This article is the 11th in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
Provide third-party assurance
While I know the topic of audits may not be the highest priority or the most appealing for IT leaders, you will need to embrace and own it. Yes, this does mean you are proactively asking to be audited and yes, seemingly there is something unnatural about that. However, you have to remember what Darth Vader once said: “I find your lack of documentation disturbing.” Embrace your internal audit team. And don’t get me wrong – I’m not equating auditors with the Dark Side. They are in fact a force for good.
All kidding aside, providing third-party assurance to your Board is an absolute requirement if you are to demonstrate the level of maturity on risk management that directors expect. As difficult and time-consuming as it may be to work through an assessment of this kind, it’s also invaluable to you as an IT leader and you should put the effort into doing it right.
Working with your internal audit organization will be critical, as they will have the expertise and knowledge to conduct audits and provide independent assurances for your Board. Whether they do the work themselves or commission it through an outside firm, the result will be a neutral party providing an opinion on whether or not your cybersecurity-related controls can be relied upon.
This adds confidence for your Board and builds upon the maturity assessment results, as I described earlier. Together, these two things demonstrate to your Board that you have things under control by allowing others to verify your own work and belief in it. The “trust but verify” rule is then satisfied.
Third-party assurances can come from two perspectives. Firstly, there is the independent assurance from your internal audit department on your cybersecurity risk management programs, and secondly, you can seek assurances from technology providers such as cloud service providers. Together, they form the overall independent assurance picture you will provide to your Board and Executive Management.
Independent assurance of your internal cybersecurity program can be provided by your internal audit department using generally accepted frameworks such as ISO-27000 or NIST. These can be adapted to reflect the realities of your organization and right-sized to suit the risk tolerance expectations of your internal or external stakeholders. This will provide you with a current-state assessment of your cybersecurity program as well as recommendations to help you address critical risk areas.
If your internal audit department doesn’t have the necessary technical expertise or resource capacity, they may choose to use an external consultant to perform a review of your cybersecurity program. Either way, your Board will expect the independent assurance provided through the involvement of your internal audit team.
The second element will be the assurances provided to your organization from the various outsourced service organizations you may deal with. It is essential that you manage the risk of third-party services by obtaining proper assurances and transparency over those services from the vendors directly.
This assurance is provided through a System and Organization Controls (SOC) report prepared under standards developed by Canadian (CSAE), US (SSAE) or international (ISAE) audit standard-setting bodies. You will need to review the reports to assess whether the controls the service provider has implemented satisfy your requirements. If your vendor can’t or won’t provide you with a SOC report at least annually, you probably should think twice about doing business with them.
As the percentage of cloud-based services increases in your technology ecosystem, having control over the assurances from your service providers will be critical. Remember, outsourcing a service does not relieve you or your organization from the risks normally associated with cybersecurity — reputational, compliance, privacy, financial or the protection of sensitive information. You still own those risks and are accountable for them so don’t take a leap of faith here. Remember the “trust but verify” rule that Boards have? You should have the same rule when it comes to your service providers.
Next article in the series: “Cybersecurity essentials – Innovation”