The only thing worse than having a huge problem is having a huge problem and not realising it. Believe it or not, many organisations are in the latter boat right now. Specifically, many organisations are undergoing a proliferation of secrets at a scale and scope that eclipses the ability of mechanisms and controls they may have in place to keep them protected.
The Three Lines of Defence Model provides a framework to clarify the involvement and alignment of multiple assurance providers acting on behalf of their client organisations. It has become increasingly common to have various risk and control professionals working side by side to help their organisations manage risk and increase the likelihood of achieving strategic and operational goals.
Last week we shared the first part of this two-part series on cyber threats in 2019. This week we wrap up the remainder of the insights we shared thanks to our conversation with subject matter expert Adrian Sanabria, VP of strategy and product at NopSec.
Emotet is a highly sophisticated malware with a modular architecture, installing its main component first before delivering additional payloads. In this contributed article, Darktrace's Max Heinemeyer, director of threat hunting, breaks down the threat.
As we work toward the thick of the year, we've compiled a list of which cybersecurity regulations could be impactful this year, some of the challenges that they could present, and the reasons behind some of the changes we've highlighted below.
In the latest edition of MISTI’s DeMISTIfying Security, Ed and Raef dissect the zero trust model. From the pros and cons, to the obstacles you may face rolling out this philosophical approach to security, this week’s segment will shed new light on this topic.
As fraud investigations get folded into the internal audit department, some audit shops are tempted to frame a fraud report in the same format and tone as the audit report. The idea couldn’t be more wrong. Read on for ways to present a full and succinct fraud investigation report using report design, content, and tone.
InfoSec Insider caught up with one SME that helped us put together a list of the looming threats your company should keep an eye on and how organisations can defend themselves accordingly. Here's a look at what you should have on your radar.
In internal audit, the methodologies of the past may have made the organization successful, but there is no guarantee that those same procedures will lead to success in the future. In this featured article, MISTI's Dr. Hernan Murdock highlights some examples of ways that innovation can help internal auditors, but most importantly, outlines how they can get started.
Every company has a different way to communicate and a different report format to use. Well, there is no best way – each format has its pros and cons and you have to weigh the benefits of each format for your audience.
The term threat hunting has been tossed around a lot, but what does it actually mean and can your cybersecurity playbook benefit from it? Many organisations are tapping into its benefits, so we've decided to provide you with a breakdown in this feature article.
Most advice people have regarding decision making is along the line of, “weigh your options”, “get outside advice from a trusted source”, or “look at the cost-benefit or ROI”. That advice is fine and dandy, but it ignores one key fact: If the stage on which the decision is made isn’t set appropriately, the decision may not be the best. Here are four steps to set the stage for productive conversations and more efficient decisions.
Social engineering is unique in the cybersecurity world as its scope of influence can vary widely on the software, hardware, and even psychological level. In this article, we’ll cover social engineering attacks and help you learn from recent developments in the space.
In last week's segment, Ed and Raef discussed some of the major developments in infosec in 2018. This week, they take out their crystal ball and look into 2019, sharing their thoughts on what many practitioners could expect.
Technology has impacted quite a lot, but privacy is likely what hits closest to home for everyone. Internal Audit Insights catches up with IHS Markit Internal Audit Director Tony Redlinger, who discusses what the state of privacy is today, and more importantly, what impact it has on the modern-day IT auditor.
Artificial intelligence is found in homes across the globe, and it's also being leveraged by troves of organisations across the country. But how mature is the technology and how open should you be to adopting it as part of your security strategy? In this exclusive interview, we catch up with one expert who breaks it down for us.
Fraud costs organisations millions of dollars each year. Simply Google the phrase “fraud scheme,” and you will discover more news stories than you have time to read. If auditors do not detect and stop a fraud scheme, they have cost their organisation real money. So, another question for you: Do you want to explain to your audit committee why your department did not detect a $63 million fraud?
