The evaluation of evaluations
To form a coordinated defense, organizations must ensure that their technical controls stay updated and effective across a range of factors. Internal audit can play an invaluable role in evaluating the risk landscape, communicating the impact of a risk materializing, performing technical audits aligned to changing risks, reviewing cybersecurity insurance coverage and ensuring board-level reporting.
Too often, organizations incorrectly assume that implementing technical controls is enough to protect against attacks, said Grant Thornton Director for IT and Cybersecurity Internal Audit Vikrant Rai.
“A lot of times, you’ll see that these technical controls are not configured correctly or are in the process of finding the right balance between protection and enabling business,” Rai said. “It’s kind of a three-legged stool: People, processes and technology. Often, what we see is that there can be some great technology, but the three-legged stool falls down on the side of configuration, overall monitoring, management and ongoing sustainability.”
One effective way to evaluate technical controls is by using a risk-based framework. Internal audit can leverage comprehensive standards such as those established by the National Institute of Standards and Technology (NIST).