One of the challenges internal auditors encounter when analyzing a finding is identifying the root cause of the problem. This is where the Cause and Effect Diagram can help. In this featured post, MISTI's Dr. Hernan Murdock explains how and why.

In audit report writing, we’re all pretty well tethered to writing the 5C’s of an audit issue, namely the criteria, condition, cause, consequence, and corrective action. In this edition of the Audit Writer's Hub, MISTI instructor Sarah Swanson focuses on criteria.

Forcepoint’s Dr. Richard Ford discusses the impact that the 2016 election meddling had on the cybersecurity community, and the lessons learned that security practitioners should take note of, but most importantly, act on.

Internal auditors do not always come into the profession knowing how to write well. That's why there's so much material available on writing clearly. But what if there was an alternative perceptive that would transform an internal auditor's written and spoken communication?

At the end of the day, PowerShell is an enormously flexible, valuable, and helpful tool in any enterprise administrator’s toolbox, so “turning it off” isn’t really a viable option for most shops. In this informative feature, subject matter expert Ed Moyle explains why.

Tripwire's Tim Erlin chats with InfoSec Insider on the state of cyber hygiene in 2018, where we are, why we're there, and highlights different areas that security practitioners are failing to cover as it relates to securing the business.

Rapidly accelerating pressures are fueling the need for the internal audit profession to transform its thinking from being financial controls-centric to shareholder value-centric. Here's how internal auditors can adapt to this "new normal."

For consumers looking for an easier-to-use login experience, there is a solution: push authentication. This approach is a vast improvement over sending a one-time passcode via SMS and is truly the most secure method of 2FA.

Effectively closing the audit plan and landing on specific action items to pursue can be a challenge. In this contributed article, Workiva's Ernest Anunciacion provides three steps to close this year's audit plan and prepare for next year.

Cybrary COO Kathie Miley pinpoints the real issues organizations face when it comes to the cybersecurity talent shortage, why employers are doing a good job of finding the right talent only in certain circumstances, and the impact the cybersecurity solutions market is having on the talent shortage.

As internal auditors increase their use of data analytics to better understand process characteristics, isolate issues and perform more accurate root cause analysis, the Pareto Diagram continues to grow as a useful tool for them.

The rise of IoT has introduced new challenges to security in the enterprise. Like most security challenges, protecting against threats is the basic work of good IT hygiene. Organizations can adopt existing identity management best practices to meet this new challenge.

IT audit expert Mark Thomas, president of Escoute Consulting, chats with Internal Audit Insights on the impact that cloud migration has had on the business, and shares the major Dos and Don'ts that IT auditors should know about GRC in the cloud.

What is the bottom line from a security perspective when it comes to mobile payments? In the current state of the ecosystem, mobile security expert Aaron Turner offers up his take and advice on the topic.

The idea that all internal networks should be considered trusted while external networks should be trusted was fundamentally wrong. This featured article describes why the move to the cloud has also accelerated the movement to Zero Trust.

The balanced scorecard is a system used for planning and management to make sure business operations are aligned with the organization’s mission, vision, and strategy. In this  featured article, MISTI's Dr. Hernan Murdock explains how you can use it to your advantage.

The context around security events is essential to qualify if those events are false positives or worthy of a security response. However, today security operations are predominantly focused on event monitoring and rely on security analysts to reconstruct context.

As the business world changes at an accelerating rate, auditors need to keep up or risk becoming irrelevant and unable to provide the insight that will allow their organizations to succeed. That means they’ll need to continually add to their skills and knowledge.

As organizations continue to evolve and innovate, new risks arise. Meanwhile, the larger business environment continues to change, often rapidly and in unexpected ways. This places new demands on the internal audit function.

GDPR was a major focus for many organizations this year. Whether it has been extensive business process mapping, understanding the purposes of personal data, or defining its scope. But now that it's here, what should security professionals focus on next?

Organizations are accumulating large amounts of data and internal auditors are rapidly increasing their mining for, and use of, these sizable data sets. This proliferation of data raises the question of how to extract meaning from it all.

Threat intelligence expert Dave Ockwell-Jenner discusses how organizations have changed the way they approach threat intelligence, and provides the primary Dos and Don’ts associated with developing a successful threat intelligence program.

Blockchain has become the new buzzword of choice across a wide spectrum of industries, such as finance, tech, and the information security industry. However, what blockchain is and what its applications are still seem to be unclear. This article sets the record straight.