You’ve read a bazillion articles on data analytics theory (ho-hum) in auditing. And we'll be the first to say that we've written a variety on this site. But this time around, let’s focus on how to actually use those data analytics in a single audit area: risk assessments.
In the latest installment of InfoSec Insider’s DeMISTIfying Security series, security experts Ed Moyle and Raef Meeuwisse return to review the major breaches, developments, and takeaways that you can get from information security events in 2018.
Internal Audit Insights catches up with Nancy Luquette, senior vice president and chief risk and audit executive at S&P Global, who shares her take on the state of women in internal audit in 2019 and the challenges many female practitioners face, but more importantly, how they can overcome them.
Like it or not, the digital transformation era is here. But what does that actually mean, and more importantly, what does it mean to you? We caught up with Zscaler's Business Value Consulting Leader, Jason Georgi, who broke it down for InfoSec Insider.
As business processes become more complex, information more widely dispersed, and the risk environment more complicated, the need for internal auditors to adapt to this new environment becomes imperative.
What's the state of artificial intelligence in the enterprise today? More importantly, how can the security and risk department benefit from it to measurably reduce risk within the business? InfoSec Insider caught up with Neil Larkins, CTO at Egress Software, who breaks it down for us.
Internal Audit Insights caught up with Jami Shine, corporate and IT audit manager at Quiktrip Corp, who shared some proven advice on how non-technical auditors can overcome some of the challenges associated with IT risks.
InfoSec Insider catches up with the Cloud Security Alliance's Jim Reavis, who shares what security leaders should be focusing on when it comes to cloud security in 2019. You'll want to take note of these insights and predictions.
As 2018 wraps up, InfoSec Insider looks back at some of the most popular articles we've produced for our loyal audience. From communicating security metrics to the board and making sense of attack patterns, to key areas that you should focus your cybersecurity strategy on, here's a list of the top 10 articles.
And just like that, another year has gone by. We've had a blast providing you with insights all throughout the year, covering audit report writing, project management, and coverage on emerging technology. Here we've compiled a list of the most read articles.
Security practitioners that are looking to migrate their business to the cloud in a successful manner have to consider quite a lot. That's why InfoSec Insider caught up with security leader and industry veteran Mark Arnold during this video interview where he quickly breaks down what you should and shouldn't be doing when it comes to the topic.
Communications expert Jill Schiefelbein chats with Internal Audit Insights and offers up her take on what makes audit interviews so difficult for the modern-day internal auditor, and also offers up specific advice you can use during your next audit interview to ensure you're navigating those encounters effectively.
A CISO’s list of responsibilities are vast. They need to protect, defend, and identify any risks and potential attacks that may hit their company’s environment. However, knowing what needs protection is its own challenge.
Effectively closing the audit plan and landing on specific action items to pursue can be a challenge. In this contributed article, Workiva's Ernest Anunciacion provides three steps to close this year's audit plan and prepare for next year.
Data analytics is being leveraged more than ever by internal audit departments, but for those that haven't jumped on the bandwagon yet, this interview with CVS Health's head of data analytics explains the benefits, challenges, and misconceptions tied to the technology.
The concept of “tone” plays a key role in the control environment of the organisation. While it is set at the top, it should cascade without distortion or gaps throughout the entire organisation.
Today's IT playing field demands a higher state of alertness, not only within your enterprise but also outside of it. However, when it comes to security, not all vendors are created equal. Some very likely have inferior security hygiene and practices that can affect you big time.
InfoSec Insider catches up with Debbie Hoffman, CEO of Symmetry Blockchain Advisors at the CSA Congress event, who clarifies what blockchain means to security leaders today, and any privacy implications they should be aware of.
In this edition of the Audit Writer's Hub, we specifically tackle some of the pesky nothings – unimportant sentences, filler phrases, and negative phrasing – that creep into our writing and how to get rid of them.
