For more than a decade, cyber-related risks have been at or near the top of all risks faced by organizations around the world. Too often, cybersecurity breaches of devastating proportions have wreaked havoc operationally, financially and reputationally for organizations, often destroying value and catching management, boards and internal auditors by complete surprise.

In this day and age, how anyone can be surprised by a cyberattack is beyond me. Yet, according to IIA research, corporate board members often maintain a misplaced level of confidence in the effectiveness of cybersecurity risk management. From my experience, internal auditors are often not much help because they struggle with adequate resources and a lack of expertise to assess the effectiveness of this critical risk.

To better equip boards and internal auditors to assess the effectiveness of cybersecurity risk management, The IIA and EY recently partnered in the publication of a timely and informative paper: The Risky Six: Key Questions to Expose Gaps in Board Understanding of Organizational Cyber Resiliency (PDF).  The document is the product of a collaboration between practitioners at The IIA and EY, and was the last project I had the privilege of working on before stepping down as IIA CEO at the end of March. As I noted in the report:

“The importance of the board having a clear-eyed view of the organization’s cyber resiliency cannot be overstated. The board exercises oversight of risk management, and I cannot think of a more pressing and pervasive risk than cybersecurity. Proper oversight requires board members to ask the right questions at the right time, and to seek independent assurance from internal audit that this risk is being properly managed.”

In the paper, we noted that the past year has yielded a number of “surprising phenomenon.” We observed in the paper’s introduction:

“The unforeseen stressors of the COVID-19 global pandemic and a forced work-from-home (WFH) model exposed cybersecurity vulnerabilities in organizations around the globe as well as board and management overconfidence in the cyber resiliency of their companies. How could this happen in an age of acute cybersecurity sensitivity when boards have made the battle against cyberattacks a top priority?

The pandemic didn’t create new vulnerabilities; it simply brought existing ones to light. It can be argued the fault is not on the boards or executive leadership alone, but in the fact every organization faces a myriad of ever-evolving risks. Yet, one thing is certain: the task of becoming and remaining cyber resilient is nearly impossible if boards do not have a clear-eyed understanding of their organizations’ cybersecurity strengths and weaknesses.”

The reason the “Risky Six” is must read material for board members and internal auditors is that it poses six critical questions that cut to the heart of effective cyber risk management. Board members (and internal auditors) are urged to ask if their organizations “can provide answers to all six with depth and understanding.” If the answer to any of the questions is “no,” the paper “delves” deeper into each question and explains how being able to answer each of them in the affirmative can help bridge gaps in understanding our organization’s true cyber resiliency.

The six questions are:

1. Has your organization conducted a recent enterprise-wide cyber risk assessment?
2. Has your organization implemented a data governance program beyond basic classification?
3. Have cyber risks and responses been incorporated distinctly into your crisis management program?
4. Has your organization conducted a recent third-party and/or joint venture cyber risk assessment?
5. Is cybersecurity included in the audit plan and/or is internal audit being leveraged as a tool to help your organization manage cyber risk?
6. Is the effectiveness of cyber controls measured and reported in a consistent, meaningful manner?

The most valuable take-aways from “Risky Six” are not simply the questions. The most informative content is in depth information, survey trends, and coaching points that accompany each question. I urge all of my readers to download a copy of this paper, digest it, and share with colleagues and board members who will undoubtedly benefit from the insight it contains.

As always, I welcome your feedback.