TEAMING UP TO STOP CYBERCRIME
Cross-functional collaboration between internal audit, IT, and other key functions can help combat cybersecurity risk.
Joy Chacko, Mark Delong, and Sridhar Ramamoorti
In the constantly shifting landscape of emerging risks, cybersecurity is becoming the fixed point of danger to corporations globally. By 2031, it is expected that a ransomware attack against a business, consumer, or device will occur every two seconds. Further, global ransomware will cost victims $266 billion, based on the 2022 Ransomware Report conducted by Cybersecurity Ventures. Internal auditors are well aware of the implications of cybersecurity risk. CAEs rated cybersecurity among their top three risks in both The IIA’s 2022 and 2023 North American Pulse of Internal Audit surveys. CAEs also named IT and third-party relationships as among the most significant risks facing their organizations — both of which have cybersecurity nuances. Clearly, all players in the organization see the cybersecurity threat growing in severity as ransomware attacks and other incidents become more pervasive.
Timely decision-making is crucial before, during, and immediately after a cyber incident and involves deterrence, detection, and swift response. A lack of clarity regarding roles and responsibilities can delay prompt action and waste precious time. Cybersecurity readiness thus presumes high levels of collaboration, coordination, and cooperation among disparate organizational groups.
A COORDINATED RESPONSE
Recently, a synthesis of 39 studies about cybersecurity threats and responses — published in the Managerial Auditing Journal article “Cybersecurity in Accounting Research” — underscored the importance of cooperation and information sharing between the internal audit and cybersecurity functions.
Specifically, these studies emphasize that cooperation between internal audit and information security should be uncomplicated and smooth. Cordial organizational relationships create environments capable of addressing cybersecurity risks most effectively and are an integral part of the organization’s culture.
Organizations are a collective learning system. Vital collaboration across functions greatly enhances internal audit efficiency and the quality of cybersecurity risk management. In today’s dynamic and complex environment, CAEs and audit committees should proactively promote cross-functional collaboration efforts by encouraging cultural change at the board and executive management level, helping to form steering committees, incorporating the Three Lines Model, and reframing internal audit as a function that upholds good governance. By promoting collaboration, internal audit can help move organizations toward strategies that support cyber resilience.
ROADBLOCKS TO COOPERATION
While cross-functional collaboration sounds like an obvious way forward, it’s not easy to achieve. Today’s teams are more diverse, dispersed, digital, and dynamic. Effective teamwork does not just happen. There may be constraints limiting collaboration, such as the inability to manage uncertainties among team members.
Relationship challenges may exist among the principal stakeholders, with each holding different priorities and expectations. There may be ambiguity in roles, responsibilities, and accountability, and differences in knowledge and specialization. The inherent power structure and struggles within the organization may impede cooperation and decision-making. There may be concern over who gets the credit or who gets the blame once decisions are made. All of these reasons may be involved as part of the politics of organizational operations — specifically in the distribution of power, decision rights, and the resulting allocation of resources.
Patrick Lencioni famously examined why effective teams are rare in his book, The Five Dysfunctions of a Team, which identified the causes of team dysfunctionality as:
1. Absence of trust or the fear of being vulnerable with team members.
2. Fear of conflict and a desire to preserve artificial harmony, which stifles productive, ideological conflict.
3. Lack of commitment, created by a lack of clarity or buy-in.
4. Avoidance of accountability.
5. Inattention to results, due to a focus on the pursuit of individual goals and personal status rather than collective success.
Lencioni’s thoughts on team dysfunctionality can be useful to leaders looking to make their teams more cohesive and effective.
As with all aspects of governance, the top echelons of power must set the tone when it comes to both cybersecurity and collaboration. Cybersecurity governance needs organization-wide cybersecurity efforts, as well as oversight structures at the board level. Good leadership enables effective collaboration and drives accountability across the organization.
Therefore, it is important for the organization to signal that cybersecurity risk management is a key focus area. Such emphasis will permit internal auditors to take the initiative as business partners and trusted advisors to seek out all avenues for collaboration. Internal audit can proactively advise executive management, the audit committee, and the board on how to set the right tone from the top to promote collaboration and achieve desirable governance outcomes.
Good cybersecurity risk management starts with clearly defined roles, responsibilities, and accountability. Bringing together an interdisciplinary team of talented professionals to form a steering committee, with internal audit providing a proactive and supporting role, is the first step. This can lead to trust building and better relationships, communication, and delineation of roles.