The idea behind collaborative security is to change the security and threat landscape from the daunting “one vs. many” to “many vs. many,” embracing the power of knowledge and collaboration to protect valuable data.
MISTI’s Dr. Murdock shares what the status of the internal auditor is today, in addition to providing some key audit leadership techniques that many up-and-coming audit leaders are commonly unaware of.
In this walkthrough, InfoSec Insider experts Ed Moyle and Raef Meeuwisse demonstrate one useful exercise that can aid security practitioners in getting a lay of the land in their organisation, serving as the perfect first step in ultimately measuring and reducing information security risks.
The government has urged the private sector to offer agencies secure cloud solutions through the FedRAMP accreditation, which establishes baseline standards for security assessment, authorization, and continuous monitoring. Here, we provide six key considerations to help guide FedRAMP accreditation efforts.
InfoSec Insider SMEs Ed Moyle and Raef Meeuwisse are back, but this time they're talking fundamentals. If you're an up-and-coming security warrior, you'll definitely want to heed this advice from the two infosec experts.
With increased access to cost-effective and user-efficient digital communication technologies that allow people to intentionally or spontaneously connect from any place, at any time, we have opportunities to collaborate like never before.
Professional scepticism is a critical component of an internal auditor's duty of care that applies throughout any engagement. It's an attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence. Here are the three key elements of scepticism you should know.
In this video interview with Internal Audit Insights, Constance Snelling, director of IT risk at Jackson National Life, offers up the essential skills that are needed to be a successful IT auditor today and how this ties into performing an integrated audit.
RPA, robotics, robots, bots … as internal auditors you have undoubtedly been hearing this terminology tossed around more and more. What exactly is it? Why is it such a hot topic? Here we answer those questions.
As a security practitioner, we're sure you've heard of the benefits of open source intelligence (OSINT). But what exactly is it and how can you leverage it as part of your current security strategy? This article answers that question and more.
Internal Audit Insights catches up with Ford Winslow, CEO of ICE Cybersecurity, to discuss what effect the “speed of business” has had on GRC controls, and what IT auditors should prepare for.
The balanced scorecard is a system used to make sure business operations are aligned with the organization’s mission, vision, and strategy. Since it uses several measures to determine success, it helps those involved to balance what is achieved with how it is achieved. Here's how.
This will probably be a contentious point for some, but there are situations where a penetration test isn’t the best use of an organization’s resources. Here, we examine what is (and isn't) a pentest, and what its goals should be depending on your organization's needs.
Cyber threats are top of mind for board members, but communicating cyber threat intelligence may not be the easiest task for security leaders. In this recent interview, Tim Callahan, senior vice president and global security officer at Aflac, provides some helpful tips that could go a long way.
There tends to be a fair amount of confusion when it comes to a fraud risk identification approach versus an experience-based approach, but here we set out to create a list of universal definitions intended to clarify how and why you might use this approach.
IT audit is only beginning to familiarize itself with DevOps as more organizations begin to deploy successful programs. But is it fair to say that DevOps and compliance go hand in hand? In this video interview with Atlassian Risk Futurist Guy Herbert, he gives his take on the topic.
As auditors, we all know that internal audit is uniquely positioned to understand where risks lie within an organization. But sometimes audit doesn’t get the opportunity to communicate the company’s risks to a broader audience. Here, we share a few ideas to help internal audit build bridges between knowing, communicating, and fixing risk in a company.
Threat intelligence has transformed the information security world for the better but it’s not always leveraged in the best way possible by organisations and departments. InfoSec Insider spoke to threat intel expert Karl Sigler to get a sense of how organisations can maximize threat intelligence for their organisation.
InfoSec Insider catches up with Armis co-founders Yevgeny Dibrov and Nadir Izrael who discuss the current climate as it relates to IoT security, and offer up some dos and don’ts when it comes to connected devices within the enterprise.
