Internal Audit Conference: building and defending your digital fortress with Sarah Armstrong-Smith


We are moving from a world of disruption to destruction – is your culture working for you or against you? This is the key question in managing cybersecurity. 

“We need to see cybersecurity under different lenses, not just technology,” Sarah Armstrong-Smith, Chief Security Adviser to Microsoft, will tell attendees at this year’s Internal Audit Conference. Armstrong-Smith believes that we are seeing a crisis of leadership, fuelled by global uncertainty, increasing regulation and greater director liability, and the evolution of cyberattacks and the people behind them.

“The threat actors are joining together and becoming more aggressive. They are targeting everyone and anyone – 90% of targets are small and medium-sized enterprises,” Armstrong-Smith warns.

Spot the pattern and break the cycle

Organisations cannot prevent all attacks, or even breaches. This is why culture, leadership and preparation are critical. You must build resilience to help you prepare for, and survive, an attack – and internal audit is more important in this than ever.

“The debate is moving out of the tech sphere. It has to be a board-level discussion about all areas of the business,” Armstrong-Smith says. “Directors know that AI and cybersecurity are a risk, but they don’t know how best to deal with the threats or how to optimise limited resources. This is where internal audit must offer more help.”

Her own background stems from business continuity and she urges internal auditors to start from the end point – what do you need to protect most? “People think this is an IT problem, but ultimately it’s about protecting your people and your data. We need to ask what is our responsibility as a business, and what are the needs and expectations of the board, stakeholders, government and external regulators,” she says.

There is always a pattern behind crises that culminate in a public inquiry or directors being grilled in a Select Committee hearing, she explains. Repeatedly, we see a trail of missed warning signs – people feeling that they can’t report problems because managers don’t listen and the board doesn’t ask.  

There are also recurring psychological safety issues that inhibit whistleblowing processes from working. “We need to stop the cycle and catch issues before they escalate. People need to be responsible for spotting problems and encouraged to admit any mistakes they’ve made. They need to know they’re protected if they put their heads above the parapet,” Armstrong-Smith says. “The worst thing you can have in your organisation is apathy.”


IA as an interface 

Internal audit is ideally placed to act as an interface between the people running the business at each level and the processes that protect them. Internal auditors can see whether processes are working, whether reports are followed up and escalated, and whether due diligence is being done.

“Never hope that problems won’t come out in the public domain – they will,” Armstrong-Smith says. “Can you explain what internal audit was doing and who knew about the issues?” Having a clear audit trail is vital if you are to show that a problem was spotted and reported and how decisions were made.

This is also an entry point for a conversation with the board. Do directors understand the risk and the consequences of inaction clearly? If they choose not to act, do they understand how this could end? They may need to make tough decisions, but internal audit must ensure these are fully informed by the risks.

Focus and perspective 

The number of cyberattacks and potential scale of the damage they inflict can hamper effective management, Armstrong-Smith adds. Internal audit can help directors who are overwhelmed by fear of “the size of the elephant” by helping them to focus on what they most need to protect and the critical risks.

“There is a danger that organisations spread their cybersecurity too thinly – it’s easy to do a small amount about a lot of things, rather than making a difference to what really matters,” she explains. “It’s important to have a clear trail showing how management made decisions and what their response to a crisis was. People are more likely to remember how you dealt with an attack than what actually happened.”

Protecting your critical interests can also involve helping smaller suppliers to be resilient and to be honest about problems. Larger organisations need to know when things go wrong in third parties, so it makes sense to support them and build trust down the chain.

Conversely, a strong cyber risk strategy and resilience planning can be a selling point up the supply chain. The advice, processes and assurance work that internal auditors provide can be marketable and may help to win business. 

Get your house in order

Knowledge at all levels is power. Boards need to know the real situation to make good decisions, and everyone in the organisation, and down the supply chain, must be confident about their capabilities if the worst happens.  

At its most basic, you need to know that back-ups are complete and what you can do if systems go down. As technology and geopolitical and economic risks change, so will your risks, and this affects your resilience, Armstrong-Smith points out.

AI amplifies the abilities of the attackers, but it also amplifies the defences at your disposal. Data is more important than ever, so you need to know where it is and how it is managed. “If it is somewhere it shouldn’t be, or hasn’t been deleted when it should have been, find out now and put it right,” Armstrong-Smith advises.

Internal audit sits at the centre of this knowledge and has the channels to monitor culture, reinforce whistleblowing processes and raise issues to the top decision-makers. This may require courage and perhaps difficult conversations, but it should put your organisation in the best possible place when (not if) disaster strikes.  

The Internal Audit Conference takes place at London’s QEII Centre on 8-9 October and online tickets are also available. The full programme and tickets are available now. 

