Given the intense focus on corporate culture in the last few years as an important component in risk management, more companies are looking to behavioral science to get a better understanding of what drives human behaviors, both good and bad.
Latest Content From MISTI
Companies are rapidly finding applications for blockchain technology, meaning internal auditors will need to assess those applications. To do so will require some foundational knowledge of how blockchain works and the risks associated with its use.
Risk culture is no longer perceived to be a compliance box to be ticked. Companies are lifting the lid on cultural and behavioral issues that affect the way people make decisions and manage risks as part of their day-to-day work.
Internal audit departments that pursue data analytics without fear will soon be expanding their capabilities and unlocking the powerful potential of what analytics can do.
A slew of new studies and reports find that companies still struggle mightily to get a handle on IT-related risks, such as cybersecurity, data governance, and digital privacy.
HR audits have evolved from a simple checklist of dos and don’ts or periodic affirmative action plans to a comprehensive, sustainable process that is an integral part of the organization’s internal controls, due diligence, and risk management function.
Ten things that internal audit can do when working with compliance to leverage the qualities of both functions and create value for the organization.
Internal audit leaders must be more resourceful in acquiring needed skills and capabilities to conduct audits in areas of emerging risk and new technologies.
Many internal audit shops are adopting Agile principles in an attempt to create a more flexible and customer-oriented audit function. And while the results have been promising, expect a few bumps along the way.
Many internal audit departments are struggling to keep up with fast-moving technologies and widespread change in the profession. Staying on track will require more than adopting new technology; it will involve adopting a new mindset.
Could a decades-old management strategy that helped U.S. and European companies respond to the gains in quality made by Japanese manufacturers in the 1980s somehow help internal audit shops improve their game?
A definitive guide to producing, using, and improving a risk heat map at your organization.
In this Internal Audit Insights interview, MISTI's Dr. Hernan Murdock discusses how the internal audit function can benefit from the Three Lines of Defense Model.
In the full video interview below, MISTI's Director of Instructional Technologies and Innovation, Shawna Flanders, discusses where internal audit stands today as it relates to cybersecurity, and offers up some tips on increasing collaboration between the audit and information security functions.
In this video interview with MISTI's Dr. Hernan Murdock, he explains why micro-managing is a big problem in internal audit and offers up advice on how audit leaders can overcome it.
It's not only the information security department that needs to stay on top of cybersecurity regulations. Internal audit also plays a big role. In this interview with MISTI's Shawna Flanders, she discusses the regulations internal audit should keep top of mind.
People choose a line of work for a variety of reasons. Sometimes it is because it pays very well, or it is what our parents steered us towards. It could be because it is the only job in town or because it is glamorous. Regardless of the circumstances and career path that brought you to internal audit, an important question begging for an answer is: Why do you stay?
Traditionally, internal auditing was done retroactively. While our methodology has relied on this practice, and it has been used widely for a long time, one of the issues with this after-the-event approach is that the actions have already occurred. It rests on auditors focusing on issue detection.
Are you familiar with code signing? If not, in this full video interview Venafi's Senior Threat Intelligence Researcher Jing Xie provides us with a breakdown.
Doug Barbin, principal at Schellman and Company, discusses the challenges that security professionals face when it comes to security and privacy assessments, but also provides tips on which assessments bring in the most return on investment.
Receiving feedback is an essential element in every internal auditor’s development. In this feature article, MISTI's Dr. Hernan Murdock provides seven key practices that should be part of this process to make it most effective.
In this interview with Kelly York, security awareness manager at the McDonald's Corporation, she discusses the state of attracting and retaining talent in information security and also provides some helpful tips that could get you and your business over the hump when it comes to the topic.
Updating your risk management program is a critical component of becoming a successful security leader. InfoSec Insider caught up with Argo AI's CSO Summer Craze Fowler who shared her thoughts on the topic, as well as some proven tips.
There’s a big difference between a few butterflies and paralyzing fear when it comes to public speaking. When it comes to giving a great presentation, it’s not just what you say, it’s not just how you say it, but it’s the combination of those two things along with the experience you provide and the feeling you leave your audience with that creates results.
