ITAC could provide the spark for acquiring needed cybersecurity skills, knowledge, and tools

new survey out from the Institute of Internal Auditors finds that many internal audit departments either outsource cybersecurity audits, or worse, they don't do them at all. What's more, when asked why they don't do them, the top reasons provided by respondents were that their internal audit departments lack the skills and knowledge necessary to provide audit services related to cybersecurity or that they lack the proper tools to conduct such audits.

While it's hard to imagine a company that doesn't feel the need to conduct cybersecurity audits, it's understandable that internal audit may feel lacking in cybersecurity competency. We all know that good IT auditors are a rare find, and it's also pretty clear from the volume of cybersecurity breaches—big and small—that lots of companies haven't quite figured it out yet, even if they are conducting cybersecurity audits.

The IIA report is thin on providing recommended fixes. Its top piece of advice? "First, it all starts with having or obtaining the requisite competencies and tools to audit cybersecurity." Now there's an idea.

Of course, obtaining those competencies and tools is the hard part. One solution is to send internal audit staffers for training, and MISTI has plenty of options for IT audit training courses or in-house programs that you can find in our seminars listings.

Another, more immediate, option is to attend this year's IT Audit & Controls conference taking place in New Orleans on December 6-8. Time is running out to register, but the conference will offer several sessions and discussions on auditing cybersecurity. Among those is a keynote address from risk expert Norman Marks, who will look at "How Much Cyber-Risk Should We Take?" Marks will discuss how organizations must balance limited resources with the ever-present threat and make smart decisions about where to invest resources.

Other sessions addressing cybersecurity audits and cyber-risk include, "The Nuts and Bolts of Cybersecurity from an Internal Audit Perspective," "How Did Cybersecurity Go So Horribly Wrong and How Do We Get It Back on Track?" and "Will Modern-Day Pirates Discover a Treasure Trove in Your Data?"