Cyber Transformation Programmes Thrive with Audit Support
By Simon Lawrence, Director at i-confidential
Over the last 10 years, i-confidential has been instrumental in developing cyber transformation programmes for many of its clients. Along the way, we have seen the chief security officers (CSOs) who own these programmes face a similar set of pitfalls and challenges.
One of these is the impact of audit teams on the transformation approach. In businesses where cyber security has not been a priority, it is often left up to auditors to point out what is wrong. This is necessary because audit is the last line of defence and often serves as an organisation’s conscience. This can, however, lead to a narrow focus on a set of spot issues.
The wider impact of not having an effective cyber security strategy in place can be overlooked. Investment priorities can end up being based on management’s natural aversion to open audit issues, rather than on a fully assessed, risk-based approach to addressing cyber weaknesses. This can lead to long delays in addressing the most serious security problems.
At i-confidential, we help our clients address this challenge with two complementary in-house products. We use i-Assess, which includes over 1000 security requirements, to determine our clients’ true cyber risk position. We then use i-Decide to convert this understanding into a costed, multi-year security improvement programme. This shows how the investment will move each material cyber risk from a red or amber position to green. We call these risk reduction journeys. They allow organisations to make much better ‘cost vs. cyber risk’ decisions. Crucially, they also enable them to determine how long certain risks will be accepted.
Audit are included in this risk acceptance plan and can therefore focus on validating the overall strategy and the current year’s specific risk reduction deliverables. This approach ensures the most important risks are addressed first, while others are agreed as accepted until they are remediated during a later phase of the programme.
Using i-Assess and i-Decide, CSOs can be sure that their cyber programmes are complete in terms of required activities and costs. What gets the buy-in from the audit and risk committees, however, is the clear articulation of risk reduction over time as these programmes deliver. Gaining this wide support allows the delivery teams to focus on achieving their security transformation goals.