On the other hand, confusion over who owns cybersecurity risk can be highly problematic. It can further accentuate organizational barriers, hinder efficiency, and decrease team morale in combating cybersecurity risks.
The steering committee should develop a crisis management plan to be deployed in the event of a cybersecurity incident. Without a well-documented plan, the five dysfunctions Lencioni identified could impair the cybersecurity risk management team’s effectiveness. Such a plan enables a company to anticipate and quickly assess various scenarios and then implement responsive, mitigating actions.
Steering committee members should be actively engaged with industry groups and roundtables to keep abreast of current and emerging cybersecurity threats. The steering committee should meet at least quarterly to:
1. Update the crisis management plan to reflect root-cause lessons learned from previous incidents.
2. Discuss global, industry-wide emerging cybersecurity threats.
INCORPORATING THE THREE LINES MODEL
Because risks can emerge from anywhere, an enterprisewide approach is needed to address them. The IIA’s Three Lines Model focuses on business units working together to facilitate strong governance and risk management and necessitates effective collaboration among key stakeholders.
In the Three Lines Model, first-line roles maintain accountability and ownership of managing their risks to achieve objectives. As an example, the IT and information security teams perform first-line duties because they design and implement operational and oversight controls.
The enterprise risk management function, part of the second line in the Three Lines Model, establishes the risk management framework and policies and standards and is likewise critical to the success of cybersecurity defense and response efforts. Two good frameworks for effectively identifying, assessing, prioritizing, and managing cybersecurity risks are COSO’s Enterprise Risk Management – Integrating With Strategy and Performance Framework and the International Organization for Standardization’s Standard 31000.
Internal audit, as the third line, provides stakeholders with independent and objective assurance and advice on the design adequacy, operational effectiveness, and efficiency of governance, risk management, and control processes. It also is responsible for challenging management on issues that need an immediate course correction.
Each of the three lines needs to collaborate in formulating a well-developed strategy for cybersecurity threat readiness and swift response. Such an approach should be led by internal audit, which works alongside the ERM and cybersecurity functions, with support from the risk and audit committees of the board. For instance, a cybersecurity incident external to the organization could initiate a series of reviews by internal audit to assess the effectiveness of the organization’s existing crisis management plan, as formulated by the steering committee.
ASK THE RIGHT QUESTIONS
The IIA Global Technology Audit Guide, Auditing Cybersecurity Operations: Prevention and Detection, notes that internal audit can provide independent assurance and advisory services “on the adequacy and effectiveness of IT-IS processes, including cybersecurity operations.” It also offers some high-level questions for the organization and internal audit to consider to prevent and detect cyberattacks:
1. Which resources are the likeliest targets for cyberattacks?
2. Who has access to the organization’s most valuable information?
A CULTURE OF COLLABORATION
Rainer Lenz and Kim Klarskov Jeppesen, the authors of “The Future of Internal Auditing: Gardener of Governance,” published in EDPACS in 2022, suggest that viewing internal audit as “gardeners of governance” is a promising metaphor for positioning internal audit in a way that strengthens its value proposition.
According to Lenz and Jeppesen, internal audit should promote a culture of collaboration that naturally seeps into the Three Lines Model. Specifically, the work of the internal audit activity must remain relevant and aligned with the strategic and operational needs of the organization.
The board and executive management should establish reward systems with incentives for encouraging effective team collaboration. Working with the ERM and cybersecurity functions, internal audit and the audit committee should strive to heighten awareness of the value of maintaining a collaborative culture — and commit stakeholders to make the investments necessary to promote and support such an outcome.
AN ORGANIZATION-WIDE VIEW
Cybersecurity is clearly an enterprise-level risk and naturally demands an organization-wide approach. There remain multiple challenges to cross-functional collaboration, including attracting and retaining highly experienced and skilled talent, optimizing the Three Lines Model in practice, and sustaining the collaboration advantages for the long run.
Cybersecurity functions have specialized expertise but may lack an enterprise-wide view. However, the internal audit activity does have an overarching view of the organization, deriving from the nature and scope of its role in combating risks of all kinds. Accordingly, the role of internal audit, in collaboration with the first and second lines, is critical in combating cybersecurity risk.
Joy Chacko, DBA, CMA, is an independent consultant in Chandler, Ariz.
Mark A. DeLong is a special advisor at FORVIS in New York.
Sridhar Ramamoorti, Ph.D., CIA, CFSA, CRMA, is an associate professor of accounting at the University of Dayton in Ohio.
N.G. Shankar, CIA, QIAL, CA, a consultant at a professional practice in New Delhi, also contributed to this article.