“Cybersecurity in 2022, Part 2: Critical Partners — Internal Audit and the CISO” examines the benefits of a strong relationship between heads of internal audit and their information security counterparts, looks at paths to establishing and nurturing such relationships while ensuring internal audit independence, and assesses how these partnerships can add value to the organization.
The details and sophistication of such partnerships can vary depending on the size of the organization, the level of regulation in each industry, and an organization’s cybersecurity risk profile. However, five areas emerge where collaboration and cooperation can create clear benefits, no matter the size of the organization or the industry in which it operates:
- Understanding and aligning on the organization’s cyber risk profile.
- Establishing roles.
- Recognizing relevance.
- Communicating to the board and executive management.
- Protecting and respecting independence.
What’s more, a sound relationship can enhance resilience and agility should the organization need to respond to cyber incidents, changes in factors that influence cybersecurity, or the evolving regulatory landscape. It helps provide consistent and unified messaging to the C-suite and board about cybersecurity needs, priorities, and health. Internal audit independence can be successfully protected, even enhanced, when both sides develop deeper understanding and appreciation of roles, approaches, and duties. Ultimately, a solid relationship between heads of audit and CISOs can strengthen cybersecurity by supporting an enterprisewide approach to cybersecurity.
In conclusion, a healthy relationship between internal audit and information security offers multiple benefits to the organization, primarily in aligning and understanding the organization’s cyber risk profile — from vulnerabilities and opportunities to maturity and penetration testing.