Many internal audit teams are not using video conferencing and virtual meetings to their advantage. When they're set up for success, research shows that virtual teams can be more effective in solving quick, simple problems than face-to-face teams.
Conducting penetration testing via simulated attacks on your organisation's network is the best way to help your business evaluate the strength of your network security protocols and identify any backdoors, weaknesses, and gaps between different security tools, and prioritise risk. This contributed article explains why.
While patching vulnerabilities seems like a “low-hanging fruit” task for many security practitioners, it seems as though many still fail to do so. In this interview with application security expert Chris Eng, he highlights the common blind spots associated with vulnerability management.
As an internal auditor, it’s not just your words, it’s the absence of words or untimely words that could still convey a message to an audit client. It’s not only your actions, but it’s also the lack of action. All of these aspects result in communication. Communications expert Jill Schiefelbein explains more.
As Dirty Money Constellations continue to move from the “Islands of Shame” to the re-emerging epicentres of power, should we just be passive observers or is there something we can do?
A great deal has changed over the years when it comes to risk, including the willingness and interest of CAEs, audit committees, and boards to talk about risk. As part of the increase in dialogue relating to risk and risks on the horizon, much has been written and discussed. Here, Experis's Alec Arons consolidates that information.
Ntrepid Corporation’s Chief Scientist Lance Cottrell chats with InfoSec Insider and offers up the major dos and don’ts tied to password management, as well as pinpoints the significant weaknesses in some of the systems we’ve come to rely on heavily.
NSS Labs CEO Vikram Phatak speaks with InfoSec Insider and offers up tips to up-and-coming security professionals on how to make smart and effective cybersecurity solution purchasing decisions. From blocking out buzzwords and marketing jargon to building a great team, here’s what you need to know.
Data privacy and protection is an often underappreciated aspect of information security, but in many ways, it provides the foundational groundwork for a well-established security environment that offers internal and external reassurance. Here's why and how you should train up your team.
Many organisations are still failing to effectively audit areas such as cloud security or even social media. So what areas should you be covering and why? This article answers questions tied to that topic. Here you'll find the top IT risks that consistently vex companies, and how to protect your assets.
Histograms are a very powerful tool to analyze data because they show the distribution of a continuous variable in a diagram and their appearance is similar to bar graphs. In this feature article, MISTI's Dr. Hernan Murdock explains how internal auditors can leverage them.
Persuasion is an important aspect of internal auditing that doesn’t receive enough attention or coverage. Internal auditing is done to verify that conditions and practices are as expected, and to identify opportunities for improvement within organizations.
We’ve seen the rules for data security change from relatively simple policies, such as simple access controls, to much more complex policy requirements with the implementation of GDPR. This article’s intended to cover three new perspectives that will influence data protection controls in the coming years.
Is serving as an advisor and maintaining internal audit’s essential responsibility of objectivity, free of management influence, possible? Spoiler alert: Yes. And it’s both necessary and crucial to the internal audit profession’s standing in any organization.
On Tuesday InfoSec Insider kicked off a how-to video series that focuses on topics surrounding the challenges that our readers face on a daily basis. In this companion video, security expert Ed Moyle provides a deep dive on how you can protect your organization from cryptocurrency mining malware and cryptojacking.
In a perfect world, the client is receptive, understands each recommendation, and takes immediate corrective action. But we all know that perfect world doesn’t exist. In this informative feature, communications expert Jill Schiefelbein explains what internal auditors can do to make audit clients more receptive to their communication.
What's the best way to detect network risks and other vulnerabilities from cyber threats? If you guessed a pen test, then you're right. In this feature article, we've created a no-nonsense guide that answers pertinent questions about penetration testing.
Security experts Ed Moyle and Raef Meeuwisse dissect the topic of cryptocurrency mining malware and cryptojacking; what it means to you as a security professional and how you can protect the enterprise from it.
