Cybersecurity is not just another name for Information Security. It is a new paradigm that has resulted from the emergence of ubiquitous access, and with the rapid digital transformation of businesses it has become critically important, as has the role of the Cybersecurity Auditor.
Information Security as we know it, based around the ISO 27000 standards, started life in the days of mainframes and minicomputers and focused on ensuring that controls were in place to stop fraudulent use of applications. While the standard has evolved to take account of network-borne attacks, it is still very much a control-based approach. The Information Security mindset is IT-focused, takes an “Assume Safe” starting point, and applies an ISO 27000-style Information Security Management System.
The Cybersecurity paradigm is one of technical attacks, often network-borne, and while it includes preventative controls, it is strongly focused on detecting and responding to attacks that penetrate the system’s defences. These attacks are often considered in the context of the Lockheed Martin Cyber Kill Chain, which addresses the end-to-end lifecycle of an attack, from reconnaissance through to actions on objectives. The Cybersecurity mindset is cyber-focused, takes an “Assume Breached” starting point, and applies a NIST Cybersecurity Framework-style management system.
The traditional cybersecurity audit role has developed around the IT General Controls audit approach, in which a standard is referenced, the required controls are identified, and testing is undertaken to confirm that those controls are effective. This approach has worked for Information Security, but it does not provide an effective approach for Cybersecurity. Evidence from data breaches indicates that attackers, and particularly those associated with advanced persistent threats, can remain on systems for many months before they are detected. Even then, detection often comes from an outside alert rather than from audit.
Cybersecurity Audit requires a new approach, and such an approach is beginning to emerge from the Certified Public Accountant (CPA) community to address digital transformation. The Digital Cybersecurity Auditor will need to address organisational parameters such as business goals and risk; governance issues covering policies, procedures, reporting and audit; Cybersecurity Principles aligned with the NIST Cyber Security Framework; and assurance of integrated defences.
The audit process requires a more operational mindset, starting with a good understanding of cyber systems and their weaknesses. The auditor then needs to determine the cyber risk profile, a significant effort based on an understanding of current and emerging cyber threats. Control testing still plays a part, with an increased focus on operational detection capabilities, covering both staff skills and tools. If this testing detects anomalies, cyber deep dives are required to determine whether a breach may have taken place. If so, this is followed by a breach investigation and, finally, a determination of the impact on financial reporting.
SABSA is an Enterprise Security Architecture framework that addresses all aspects of this new approach to cybersecurity audit. It is a valuable tool for auditors in managing a Cybersecurity audit, and for businesses in preparing for the Cybersecurity Auditor.