With distributed workforces and flexible workstyles, virtual team meetings are becoming commonplace in the internal audit function. Many times, though, virtual meetings aren’t taken with the same level of seriousness as in-person meetings are.

Phishing attacks aren't going anywhere any time soon. In fact, these scams have only grown in popularity among attackers. This helpful article dispels the four common phishing myths to help employees and outside partners be even more adept at identifying these crimes.

Summer will be over before you know it and for many of you, it might be time to hit the road again for business travel. Before you pack up all of your devices, you might want to keep some of this advice in mind to ensure your data is secure.

As the number of blockchain implementations continues to grow, internal auditors will need to learn about both the promise and risk this technology offers. So what exactly is blockchain technology and what does it mean to you as an internal auditor? This article answers that question.

Bugcrowd Founder Case Ellis discusses the evolution of bug bounty programs and their impact on information security, in addition to providing tips on the key areas to focus on when it comes to developing a bug bounty program at your organization.

If you’ve ever read or written a sentence along the lines of “Financial misstatement could lead to financial loss,” or “Non-compliance with policies” (what does that even mean anyway?), then read on for some tips to improve the risk statement.

Given the skills gap in information security, it's important for cybersecurity managers to diversify and expand the skill base of their team members. Here, we highlight how they can do it from a practical point of view.

The Cyber Threat Alliance’s Chief Analytic Officer Neil Jenkins provides update on the state of information sharing in 2018 and provides some insight on the steps security practitioners can take if they’re interested in sharing their threat data.

Summer will be over before you know it and for many of you, it might be time to hit the road again for business travel. Before you pack up all of your devices, you might want to keep some of this advice in mind to ensure your data is secure.

A CISO’s list of responsibilities are vast. They need to protect, defend, and identify any risks and potential attacks that may hit their company’s environment. However, knowing what needs protection is its own challenge.

If you're a government contractor or a government entity hiring contractors, you need to know the ins and outs of the new FAR and DAR Councils' cybersecurity rules for government contractors.

When is it time for your organization to share cybersecurity information with its competitors and how much should you be sharing? We interview two industry experts that provided us with their take on the topic in this featured video interview.

The European Union’s GDPR is officially in effect, but that’s likely not the last regulation that will be implemented that has an impact on the internal audit function. Here’s what you should consider five years from now.

The presentation skills that you were likely taught in high school and college in no way prepared you for the reality of delivering reports in front of boards and audit committees. This article is your crash-course in small group presentations and gives you two key areas to consider.

Creativity is the use of imagination or original ideas, but it's not that important for internal auditing. Given that reporting rules and regulations are non-negotiable, there is little room for creativity and original ideas, right? Wrong! Here's what you can do to be creative while conducting audits.

Cybereason’s Israel Barak discusses the approach that far too many businesses take when it comes to their security strategy and highlights the steps that security professionals should be seeking to rethink the programs and challenges they face tied to measurably reducing risk within the business.

Rotational auditing has been a fishing hole for years. The pros and cons have been fished around too. And then fished around some more. Auditors have a way of fishing. But paddling deeper into audit's consulting water, rotational auditing could provide a venue for teaching risk awareness.

Developing a threat hunting program may be challenging, but it doesn’t have to be. In this feature article, one subject matter expert provides us with a glimpse into her experience on the topic and what you can expect. 

Threat modeling is essential to becoming proactive and strategic in your operational and application security. 

TalaTek’s Baan Alsinawi provides an update on the state of third-party risk management as it relates to IT auditors and sheds light on the hidden traps they should look out for as it relates to trusted business partners.

CA Veracode’s Chris Wysopal discusses how the 2016 presidential election hack broadened the horizon on how security warriors think about defending their data and offers up advice on what they should consider when it comes to protecting sensitive information.

Escoute Consulting President Mark Thomas dives into the topic of communication challenges within the enterprise, why they exist among IT audit and cybersecurity, and the steps you can take to ensure those silos are broken down.

Cylance’s Colt Blackmore discusses why leveraging AI isn’t limited to purchasing an out-of-the-box solution and details the critical steps that security practitioners should take to successfully utilizing the technology to their organization’s advantage.

In this age of vendors offering simple solutions to complex problems, defenders need the ability to see past the glamour of marketing. That's where attack simulation technology can help, enabling use cases in the market that help answer pressing questions in enterprise security.