Those entering the internal audit and compliance professions often wonder what they need to do to succeed in their new careers. There is a lot to learn. In fact, the general advice is to become lifelong learners. But there is also the constant pressure from within the department. Here, MISTI's Dr. Hernan Murdock lists nine skills and actions essential for success.
The work of internal auditors and compliance professionals is filled with frameworks, regulations, and policies and procedures documents that define the path for operational effectiveness. Follow those guidelines, manage risk effectively and the likelihood of success increases. But what about our own success?
Trend Micro's Vice President of Infrastructure Strategies William Malik shares his take on what simplicity looks like when it comes to cybersecurity awareness training in the business.
SyncDog CRO Brian Egenrieder discusses the current challenges that security leaders face when it comes to mobility in the enterprise and shares some important steps they can take to overcome them.
Your organization has decided to take the important step of creating an internal audit function, and you’ve been tasked to build it. Building out teams from scratch is always a challenge, but internal audit departments have an especially important role.
Security experts Raef Meeuwisse and Ed Moyle provide a breakdown of tips that up-and-coming security leaders can leverage to have a successful start in the cybersecurity field.
Here’s the truth about editing: editing is vital to producing a good audit report. It’s also tricky and time-consuming. Editing includes content changes, proofreading, grammar, wording, format, structure, and multiple revisions.
In the full video interview below, Tonia Dudley, security solutions advisor at Cofense, provides us with a glimpse into the state of phishing attacks in 2019, and more importantly, what security professionals should be doing about it.
In part four of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with Todd Shaffer, senior vice president and chief risk officer at Johnson Financial Group, who discussed how internal audit leaders are approaching cybersecurity issues today.
DeMISTIfying Security experts Ed Moyle and Raef Meeuwisse discuss recruitment and retention challenges in cybersecurity and offer up some advice for security leaders on the topic.
In part three of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with Patti Puccinelli, vice president of audit advisory services at ManpowerGroup, who discussed why it’s so important for internal audit leaders to continually keep pace with the latest skills and competencies required for the function to achieve its objectives.
In the full video interview below, Ted Harrington, keynote speaker and executive partner at Independent Security Evaluators, provides his take on application security and shares tips on the subject with up-and-coming security leaders.
In part two of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with David Holland, director of internal audit at Modine Manufacturing, who shared his thoughts on the state of resources for the modern-day internal auditor.
In part one of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with David Cook, managing director of internal audit at Robert W. Baird, who shared his thoughts and advice on how audit leaders today can realign their resources effectively.
InfoSec Insider caught up with Trustwave SpiderLabs Principal Security Consultant Matt Lorentzen, who discussed the open source pentesting tool and provided us with a demo.
The modern-day CISO faces a multitude of challenges they must face head-on to build a sense of leadership and vision within the security and risk department. InfoSec Insider caught up with CISO Spotlight's Todd Fitzgerald, who offered up concrete tips up-and-coming security leaders can leverage when it comes to achieving organizational effectiveness.
Management is responsible for setting the organization’s structure, allocating resources throughout the entity, overseeing the programs and processes, and monitoring the related objectives, risks, and controls. Yet, when business managers are asked about risks and controls, a troublingly high number of them at many organizations are unaware of these responsibilities.
Knowing how to approach buying cybersecurity vendors is a difficult task. There’s a lot to manage internally (budget, needs, fit) and it’s hard to know what kind of vendors or solutions would serve your organization best. The fear, uncertainty, and doubt (FUD) experienced by cybersecurity vendors are especially troubling.
In this feature article, communications expert Jill Schiefelbein provides internal auditors with three simple, important rules to help you communicate in a way that will position you as a more confident communicator within the business.
Rapid7’s Director of Research Tod Beardsley highlights what you should know about voting machine security and what more needs to be done for the approaching 2020 elections.
In this follow-up episode, the DeMISTIfying Security experts provide you with proven tips that you can leverage to boost the cybersecurity budget within the business. Don't miss out on this episode.
It’s easy to overlook your own grammar errors. But you’ll be a better writer if you become mindful of your writing and correct your own editing mistakes. Here are five common editing mistakes we all make or might have questions about. Maybe a couple will resonate with you.
