Security Think Tank: Internal audit an essential component of data security

What is the role of information security professionals in handling uncomfortable truths about data security from internal auditors?

Internal audit often undertakes a crucial assurance role in an organisation, with particular attention to risk management and control, writes Steven Babb

Given the connected world we live and conduct business in, cyber security typically holds a key spot in an organisation’s risk profile and consequently is a key area of focus for internal audit. Internal audit should be seen – and treated – as a business partner, with increased reliance on it to make a significant contribution to governance.

Given the rapid rate of change in which we operate, security professionals must regularly assess and mitigate risk. The truths uncovered are often wide ranging: faulty processes; legacy infrastructure and end-of-life systems; a lack of patching and ineffective supplier management programmes; and weaknesses in managing customer and employee data.

The industry is witnessing increased demand for information security professionals with recognised security certifications, such as CISM and CRISC, which provide a strong level of assurance that the certificate holder has an appropriate level of both professional experience and knowledge – a key differentiator for certificate holders.


Audits and the role of security professionals

The role of information security professionals continues to evolve, with increased demands placed on them to act as business leaders. The expectation is that security risks are identified and assessed, and that plans are put in place to mitigate them appropriately; but this requires investment, with CIOs and the board often having to balance investment in security maintenance programmes against investment in more direct revenue-generating activities. The key is to articulate these risks in clear, business-focused language.

The reality is that the two functions, security and internal audit, need to work closely together, supporting each other in ensuring that key security-related messages are presented appropriately and at the right level, thus ensuring the necessary levels of support and buy-in are achieved.

The oversight role of internal audit should not, however, be overlooked. It has the remit, and should not shy away from holding the security function to account when it is not effectively protecting sensitive information, critical data and business assets.

Steven Babb is international vice-president of Isaca and technology risk, compliance and assurance leader at Vodafone.
