When Audit Calls in the Cavalry – The Pros and Cons of Using Red Team (Ethical Hacking) as Part of an IT Audit Program – Session delivered in French
For more and more organizations, cyber risk ranks first among their top risks. It is the primary concern of the Board of Directors. It is also rated as a growing concern, as innovative technology and AI are arriving faster than anticipated and are being integrated into our organizations even though they are not prepared. Indeed, cyberspace is disruptive, and an organization's preparedness for cyber threats is key to surviving the storm. The role of Internal Audit (IA) is not only to anticipate those risks but also to help management ensure they are prepared. We often hear in IT security that an organization is only as strong as its weakest link. But what is your weakest link? Each of our organizations is different in that sense. If we can anticipate and identify those weaknesses, it provides a head start in case of an attack. Internal Audit can partner with experts to identify areas of security weakness. It can also test the preparedness of the organization and raise awareness when the organization is not convinced or mindful of its exposure.
However, in bringing in Ethical Hacking (or Red) Teams, are there dangers that lurk for Internal Audit leaders and IT? Is there such a thing as a series of tests that is “too real”? How about confronting the organization with scenarios that replicate real-world dangers it is not ready to face?