Cybereason CSO Sam Curry shares how “black propaganda” is leveraged by foreign adversaries, why 2016 was a failure of imagination from a cyber standpoint, and what we should be prepared for leading into the 2020 presidential elections.
InfoSec Insider caught up with Cylance's Chief Security and Trust Officer, Malcolm Harkins, who shared why he believes leadership in information security today is sorely lacking, but more importantly, what needs to be done in order for today's security leaders to create an "ideal state" for their departments.
Robots are having a growing influence on organizational practices and this dynamic is of great interest to internal auditors and compliance professionals who examine the impact of these technologies on organizational objectives, risks and controls. But they also present a growing concern as the work performed by internal auditors may be replaced by machines.
There are a slew of threats aimed at industrial control systems, and security warriors in that space need to constantly be on their toes. We caught up with Sergio Caltagirone, vice president of threat intelligence at Dragos, who shared how infosec pros in the ICS world can get started with threat profiling.
The work of internal auditors and compliance professionals is complex, challenging and often, unfortunately, under-appreciated by their clients. What makes matters even more stressful for these professionals is that their managers sometimes micro-manage them.
It’s no mystery that the world of cybersecurity constantly faces a massive challenge. It has to pre-empt attacks, predict how hackers will use new attack vectors, and defend its environment against all existing attacks and attacks that may not even exist yet. In this feature, we go over one of the more obscure, but dangerous and difficult, attacks to defend against: airborne attacks.
Security departments have evolved tremendously over the years, but so have cyber threats. As organizations become more aware that nearly no one can be trusted, whose job is it to watch the watchers? At this year’s RSA Conference in San Francisco, InfoSec Insider caught up with Forcepoint's Dr. Richard Ford who dives into the topic.
Cybersecurity is top of mind for most executives and board members, as well as to internal audit. While the information security team may be in charge of measurably reducing cyber risk within the business, internal audit has an important role to play too.
In the latest edition of InfoSec Insider’s DeMISTIfying Security series, veteran experts Ed Moyle and Raef Meeuwisse discuss the state of cybersecurity as it relates to executive support within the business.
Evidence is something that provides proof and it proves or disproves something. It is presented as verification of the facts at issue and generally includes the testimony of witnesses, and the examination of records, documents, and objects. This feature by MISTI's Dr. Hernan Murdock, examines the qualitative elements to consider when it comes to leveraging high-quality evidence.
Cyber swindlers are continually looking to reinvent themselves, and their methods are becoming savvier. InfoSec Insider caught up with Digital Shadows CISO Rick Holland on the recent research that his team has conducted on cybercrime extortion, and how security practitioners can ensure their organizations don't fall prey to these attacks.
Organizations have struggled to gain control over privileged identity management—a challenge that has tripped up many security and risk departments and has caused major cyber incidents. If the title of this article caught your eye, chances are you’re grappling with this issue and are looking for some insights that will make your life a little easier.
Performance auditing is the review of a program or process, and the systems supporting it, to determine whether it is achieving the primary goals of efficiency, effectiveness, and economy in its use of available resources. These reviews are often done in government and non-profit entities, but they are equally important in the for-profit sector.
To become trusted advisors to management it would help if we spoke the same language they do. While auditors and compliance professionals often talk in terms of controls, and increasingly in terms of risk, managers and business leaders often talk in terms of costs, benefits, revenue, reputation, and market share.
Cybersecurity remains a persistent challenge in information technology, and for IT security professionals, AI and other tools are valuable for organically managing cybersecurity without depending on vendors that might have more sophisticated tools and experience using them.
While having strong IT security in place to secure sensitive data on devices and networks is critical, ensuring your organization practices strong physical security is equally important. Organizations need to prevent attackers from being able to walk in and walk out with data, systems, physical documents, or worse: a new connection to your network as a persistent threat.
Internal auditing is a complex field of work that is undergoing significant changes. Today's internal auditors are tasked with managing their careers, so they remain relevant in the short and longer terms. Given this complex environment, it is not surprising that mentoring and coaching have emerged as essential tools to help auditors grow professionally.