In this second installment of our two-part series on vendor overbilling, we look at how to use fraud data analytics designed to uncover a complex fraud scheme and the fraud audit procedures designed to provide credible evidence.
Fraud expert and MISTI instructor, Leonard Vona, selected a complex corruption scheme and a complex overbilling scheme to illustrate how fraud auditing can detect even the most complex schemes.
Arctic Wolf’s Sam McLane sits with InfoSec Insider at Black Hat, a security conference in the US, to discuss the major dos and don’ts when it comes to incident response, in addition to some misconceptions that some security practitioners may have on the topic.
Internal Audit Insights catches up with Yulia Gurman, Director of Internal Audit and Corporate Security at the Packaging Corporation of America on the common questions that audit committee members have tied to cybersecurity, and what IT auditors should prepare for.
InfoSec Insider catches up with Trustwave SpiderLabs Threat Intelligence Manager Karl Sigler on the company’s latest open source tool, which enables penetration testers and red teamers to scrape social media data.
As internal auditors increase their use of data analytics to better understand process characteristics, isolate issues and perform more accurate root cause analysis, the Pareto Diagram continues to grow as a useful tool for them.
IT audit expert Mark Thomas, president of Escoute Consulting, chats with Internal Audit Insights on the impact that cloud migration has had on the business, and shares the major Dos and Don'ts that IT auditors should know about GRC in the cloud.
What is the bottom line from a security perspective when it comes to mobile payments? In the current state of the ecosystem, mobile security expert Aaron Turner offers up his take and advice on the topic.
The balanced scorecard is a system used for planning and management to make sure business operations are aligned with the organization’s mission, vision, and strategy. In this featured article, MISTI's Dr. Hernan Murdock explains how you can use it to your advantage.
As the business world changes at an accelerating rate, auditors need to keep up or risk becoming irrelevant and unable to provide the insight that will allow their organizations to succeed. That means they’ll need to continually add to their skills and knowledge.
As organizations continue to evolve and innovate, new risks arise. Meanwhile, the larger business environment continues to change, often rapidly and in unexpected ways. This places new demands on the internal audit function.
GDPR was a major focus for many organizations this year, whether through extensive business process mapping, understanding the purposes of personal data, or defining its scope. But now that it's here, what should security professionals focus on next?
Organizations are accumulating large amounts of data and internal auditors are rapidly increasing their mining for, and use of, these sizable data sets. This proliferation of data raises the question of how to extract meaning from it all.
Threat intelligence expert Dave Ockwell-Jenner discusses how organizations have changed the way they approach threat intelligence, and provides the primary Dos and Don’ts associated with developing a successful threat intelligence program.
With distributed workforces and flexible workstyles, virtual team meetings are becoming commonplace in the internal audit function. Many times, though, virtual meetings aren’t taken with the same level of seriousness as in-person meetings are.
Summer will be over before you know it and for many of you, it might be time to hit the road again for business travel. Before you pack up all of your devices, you might want to keep some of this advice in mind to ensure your data is secure.
As the number of blockchain implementations continues to grow, internal auditors will need to learn about both the promise and risk this technology offers. So what exactly is blockchain technology and what does it mean to you as an internal auditor? This article answers that question.
Given the skills gap in information security, it's important for cybersecurity managers to diversify and expand the skill base of their team members. Here, we highlight how they can do it from a practical point of view.
The Cyber Threat Alliance’s Chief Analytic Officer Neil Jenkins provides an update on the state of information sharing in 2018 and offers some insight on the steps security practitioners can take if they’re interested in sharing their threat data.
The European Union’s GDPR is officially in effect, but that’s likely not the last regulation that will be implemented that has an impact on the internal audit function. Here’s what you should consider five years from now.
The presentation skills that you were likely taught in high school and college in no way prepared you for the reality of delivering reports in front of boards and audit committees. This article is your crash-course in small group presentations and gives you two key areas to consider.
