Editor’s note: The ISACA Now blog is featuring a weeklong series providing tips for success in 2023 for practitioners in various digital trust fields. Today, we begin with a look ahead to 2023 for audit and assurance professionals.
Information technology in general, and specifically the discipline of cybersecurity, is undoubtedly one of the most dynamic career professions out there. More recently, since the COVID-19 pandemic took effect, most organizations have accelerated their digital transformation journeys, especially focusing on rapidly implemented cloud adoption strategies.
In parallel, the increasing importance given to cybersecurity is an obvious trend that cannot be missed. Most companies perceive cybersecurity as a key business risk and look to build, maintain or operate products and services in a secure way to safeguard their systems and data. A rapidly evolving threat landscape and rise in number of newly discovered vulnerabilities have required practitioners to keep innovating and looking for creative ways to monitor, detect and protect our digital assets. To add to the complexity, we have a crowded marketplace filled with a plethora of cybersecurity-based tools, utilities and platforms.
However, the biggest grievance for many core information security professionals has been that the IT audit community has failed to keep pace with this rapidly changing environment and has yet to completely upskill and adapt. As we look to 2023, traditional audit approaches that were used to evaluate legacy IT environments will not make sense for the decoupled cloud native architecture of today’s world.
It’s important to clearly understand the implementation of various security-related processes and interconnection between the different platforms and services in the environment and, subsequently, identify relevant and unique risks. Auditors, too, must be creative and tailor test procedures to assess controls in a multi-cloud environment and gain confidence that the underlying risks are addressed.
Here are five key areas of focus for IT audit and assurance professionals to be able to thrive and progress in 2023 – an era of technology transformations:
1. Cloud Native DevOps
This concept simply refers to the management of cloud-native applications, including microservices and containers running in the cloud and built using DevOps principles. The familiar testing strategy to inspect change tickets from service management tools with a set of sequential approvals will no longer be valid. The way companies structure their software engineering practices and methods are different and it is not possible to create a one-size-fits-all checklist for auditors.
Prior to devising the optimal testing strategy, auditors must look to understand the entire process, from how a line of code is deployed on workloads running in the cloud, to calling out which pieces are manual and automated, and discovering the controls built into the flow. Though the individual components within the toolchain may vary, CI/CD pipelines are largely built based on a similar framework to facilitate the release of features to customers at a high velocity. Further to enable this, the actual deployment of changes to production may be completely automated or initiated by the developer who made the change. Therefore, the old ways of testing segregation of duties will not be right and one must look for the appropriate checks and balances to ensure the associated risks are covered.
2. Cloud Security Posture Management (CSPM)
Gartner first introduced this term to describe a category of security solutions that automates security and provides compliance assurance by identifying and helping to remediate misconfigurations in the cloud. This marketspace is growing at a strong rate as organizations continue to rely on and leverage these tools to improve their security and compliance posture.
There are myriad CSPM vendors offering a suite of solutions with a range of capabilities. Auditors need to understand the specific purpose and functionality of CSPM tools and how they are set up in a cloud environment. Important audit considerations should include looking at which elements in the cloud are monitored, how data is ingested from the source to CSPM and how the risks and alerts identified by the tool are handled. Typically, a mix of automated and manual controls could be used to effectively evaluate the use of CSPMs.
3. Privacy Engineering
Privacy is no longer an optional, nice-to-have attribute – with an increase in privacy regulations around the world, companies must look to integrate privacy practices in their routine operations to achieve compliance. Privacy engineering is an emerging function within companies and, essentially, refers to a cross-functional group of professionals from product management, engineering, legal and GRC who are tasked with the mission to operationalize privacy by design principles and bake in the privacy requirements of applicable laws and regulations into the product or service. These are achieved by a combination of techniques including data isolation, multi-tenancy and automation.
From an audit perspective, evaluating privacy compliance has always been a challenging proposition. Some of the crucial requirements, like data minimization, tracking of consent and handling of data subject requests, may be easy to explain and follow in theory but difficult to implement and test in practice. Using a programmatic approach, including privacy-as-a-code and automation concepts, privacy can be rolled out in an efficient and cost-effective manner. Auditors should follow the mechanics of the implementation of various mandatory requirements and formulate appropriate test steps to ensure the relevant privacy principles are met.
4. Vulnerability Management
Vulnerability management is broadly defined as the ongoing process of identifying, assessing, managing and reporting of security vulnerabilities across the IT environment. This is not only a foundational building block of security programs but also a requirement in most control frameworks and standards (including but not limited to NIST800-53, SOC 2, CMMC and ISO 27001). Yet, this topic finds little or no mention in IT auditor training programs and is not talked about often. IT auditors are often unclear on which attributes to focus on and what evidence to really evaluate.
In addition to typical network and infrastructure-level vulnerability scans and periodic pen tests, companies with mature vulnerability programs employ multiple other techniques like static and dynamic application scans, bug bounty and red teams to uncover system vulnerabilities. It is important to understand the scope of each type of vulnerability scan type and ensure all possible environments (clouds and on-prem) are adequately included and assessed. Further, it is important to understand how the identified vulnerabilities are handled in terms of evaluation, prioritization and remediation processes with defined timelines. Audit considerations must include the steps for risk ranking of vulnerabilities, logging, and tracking reporting and resolutions within a defined SLA.
5. Emotional Intelligence (EI)
It has been widely documented and well understood by now that a strong audit (and cybersecurity) professional requires not just solid technical skills but equally good soft skills like communication and relationship-building as well. One crucial skill that needs to be consciously developed is emotional intelligence. In this line of work, one must have a fresh and alert mind to be able to think logically and exhibit professional skepticism. A popular study from Virginia Commonwealth University, titled “The Impact of Emotional Intelligence on Auditor Judgment,” is something I closely relate to and has struck a chord with me. The paper argues that EI is a key factor in dealing with emotions and pressures (client, time and budget pressure) experienced during an audit. Further, the study examines the moderating effects of EI on auditor judgement and has found a strong correlation. It is important to develop strong self-awareness and moderate one’s reactions to situations to avoid burnout or other negative reactions. I will not provide specific resources on how one should improve their EI (as different techniques work for different individuals) but highlight it as an key competency one must work on and keep improving over time.
Cybersecurity is identified as the number one hot topic by executives in various studies. In the prevailing geopolitical climate, bad actors are looking to use cyberthreats as a potent force to cripple economies and cause catastrophic impact. Organizations are perennially innovating and transforming to stay competitive and resilient, and look to compliance and audit professionals to provide assurance that risks are sufficiently managed and compliance with applicable regulations and standards is achieved. Therefore, it is important to develop a culture of continuous learning – pick a favorite blog, podcast or newsletter pertaining to a topic that interests you to follow and inculcate a habit of keeping up with the content to improve your awareness and understanding of the changing dynamics in cybersecurity and IT audit.
“The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.” – Alvin Toffler