To continually operate more efficiently and add greater value to the business, internal audit has to boost its performance throughout each stage of the audit cycle. The guidelines below can help you improve the risk assessment, planning, execution, and reporting stages of the audit cycle.
Latest Content From MISTI
We recently discussed the intersection of emotional intelligence and strategic intelligence. Here are some more common strategic areas to look at. One of these may be similar to your company, or maybe you have some additional strategic areas too. We’d love to hear about them.
Uber’s Melanie Ensign discusses the relationship between the communications function and infosec teams and offers up some uncommon communication tips for security leaders who may have a skewed view of the communications department within their organization.
Enterprise security practitioners can greatly improve their network security posture, if only they would take the time to right-size mobile security policies.
Infusing an audit with strategic intelligence can be a little uncomfortable. But a little stretch does an auditor (and the company) good. Here, we've provided a few tips to articulate the big picture to your team and your auditee.
If continuous auditing doesn’t strictly mean automated data analytics or fancy software, then it means a larger group of internal audit shops can employ continuous auditing. This article highlights five ways you can continuously audit your business without all the software and by just using your brain.
Given the troves of educational information, training, and technology available to security professionals, you’d think they’d be a step ahead of malicious actors. But this overabundance of information may actually be causing more harm than good. Here’s what one expert had to say about the “fog of more.”
Cybersecurity staffing requires more than simply finding enough people to accomplish tasks.
As an Internal Auditor what you do is NOT your title. It's NOT your longevity in the field. It's NOT a credential. However, as an internal auditor the question "What do you do?" typically doesn't receive a straightforward answer. Here we provide you with an activity that will get you thinking about what you DO, and help you communicate it effectively.
Are you taking the right approach when it comes to threat intelligence? We caught up with one subject matter expert who provides some uncommon tips on developing a successful threat intelligence program.
Even if you’re a dollar-menu writer now, that does not mean you always will be. Anyone can become a gourmet audit report writer. Over the next few weeks, Audit Writer’s Hub articles will focus on specific writing tips to help you begin crafting your gourmet issues. This week, we look at passive voice.
Cybersecurity conferences often lead to inbox overload, but they don't have to if the onsite experience is managed correctly.
Developing a strong working relationship with audit clients goes a long way, but that can be a lot easier said than done. In this post, we examine 7 areas that internal auditors can focus on that will help them improve their relationships with audit clients.
We caught up with one CISO who shares his advice on what security leaders can do to ensure they're taking the right approach to budgeting as it relates to their overall security strategy.
Cybersecurity teams seem to understand their biggest areas of challenge, yet the action to put effort behind remediating those problems falls short.
Internal audit is positioned to help evaluate risk that arises from working with vendors. Here we outline steps for determining which vendors to audit and what to focus on during the audit.
InfoSec Insider catches up with one threat expert who discusses why security professionals should consider a proactive threat hunting model, and outlines how they can take that approach.
Today, most reputable cloud service providers are security conscious, yet users remain responsible for many—but varying—aspects of information security. Here, we take a look at the three most common public cloud models that should be on your radar.
Effective communication, teamwork, and accountability are key ingredients of efficient programs, processes, and projects. Unfortunately, many organizations suffer due to a misunderstanding of who’s responsible for what. Here, Dr. Hernan Murdock details how RACI Charts can help internal auditors overcome these challenges.
Auditors in search of a great decision-making tool to identify the forces for and against a course of action should look no further than Force Field Analysis. In this feature by MISTI's own Dr. Hernan Murdock, he details how internal audit can leverage this technique.
If internal auditors are auditing people, then they need to have a humane approach. And to audit humanely, they need to show a degree of emotional intelligence. Here are five skills that can get you on your way.
Today's threat landscape is like a tentacled sea monster that security practitioners have to battle on a daily basis. In this feature story, we highlight the top five most likely cyber risks to organizations today.
If you're looking to ensure that your cyber incident response plan doesn't turn into shelfware, here are five ways to make it actionable.
Threat modeling is essential to becoming proactive and strategic in your operational and application security.
Learn why the virtual CISO is quickly becoming an attractive option for enterprises.