Rotational auditing has been a fishing hole for years. The pros and cons have been fished around too. And then fished around some more. Auditors have a way of fishing. But paddling deeper into audit's consulting water, rotational auditing could provide a venue for teaching risk awareness.
Developing a threat hunting program may be challenging, but it doesn’t have to be. In this feature article, one subject matter expert provides us with a glimpse into her experience on the topic and what you can expect.
Threat modeling is essential to becoming proactive and strategic in your operational and application security.
TalaTek’s Baan Alsinawi provides an update on the state of third-party risk management as it relates to IT auditors and sheds light on the hidden traps they should look out for as it relates to trusted business partners.
CA Veracode’s Chris Wysopal discusses how the 2016 presidential election hack broadened the horizon on how security warriors think about defending their data and offers up advice on what they should consider when it comes to protecting sensitive information.
Escoute Consulting President Mark Thomas dives into the topic of communication challenges within the enterprise, why they exist among IT audit and cybersecurity, and the steps you can take to ensure those silos are broken down.
Cylance’s Colt Blackmore discusses why leveraging AI isn’t limited to purchasing an out-of-the-box solution and details the critical steps that security practitioners should take to successfully utilize the technology to their organization’s advantage.
Information drives modern organizations, so it is imperative that metrics be used that give management objective information. In this instructive article by MISTI's Dr. Hernan Murdock, he advises on how internal auditors can do just that.
Trustwave’s Karl Sigler discusses the state of cyber threats in 2018 and suggests what areas of your security strategy you should focus on to take proactive steps in measurably reducing risk within the business.
Fastpath’s Keith Goldschmidt discusses who the real owners of risk are within the enterprise, but also offers up insight on what IT audit can do to help streamline communication and do their part in creating a “risk culture” within the business.
When designing continuous auditing procedures, auditors and management must think through what the metrics are, and what thresholds would trigger the auditors’ desire to gain a better understanding of operational issues.
It's up to security professionals to infer the security significance of all the events that security solutions report. The first step to arriving at an answer to this intractable problem is teaching our security tools to understand us. Advancements in Natural Language Processing could help.
XebiaLabs’ Robert Stroud highlights what it is that IT audit needs to know about DevOps, why they should care, and offers up ways in which they can approach DevOps in a constructive manner that ultimately reduces risk in the organization.
After 25 years in internal audit, I have come to the conclusion that excellent audit planning is essential to ensuring an effective audit. What is a successful audit? A good measure is whether both audit management and the auditee feel good about the end results.
SAP CSO Justin Somaini discusses how the role of the CISO has evolved into what it is today, and what up and coming security leaders should prepare for once they take charge of a security program at a major organization.
The dark web is one of those elusive subjects that can often get misinterpreted. We spoke to Reclamere's Connie Mastovich to get her expert take on what the dark web is, what risk it poses to companies, and how to protect yourself from it.
Onspring’s Jason Rohlf discusses how technology has impacted the internal auditor of today, but also offers tips on how auditors can stay ahead of the curve, rather than play catchup.
Farsight CTO Merike Kaeo discusses why DNS is still underutilized as a security tool today, shares some examples of lessons learned that could apply to you, and provides steps you can take to ensure you’re taking advantage of your DNS infrastructure.
In this featured post, we speak to TrustedSec Founder Dave Kennedy who offers up advice on how you can set up your security department’s defenses to respond and defend against common attacks.
According to MISTI’s annual Internal Audit Priorities Report, internal audit leaders are in need of hiring outside assistance for challenges they face surrounding IT security. Here, we share a few tips to help you find the best IT consultant for your needs.
Numbers and fancy charts are only able to tell part of the story for internal auditors. If you want your reports and your data to come alive for your clients, you need to make your words matter. Words, when it comes to driving action, are your most valuable currency. Here's why.
Is your organization adequately equipped to identify anomalous patterns across the network? If you're doubtful, it may be time to try out alternative models that will help you detect previously unknown attacks.
