Something I have learned in over 20 years of experience in the IT audit realm is simply that “a widget by another name is just a widget, and the same or similar controls and security measures need to be applied to it as have been applied during past IT security and control reviews, projects, and audits”. In this case we are talking about cyber widgets associated with cybersecurity. New technology has been developed rapidly, is still being developed, and will continue to be developed, and it will present new challenges to the audit and security community. A simple definition of cybersecurity (NISTIR 7298r2) is the ability to protect or defend the use of cyberspace from cyberattack. Words such as these make it sound like a ‘Star Wars’ type of occurrence in our solar system, but these attacks are real, occur many times every day, and come down to how well an entity can defend against, detect, and recover from them.
In today’s world there is a higher demand for increased cybersecurity and for individuals who help entities be prepared to defend against such attacks. With that said, the responsibilities of a cybersecurity professional primarily include helping entities ensure that sensitive data, and the systems and infrastructure that process, maintain, transfer, and store it, retain their integrity, are kept secure from attacks and other threats, and are accessed only by those who have a business reason for such access. This is done through assessments of critical processes and their control environments and associated documentation, and by interviewing key individuals.
Accordingly, a risk assessment should take place prior to starting any kind of cybersecurity testing, to ensure that the testing concentrates on the higher-risk areas and that controls are addressing any gaps. Since I never had the opportunity to perform such risk assessments while in the corporate world, my biggest challenge so far has been ranking cybersecurity risks according to the risk of material misstatement, which is not an exact science. In order to properly rank these risks, sometimes you need to step back and use your ‘gut feeling’, based upon all your past experience and what you know about the risk and the entity being assessed.
To prepare for the ultimate journey of becoming a cybersecurity professional, a person needs to become familiar with the many frameworks now available (e.g., the National Institute of Standards and Technology (NIST) publications, the Center for Internet Security (CIS) Controls, the Health Information Trust Alliance Common Security Framework (HITRUST CSF), etc.) that help entities better protect their own and others’ confidential, strategic, private, sensitive, and/or personally identifiable information (PII). The professional can then share recommendations and suggestions on how best to satisfy the applicable control objectives of such frameworks, based upon the type and size of the entity.
Other ways to bring oneself up to speed are to spend time with those who have performed such engagements, asking them about their experiences, and to review documentation from past engagements performed by your firm. No one person has all the answers, but by networking with others in the cybersecurity field, one can become more well-rounded and knowledgeable about the many aspects of cybersecurity. Organizations such as the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA) also have a large amount of information pertaining to cybersecurity, including possible audit programs.
To me, becoming a cybersecurity professional is a critical and important progression step in the IT audit/security profession, whose members have been identified in the past as Electronic Data Processing (EDP), Data Processing (DP), Information Technology (IT), and Information Systems (IS) Auditors or Security Specialists. It is just another chapter at the end of the never-ending book of IT Audit and Security professionals.