IT auditors should consider attacker’s business case

When it comes to cybersecurity meeting compliance requirements is not enough. The practice shows that 100-percent protection can not be assumed. In addition to checking whether the compliance requirements are air tight, an IT auditor must think about the actual risks and in particular the business case of a possible attacker.

Image: © Nationale Beeldbank

Thus says Peter Kornelisse, who works in Risk & Compliance, Corporate Security at Booking.com and teaches at TIAS Executive Master of IT Auditing. In recent years more attention has been paid to cybersecurity in the TIAS programs.

"IT auditors must, of course, verify that companies meet compliance rules. But it is also important that the threat risk is analyzed,” says Kornelisse. Questions that need to be answered include how a company monitors what happens on its systems, how to recognize an attack, and what happens when an attacker is inside. “In other words, you need to think about the business case of a possible attacker. What good are the company’s data to him? What is the easiest way for him to gain access to this data." This could mean in practice that systems will not be 100 percent impenetrable because if it is not profitable to make use of a security gap an attacker will not do it anyway. Kornelisse: "Security is becoming more effective, it focuses on the risks that really matter."

Kornelisse notices that the increasing digitization of IT continues to become more important. "Data breaches happen more frequently. The government has also recently passed a law making it obligatory for companies to report data loss. Because of all these reasons cybersecurity is now a matter of discussion in the boardroom."

Kill chain

Martijn Dekker, CISO at ABN Amro and lecturer at TIAS, says that in order to be well prepared for this, it is important to realize that the effectiveness of a cybersecurity framework is determined by three factors: the coverage of the attack surface, the degree of disturbance of the kill chain, and the extent to which it nullifies the attacker’s business case.

The growing importance of cyber security is a specific concern in the TIAS programs. “The fifth block pays attention to the subject. We discuss the different aspects, such as technology, processes, organization, and culture." Kornelisse notes that IT auditors often focus on the processes and organization. "But the degree of security awareness – the culture – is an important aspect. And technology is becoming increasingly important due to the increasing digitization. The more an IT auditor knows about technology, the better the questions he asks."

Rob Fijneman, academic director of the TIAS Master of IT Auditing and Head of Advisory and member of the Board of Directors of KPMG, is closely involved in this initiative to improve cybersecurity in companies. KPMG is partnering with Microsoft and Shell to combine knowledge and experience in a study for a fundamentally different approach to cybersecurity. Fijneman: “We consider it important that companies share knowledge and collaborate purposefully on improving the management of knowledge of online threats and incidents. This way, cybersecurity can become an integral part of the Risk Management Framework of companies, which it is not the case now."

On September 4 TIAS will organize a meeting for participants and alumni of the Executive Master of IT Auditing. Martijn Dekker and Peter Kornelisse will speak at this event. Visit www.tias.edu for more information and registration.