Cyber-security testing controls are more accessible than ever, making it an opportune time for IT audit teams to adopt their own techniques and become more independent rather than continuing to depend on outside penetration testers.

During the IIA’s General Audit Management virtual conference held last week, Nathan Anderson, senior director of internal audit at fast food chain McDonald’s, discussed common cyber-security questions leadership often asks and how to answer them; the tools and knowledge internal audit needs to test cyber-security controls; and the most effective methods for internal audit to adopt to become an independent cyber-security testing function.

Citing findings from the National Association of Corporate Directors’ (NACD) 2019-20 “Public Company Governance Survey,” Anderson noted new board appointments continue to pull largely from executive leadership (60 percent) and finance (40 percent), while skills that support growing business needs—including cyber-security—often are neglected. According to the NACD, skills and backgrounds in cyber-security were present in just 2 percent of new directors.

Often, boards will lean on senior management and the chief information security officer (CISO) for answers to common questions they have, including:

  • How secure is the organization from a cyber-security standpoint, and how do we know that?
  • What is the organization’s overall cyber-security strategy/roadmap?
  • What are the biggest risks and threats facing the organization right now?
  • Is the organization’s cyber-security spend appropriate, and what is it getting in return?

The answers boards receive in response often are presented at a high level, Anderson noted, perhaps in the form of a “three-year roadmap on cyber-security” from management. The CISO might also present a cyber-risk map.

Additionally, more times than not, management will have an overly confident take on the company’s coverage of cyber-security risks. “That’s the kind of reassuring message you often want to give to a board, but in many cases … the level of confidence might be above what is justified,” Anderson said.

All of this is to say that “there is an opportunity here for audit to send a clear and independent message to the board about our thoughts on the risk,” Anderson said. “That helps the board have an accurate view of what their real cyber-security risk is and hopefully avoid unnecessary security incidents.”

To become more relevant to the business in mitigating cyber-security risks, internal audit must start with asking good questions, Anderson said, including:

  • Have we identified all our crown jewels, and how do we know?
  • Do we know where those crown jewels are located?
  • Have we identified all the ways cyber-attackers can reach those crown jewels?
  • Have we mapped high probability signals of cyber-attackers trying to get to each of the crown jewels?
  • Are we sifting through all the noise to detect signals early?
  • Are we reporting to the CEO and board in a dashboard-style report for timely oversight?

Answers to many of these questions come down to a few key steps:

Know the enemy. “Who is threatening the organization, and how? What do they want, and how are they likely to attack?” Anderson asked. “As audit, we have to have some point of view on this. We have to understand what is common, what is predictable, what’s expected, and what’s happening to our peers and industry.”

Know the organization. Questions to ask might include, “‘How well prepared are we to face the threats that we expect may be coming our way? Do we have a risk and controls matrix that gives us theoretical risks and theoretical controls, or can we more confidently talk about threats that are happening in the industry and real ways to manage those risks?” Anderson suggested.

Test controls from the viewpoint of an attacker. There will always be hackers who are going to bypass or circumvent some security controls. “Don’t take the bait and spend time studying the sophisticated information security controls you have in place,” Anderson said. “Instead, we need to spend time testing those controls.”

Internal audit can either perform simulation cyber-attacks itself or hire external partners to help get there. “A lot of us are going to need some kind of help,” he said. It is important to just start somewhere.

“There is an opportunity here for audit to send a clear and independent message to the board about our thoughts on the risk. That helps the board have an accurate view of what their real cyber-security risk is and hopefully avoid unnecessary security incidents.”

Nathan Anderson, Senior Director of Internal Audit, McDonald’s

For its part, McDonald’s partnered with Crowe to perform penetration testing assessments for the company. “Eventually, we grew in confidence and started taking part in these penetration tests, and eventually we evolved beyond that to where we do our own penetration tests,” Anderson said.

“By testing our company’s defenses, by being creative, and by searching for weaknesses,” Anderson said, “we can finally begin to answer the questions for ourselves and then share intelligently with the board: ‘Are we safe? How do we know if we’re safe?’”

Internal audit should begin by looking at what testing the organization already does. “Your information security team might hire penetration testers,” Anderson said. In some cases, you might find gaps in testing or that there is no testing happening in certain areas at all—for example, with business partners or an overseas operation. “So, you want to ask whether the penetration testing currently being done covers all those areas,” he said.

Through the simulation of effective cyber-attacks and penetration testing, internal audit should be able to quickly identify where cyber-security weaknesses might lurk. As those weaknesses get fixed, continue to perform more testing, and keep using current and innovative attack techniques and evolving just as attackers do, Anderson said.

“There is always going to be new attacks, new techniques, and we’re always going to have to turn to the experts,” Anderson said. However, by internal audit picking up cyber-security skills and taking a more active role, “it’s going to make us more aware of the threats, make us more aware of how effective our controls are, and it going to make us more effective.”