Cisco's Edna Conway shares her insight on what infosec leaders can do to ensure that security becomes an active discussion about the way you operate within the business, rather than an added bolt-on feature.
Internal auditors have been working toward shedding the "corporate cop" label given to them within the enterprise. But what is a trusted advisor? What do they do and what behaviors are necessary to become a trusted advisor?
The Sarbanes-Oxley Act of 2002 Section 301 requires publicly-traded companies to have a whistleblowing program. But, how do we know if the program is effective? This article should help get you on your way.
When salary is fixed and the perks are what a Gen Xer would like but maybe not a millennial (i.e., catered lunches, unlimited paid time off, yoga hour), how does an audit shop change their philosophy to cater to the younger crew? Below we explore different ways to motivate a millennial auditor.
Bugcrowd’s Keith Hoodlet outlines the importance of attack-driven development and offers up the key steps security practitioners should take for this approach to have a positive impact on their overall security strategy.
Media communication in the face of a cybersecurity incident often gets the shaft in favor of incident handling, but what you don't handle can come back to haunt you.
To continually operate more efficiently and add greater value to the business, internal audit has to boost its performance throughout each stage of the audit cycle. The guidelines below can help you improve the risk assessment, planning, execution, and reporting stages of the audit cycle.
We recently discussed the intersection of emotional intelligence and strategic intelligence. Here are some more common strategic areas to look at. One of these may be similar to your company, or maybe you have some additional strategic areas too. We’d love to hear about them.
Uber’s Melanie Ensign discusses the relationship between the communications function and infosec teams and offers up some uncommon communication tips for security leaders that may have a skewed view of the communications department within their organization.
Infusing an audit with strategic intelligence can be a little uncomfortable. But a little stretch does an auditor (and the company) good. Here, we've provided a few tips to articulate the big picture to your team and your auditee.
Given the troves of education information, training, and technology available to security professionals, you’d think they’d be a step ahead of malicious actors. But this overabundance of information may actually be causing more harm than good. Here’s what one expert had to say about the “fog of more.”
Cybersecurity staffing requires more than simply finding enough people to accomplish tasks.
As an internal auditor, what you do is NOT your title. It's NOT your longevity in the field. It's NOT a credential. However, as an internal auditor, the question "What do you do?" typically doesn't receive a straightforward answer. Here we provide you with an activity that will get you thinking about what you DO, and help you communicate it effectively.
Cybersecurity conferences often lead to inbox overload, but they don't have to if the onsite experience is managed correctly.
Cybersecurity teams seem to understand their biggest areas of challenge, yet the action to put effort behind remediating those problems falls short.
Internal audit is positioned to help evaluate risk that arises from working with vendors. Here we outline steps for determining which vendors to audit and what to focus on during the audit.
InfoSec Insider catches up with one threat expert who discusses why security professionals should consider a proactive threat hunting model, and outlines how they can take that approach.
Effective communication, teamwork, and accountability are key ingredients of efficient programs, processes, and projects. Unfortunately, many organizations suffer due to a misunderstanding of who’s responsible for what. Here, Dr. Hernan Murdock details how RACI Charts can help internal auditors overcome these challenges.
Auditors in search of a great decision-making tool to identify the forces for and against a course of action should look no further than Force Field Analysis. In this feature, MISTI's own Dr. Hernan Murdock details how internal audit can leverage this technique.
Today's threat landscape is like a tentacled sea monster that security practitioners have to battle on a daily basis. In this feature story, we highlight the top five most likely cyber risks to organizations today.
Jonathan Sander addresses why security teams fail at controlling privileged identities, and what they should be doing that won't upset the apple cart.
There is no question that the cybersecurity job market is hot, but not any old recruiter is suited to help you with your hiring needs.
Learn why the virtual CISO is quickly becoming an attractive option for enterprises.