Information drives modern organizations, so it is imperative that metrics be used that give management objective information. In this instructive article by MISTI's Dr. Hernan Murdock, he advises on how internal auditors can do just that.

Trustwave’s Karl Sigler discusses the state of cyber threats in 2018 and suggests what areas of your security strategy you should focus on to take proactive steps in measurably reducing risk within the business.

Fastpath’s Keith Goldschmidt discusses who the real owners of risk are within the enterprise, but also offers up insight on what IT audit can do to help streamline communication and do their part in creating a “risk culture” within the business.

When designing continuous auditing procedures, auditors and management must think through what the metrics are, and what thresholds would trigger the auditors’ desire to gain a better understanding of operational issues.

It's up to security professionals to infer security significance of all the events security solutions report. The first step to arriving at an answer to this intractable problem is teaching our security tools to understand us. Advancements in Natural Language Processing could help.

XebiaLabs’ Robert Stroud highlights what it is that IT audit needs to know about DevOps, why they should care, and offers up ways in which they can approach DevOps in a constructive manner that ultimately reduces risk in the organization.

After 25 years in internal audit, I have come to the conclusion that excellent audit planning is essential to ensuring an effective audit. What is a successful audit? A good measure is whether both audit management and the auditee feel good about the end results.

SAP CSO Justin Somaini discusses how the role of the CISO has evolved into what it is today, and what up and coming security leaders should prepare for once they take charge of a security program at a major organization.

In the last Audit Writer’s Hub, we talked about crafting gourmet audit issues, instead of mass-produced, dollar-menu issues. This week, we focus on mumbling words and long-winded sentences.

The dark web is one of those elusive subjects that can often get misinterpreted. We spoke to Reclamere's Connie Mastovich to get her expert take on what the dark web is, what risk it poses to companies, and how to protect yourself from it.

Onspring’s Jason Rohlf discusses how technology has impacted the internal auditor of today, but also offers tips on how auditors can stay ahead of the curve, rather than play catchup.

Farsight CTO Merike Kaeo discusses why DNS is still be underutilized as a security tool today, shares some examples of lessons-learned that could apply to you, and provides steps you can take to ensure you’re taking advantage of your DNS infrastructure.

In this featured post, we speak to TrustedSec Founder Dave Kennedy who offers up advice on how you can set up your security department’s defenses to respond and defend against common attacks.

The internal audit function is not immune to the challenges that come with acquiring and retaining talented individuals in the department. In this article, we identify several strategies that can help you recruit talented internal audit candidates.

According to MISTI’s annual Internal Audit Priorities Report, internal audit leaders are in need of hiring outside assistance for challenges they face surrounding IT security. Here, we share a few tips to help you find the best IT consultant for your needs.

When reading the annual statements of an organisation and the typically clean accompanying external auditor’s report one tends to believe that there has been no fraud that year. The typical reaction is “excellent, nothing bad here.” But be warned, positive audit reports are anything but clean bills of health.  

Numbers and fancy charts are only able to tell part of the story for internal auditors. If you want your reports and your data to come alive for your clients, you need to make your words matter. Words, when it comes to driving action, are your most valuable currency. Here's why.

Is your organization adequately equipped to identify anomalous patterns across the network? If you're doubtful, it may be time to try out alternative models that will help you detect previously unknown attacks.

Cisco's Edna Conway shares her insight on what infosec leaders can do to ensure that security becomes an active discussion about the way you operate within the business, rather than an added bolt-on feature.

Internal auditors have been working toward shedding the "corporate cop" label given to them within the enterprise. But what is a trusted advisor? What do they do and what behaviors are necessary to become a trusted advisor?

If you work in security, you've heard of AI and the "game-changing" promises of its models. How secure is AI, though, and what can organizations do to ensure AI isn't another breachable vulnerability?

The Sarbanes-Oxley Act of 2002 Section 301 requires publicly-traded companies to have a whistleblowing program.  But, how do we know if the program is effective? This article should help get you on your way.

When salary is fixed and the perks are what a Gen Xer would like but maybe not a millennial (i.e., catered lunches, unlimited paid time off, yoga hour), how does an audit shop change their philosophy to cater to the younger crew? Below we explore different ways to motivate a millennial auditor.

Bugcrowd’s Keith Hoodlet outlines the importance of attack driven development and offers up the key steps security practitioners should take for this approach to have a positive impact on their overall security strategy.