Cyber law is focused on bringing more clarity to the privacy questions that new technology introduces. It’s important for all security professionals to have a basic understanding of current and potential future cyber law concepts in order to stay compliant and ensure sensitive data stays safe.
Password security has undergone a significant transformation over the last few years. As a reaction to the insecure form of identity verification that is logging in with a password, technologies such as two-factor authentication (2FA), multi-factor authentication (MFA), and hardware keys have emerged. This begs the question: where does that leave passwords in 2019?
Transitions are those juicy, bite-size gourmet words that connect ideas, sentences, paragraphs, and even sections. Too often, we can misuse, overuse, or omit transitions. This article covers how to use transitions to improve clarity in your reports.
Cybersecurity law is one of those responsibilities that come up in an organization when it’s too late. To get a better sense of how your organization can be equipped to tackle cybersecurity law, we spoke to Stephen Black, professor of law at the Texas Tech School of Law for his advice.
In this follow-up video, the DeMISTIfying Security experts discuss two recent containerization-related issues and how the modern-day security warrior can venture into the unknown to effectively tackle challenges such as this.
Last month in an article about setting the stage for better decision-making we learned about four elements that you should be considering before you even form the words you want to say. This month it’s all about the messaging.
Recent incidents illustrate the risks that healthcare networks are subject to in today's ever-expanding cybersecurity threat landscape. In particular, securing networked medical devices in this environment can be challenging.
One of the most overlooked, but essential, elements of the persuasive process is establishing a definite need in your to-be-persuaded-audience’s mind. In other words, how does the client know that they need what you have to offer? Here, we explore the topic.
So many vendors, so little budget. Security departments are constantly tasked to know how to properly allocate funds to staffing, resources, tools, solutions, software, vendors, third-party contractors, and more. Even an unlimited budget wouldn’t help as security departments can find themselves bloated with software or vendors, leading to an inefficiently run department.
As business processes become more complex, information more widely dispersed, and the risk environment more complicated, the need for internal auditors to adapt to this new environment becomes imperative. This is where rotation programs can really save the day.
Today, there are highly specialized training options offered both in-person and online in the form of meetups, webinars, formal courses, and in-house and external conferences. The attractiveness (cost, convenience, and specialty) of these alternative options has driven cybersecurity talent to steer towards education avenues outside of traditional academia.
The search for qualified, competent internal auditors remains a challenge for many audit departments. As internal audit leaders continue to struggle to find qualified additions to their teams, what areas should they be focusing on and what steps can they take? This feature story answers those questions.
When you’re talking information security among your peers, it sounds like a totally different language than the rest of your organization speaks. This puts infosec professionals in a bind. On the one hand, security vulnerabilities exist throughout the company. Yet you, alone, are carrying the burden of knowing just how serious it can get. That’s why it’s up to you to create an information security communication strategy.
Internal auditors must engage in lifelong learning. They are increasingly participating in webinars, consuming online content, and listening to podcasts. While all of these actions are conducive to learning, there is another learning opportunity that many internal auditors and compliance professionals may not be familiar with: Symposiums.
From steering clear of marketing buzz to the impact of misinformation, DeMISTIfying Security hosts Ed Moyle and Raef Meeuwisse point out the security assumptions that could be catastrophic to any security practitioner’s role.
So, what exactly does an IT auditor do? In this article, we provide a broad breakdown of an IT auditor's responsibilities, the necessary skills to become one, how an IT auditor interacts with other roles throughout their organization, and more.
In this article, we’ll go over what devices infosec departments should have an eye on and how to tackle the challenge of BYOD head-on. For an expert’s perspective, we spoke to Georgia Weidman, founder of Shevirah, a mobile and IoT testing company.
There are some common communication mistakes that junior auditors make. Lucky for you, this article is going to point these foibles out and show you how you can change the trajectory of your communication to show confidence, not self-consciousness.
Cybersecurity awareness training is a critical component to your security hygiene. The most effective training programs are offered frequently and use available frameworks, focus points, tools, and tactics to build a culture where cybersecurity is embraced, not avoided or shunned.