to learn unless there is a crisis? How do you keep people engaged without overloading, rather than only learn from crises? 
A   You need to keep momentum going, a solid programme, not just another x, y, z - people get bored. We need to be careful that cyber does not become a checkbox exercise. We need to be innovative and creative.

Questions answered after the event

Q What would you say the symptoms are of an organisation where cyber security culture is not strong (adequate but not strong)? 
A Good question. First of all, the number of security tools you are using is not necessarily telling you if you are having strong cyber culture or not. Tools are one and important but not all. You need to have strong cyber controls in place (cyber governance), but then the key question is: how do you involve people in all of that? How do we measure whether our cyber awareness activities are working? You can run phishing simulations, use quizzes and reward systems, and then measure the state of cyber awareness before and after. What works well is having an ambassador programme for example, as it involves the entire company and you sort of ‘evangelise’ your employees by using other resources than just cyber people. You can also measure how many times people report potential phishing attacks. It's important that you report a phishmbecause it means that they are careful and do not click on everything. You have to observe and measure people's behaviours. This is a giant topic and, honestly, it might be a few hours training. What you need to remember is to measure all your activities and results to spot a trend and see if you are enforcing cyber culture. The important mark here is that this never ends. This has to be ongoing effort as, in the end, changing culture takes years not months. And whole company must be involved – bottom up and top down – with lots of support from leadership including the board. Internal audit has an important role to play here too as we discussed today. Last thing, remember to onboard well your new employees and ensure you have right people on board.

Q Would you say it’s important to define 'cyber security'? I've had conversations where non-IT personnel seem to be discussing disaster recovery or resilience as cyber.
A Yes absolutely. For me it is a must have to be called successful and to cover all important stakeholders. In my organisation, we have a cyber resilience person in place who is engaged in disaster recovery testing.

Q Do you need to have a degree in IT in order to effectively provide assurance on cyber security risks?
A No, you do not need a degree to start your journey with cyber. Frankly, the only thing you need is brains and some internal drive. I am the best example of this as after over 10 years of my career in internal audit I made a drastic shift to IT and then cyber. You do not need to have a degree, but of course you will have to take some courses (SANS courses are the best in my opinion. I've taken many.). I am continuing my professional journey by taking a number of cyber certifications. It helps a lot to understand a bigger picture and see how cyber and then IT make an impact on the business and how to support it to its best.

Q Would you resource a cyber audit using in-house generalists supported by SME or fully outsource? And what would the benefits be of using security specialists to carry out a review versus general professional services practice?
A Personally, I would do with internal resources first because you need to know and understand the company; but, external consulting/assessment of function or process is always beneficial as well and we use it a lot.

Q What is the end game/objectives of those committing the cyber-attacks - disruption, financial gain, data theft?
A It depends. It might be purely financial - and very often is - but can also be reputational and cover business disruption, ideology, state attacks paid by state actors (foreign governments). Also data is a new money, this is how I call it; data is something you can trade and data is very precious. Eventually it goes down to reputation or financial gains.

Q What do we think about cyber exposure through the back door ie suppliers. And how much work should we be assessing third party cyber exposure? And again?
A Excellent question. This has to be watched very carefully. In my organisation we do run a lot of 3^rd party vendor security assessments, comprising extensive c200 questions, followed by the call and then repeated on an agreed basis. It is super important especially for tier 1/priority 1 vendors – not just IT or cyber but all. Personally, I work super close with global group procurement. Apart from the questionnaires we also use some additional tools; internal and external to scan security posture of the vendor and making use of publicly available data.

Q When did you first hear the term cyber used (outside of Dr Who)? I first started hearing about cyber in c2008 and have been interested to see it become so prevalent.
A In my case probably around 2006/2008 when I started working for a big American company where the cyber department was very well established. Until then cyber was there of course but mixed with IT.

Comment Add danger-to-life to objectives (motivations) of attacks such as the recent cyberattack on the Florida Water Company to contaminate supply.
Reply Correct - this is why you cannot forget about importance of operational threats, technological security as well as product security. These are the weakest links nowadays.

Comment It is likely that some cyber-criminals will always be one step ahead - so having robust disaster recovery/business continuity processes in place are just as important. Human error will always play a part - someone will click on a link at some point.
Reply Yes, that’s why cyber awareness is very important. Cyber awareness covers human errors and also help you to speed up reaction in case of threat/attack/data breach. Especially a data breach where we know time matters and clock keeps ticking.

Comment One good indicator of how cyber mature an organisation is, is the degree to which their policies and environment need to change with the increase in remote working.
Reply True - in our case, a number of operational policies and procedures had to be adjusted with a very strong push on education, webinars, cyber awareness.