Blaming Auditors for Breaches: Too Narrow a ViewData Leaks Point to Need for Security Investments
Recent data leaks, including the SBI incident that affected millions of customers, have once again stirred up a debate on the role of auditors in cybersecurity.
While some security researchers are questioning the effectiveness of the cybersecurity audit process carried out by organizations, including banks, others blame auditors for their lack of skills.
"I have seen many CISOs who are in a hurry to rush through the audit process."
A few security researchers allege that most auditors in India end up doing checkmark auditing because they lack technical knowledge.
"Certifications alone does not make one a good security auditor. Have auditors kept up with evolving technologies?" asks J. Prasanna, director of the Cybersecurity and Privacy Foundation. "There are evolving cybersecurity challenges being faced by auditors, and I am not sure of the kind of training they are undergoing to keep themselves abreast with the latest technology."
While some auditors may lack qualifications, it's wrong to paint the entire community with the same brush.
Plus, it's important to keep in mind that internal audit functions do not provide an absolute assurance of security.
Venkataraman T.V., internal audit and risk manager at automobile manufacturer Ashok Leyland, shared his views with me: "Audits are done based on historical data and current data. Tomorrow if the reference point is changed, can an auditor be blamed for lack of knowledge?"
Are Audits Rushed?
Typically, an auditor is given two to three days to conduct an audit of critical networks so as not to interrupt business processes.
"Security audits are done under [regulatory] mandate or customer pressure. Nobody does the security audit suo moto to be aware of the risk and security vulnerabilities," Rakesh Goyal, a CERT-In certified auditor, tells me. "I have seen many CISOs who are in a hurry to rush through the audit process."
Audits only provide an assurance that organizations have evaluated all risks and have effective controls in place. Effective cybersecurity audits involve challenging an organization's network, systems and mail servers through penetration tests, both internal and external.
"Attempting to compromise Wi-Fi and breaking network passwords or the firewall are part of an audit process," says Prasanna Bharatan, global head assurance and risk management at Wockhardt, a global pharmaceutical company. "Having said that, these audits are not designed to be continuous. And therefore, in the intermediate periods, any new malware or vulnerabilities may creep in that could weaken the system."
That's why continuous monitoring is essential.
Cyberattacks are so common, Bharatan contends, not because of the lack of robust audits but because of a lack of investment in appropriate security technologies as well as a failure to implement stronger policies and awareness programs.
What More Can Be Done?
For their work to be effective, Venkataraman says internal auditors must perform a risk assessment of the business landscape - not just to review operational processes but also to include risks associated with technologies adopted by the business.
"Given the rapid pace of digitization in most business sectors, it is imperative that the internal auditors equip themselves with a deeper domain understanding of the technology and associated risks such technologies carry," he tells me.
But some organizations may need to hire outside auditors with the necessary technology expertise, Venkataraman adds.
CISOs need to interface with the internal audit team to articulate the security policies for technologies that are under consideration or already have been implemented, he suggests.
"This will enable the internal audit function to evaluate the design and operational effectiveness of internal controls that have been implemented to mitigate the risks that pertain to the information technology landscape," Venkataraman says. "The internal audit function must test the adequacy of the measures implemented to evaluate if there are any residual risks that prevail."