The cybersecurity workforce gap is on pace to hit 1.8mn by 2022 – a 20% increase since 2015 “due to essentially lack of qualified personnel,” according to an industry expert speaking during a webinar hosted by the Institute of Internal Auditors Qatar.

Speaking at the webinar, titled ‘Cybersecurity Trends and Challenges for Internal Auditors’, professor Frank Yam said: “Cybersecurity is the preservation of confidentiality, integrity, and availability of information and information systems through the cyber medium.”

“Besides, other properties, such as authenticity, accountability, non-repudiation, and reliability, can also be involved,” said Yam, who is the chairman of Focus Strategic Group Inc, a consulting firm providing Business and Technology advisory services, focusing on IT auditing, risk management, and cyber-security.

Yam served six terms as the director and international vice president of Information Systems Audit & Control Association (ISACA), US. He also has an Executive Master's degree in Innovation and was selected as the ISACA 2021 Outstanding Chapter Leader for his "effective and inspiring leadership."

During his presentation, Yam said: “But it is not just about Covid-19, but in the new normal, everything is digitised.”

For organisations, he said the priority is on keeping everyone safe, as well as on customer experience management, business continuity, and new technology-related strategies. “For internal auditors, it is about remote auditing, change in skills for digital transformation, and the economic downturn that increases fraud risks,” he said.

Yam said emerging technologies are “radically novel” and “relatively fast-growing technologies” that persist over time and potentially impact socio-economic domains. The common risks with emerging technologies are overestimating AI capabilities, algorithmic bias, programmatic errors, cyber-attacks, legal risks, and liabilities, he said.

“Agile is a mindset, not a methodology,” said Yam, who compared agile with the waterfall methodology. The agile process begins with creating a vision document and a kick-off, and the rest of the activities are iterative until project completion, he said.

“Cybersecurity starts with understanding the real web. There is World Wide Web with only 4% of Internet content, such as Google, Amazon, and Wikipedia, among others. Deep web Internet content is over 90% generally not accessible by search engines, such as academics, medical, government, and subscription information, among others.

“The dark web has only 6% Internet content with encrypted data of illegal sites and stolen data,” said Yam, who displayed market prices from the dark web for information related to credit card, bank account, medical, Facebook, and spam, among others.

Yam said, “Too many auditors worry about threats and vulnerabilities that pose no actual risk to an asset, prioritising compliance over risk, and wasting precious time and resources.”

He said strategic audit planning and use of the NIST (National Institute of Standards and Technology) Cybersecurity Framework as a benchmark guideline are needed.

“The training encompassed a strong message to assume breach. At a time of constant change where technologies will continue to evolve and disrupt, the board expects auditors to understand technology-related risks and recommend controls to adopt a sensible business model.

“The ‘KEY’ for success is building teams that can thrive in the future that can't be predicted. KEY is Keep Empowering Yourself,” said Sundaresan Rajeswar, board member and chief adviser of the IIA Qatar chapter, who co-ordinated the event.