Media communication in the face of a cybersecurity incident often gets the shaft in favor of incident handling, but what you don't handle can come back to haunt you.

To continually operate more efficiently and add greater value to the business, internal audit has to boost its performance throughout each stage of the audit cycle. The guidelines below can help you improve the risk assessment, planning, execution, and reporting stages of the audit cycle.

We recently discussed the intersection of emotional intelligence and strategic intelligence. Here are some more common strategic areas to look at. One of these may be similar to your company, or maybe you have some additional strategic areas too. We’d love to hear about them.

Uber’s Melanie Ensign discusses the relationship between the communications function and infosec teams and offers up some uncommon communication tips for security leaders that may have a skewed view of the communications department within their organization.

Enterprise security practitioners can greatly improve their network security posture, if only they would take the time to right-size mobile security policies.

Infusing an audit with strategic intelligence can be a little uncomfortable. But a little stretch does an auditor (and the company) good. Here, we've provided a few tips to articulate the big picture to your team and your auditee.

If continuous auditing doesn’t strictly mean automated data analytics or fancy software, then it means a larger group of internal audit shops can employ continuous auditing. This article highlights five ways you can continuously audit your business without all the software and by just using your brain.

Given the troves of education information, training, and technology available to security professionals, you’d think they’d be a step ahead of malicious actors. But this overabundance of information may actually be causing more harm than good. Here’s what one expert had to say about the “fog of more.”

Cybersecurity staffing requires more than simply finding enough people to accomplish tasks.

As an Internal Auditor what you do is NOT your title. It's NOT your longevity in the field. It's NOT a credential. However, as an internal auditor the question "What do you do?" typically doesn't receive a straightforward answer. Here we provide you with an activity that will get you thinking about what you DO, and help you communicate it effectively.

Are you taking the right approach when it comes to threat intelligence? We caught up with one subject matter expert that provides some uncommon tips on developing a successful threat intelligence program.

Even if you’re a dollar-menu writer now, that does not mean you always will be. Anyone can become a gourmet audit report writer. Over the next few weeks, Audit Writer’s Hub articles will focus on specific writing tips to help you begin crafting your gourmet issues. This week, we look at passive voice.

Cybersecurity conferences often lead to inbox overload, but they don't have to if the onsite experience is managed correctly.

Developing a strong working relationship with audit clients goes a long way, but that can be a lot easier said than done. In this post, we examine 7 areas that internal auditors can focus on that will help them improve their relationships with audit clients.

We caught up with one CISO that shares his advice on what security leaders can do to ensure they're taking the right approach to budgeting as it relates to their overall security strategy.

Cybersecurity teams seem to understand their biggest areas of challenge, yet the action to put effort behind remediating those problems falls short.

Internal audit is positioned to help evaluate risk that arises from working with vendors. Here we outline steps for determining which vendors to audit and what to focus on during the audit.

InfoSec Insider catches up with one threat expert who discusses why security professionals should consider a proactive threat hunting model, and outlines how they can take that approach.

 Today, most reputable cloud service providers are security conscious, yet users remain responsible over many—but varying—aspects of information security. Here, we take a look at the three most common public cloud models that should be on your radar.

Effective communication, teamwork, and accountability are key ingredients of efficient programs, processes, and projects. Unfortunately, many organizations suffer due to a misunderstanding of who’s responsible for what. Here, Dr. Hernan Murdock details how RACI Charts can help internal auditors overcome these challenges.

Auditors in search of a great decision-making tool to identify the forces for and against a course of action should look no further than Force Field Analysis. In this feature by MISTI's own Dr. Hernan Murdock, he details how internal audit can leverage this technique.

If internal auditors are auditing people, then they need to have a humane approach. And to audit humanely, they need to show a degree of emotional intelligence. Here are five skills that can get you on your way.

Today's threat landscape is like a tentacled sea monster that security practitioners have to battle on a daily basis. In this feature story, we highlight the top five most likely cyber risks to organizations today.

If you're looking to ensure that your cyber incident response plan doesn't turn into shelfware, here are five ways to make it actionable. 

Jonathan Sander addresses why security teams fail at controlling privileged identities, and what they should be doing that won't upset the apple cart.

There is no question that the cybersecurity job market is hot, but not any old recruiter is suited to help you with your hiring needs.

Learn why the virtual CISO is quickly becoming an attractive option for enterprises.