The CrowdStrike Incident: A Much-Needed Wake-Up Call for the Business... and Its IT Posture
Angelique Dawnbringer
Digital Trust | Information & Cybersecurity Advisor
"Internal Audit would have caught it," they say... I have read multiple people overselling internal audit's capability. I say: Hell no! I strongly disagree with the notion that internal audit would have caught this issue before it happened. In reality, auditors may not always (in practice, almost never) possess the specific knowledge and expertise to identify complex security vulnerabilities. This has very little to do with cybersecurity and much more to do with the IT posture of companies...
This incident highlights the importance of first-line solution architecture design and domain architecture considerations from both the software supplier's and the consumer's perspectives. Software can fail, just like any other system, so it is essential to build resilient systems that can recover quickly, backed by adequate staffing and training grounded in continuity planning.
The truth is that IT issues are often perceived as purely technical problems, but they have significant business implications. The CrowdStrike incident is a prime example: an IT-related issue with substantial business consequences. It is crucial to recognize that IT issues require a strategic response, rather than being treated as isolated technical matters.
When we view IT as a distinct function, we neglect the broader picture. We focus on patching holes and addressing symptoms, rather than tackling the underlying causes of these issues. However, I firmly believe that IT is actually a business problem, not an IT problem in itself. The CrowdStrike incident shows us that IT issues have far-reaching consequences for businesses, making it essential to adopt a more holistic approach to risk management.
In this context, let's consider the role of Internal Audit or Assurance as part of our Third Line of Defense. While internal audit plays a critical role in assessing the effectiveness of controls implemented by operational teams (First Line of Defense), I question whether their expertise and resources are sufficient to cover the complex landscape of cyber threats. In reality, auditors may not always possess the specific knowledge and expertise to identify complex security vulnerabilities.
Under the three lines of defense model, internal audit is essential for ensuring that controls are in place and functioning as intended, but I believe it is a stretch to assume that its primary role is to catch complex security vulnerabilities. In fact, that responsibility falls more squarely on the shoulders of operational teams (First Line of Defense) and risk management functions (Second Line of Defense).
To achieve a higher level of maturity, organizations should invest in people capacity: having sufficient personnel with the necessary expertise to handle scenarios ranging from routine maintenance to complex crisis situations. This includes not only technical skills but also essential soft skills such as communication, teamwork, and problem-solving.
Organizations should commit to developing their people capacity through training, upskilling, and reskilling opportunities for their IT staff and risk management functions. By doing so, we can transform IT into an asset that drives business growth and innovation, rather than a liability.
And as for governance? Well, there is COBIT, ITIL, ISO, bla bla bla bla bla....
Knowit Maker of Digital Trust
3 months ago: Angelique Dawnbringer, thank you. What internal audit would identify a "read-out-of-bounds memory safety error in the CrowdStrike developed CSagent.sys driver"? Has anything like that ever happened?
CISO | Speaker | Technology Enthusiast | Father | Husband | Occasionally Gamer
4 months ago: "Internal Audit would have caught it" - what is the "it" we refer to here? If "it" refers to "3rd party dependencies", then yes, sure, who doesn't have in their risk registry something related to 3rd parties or supply chain attacks? I do, and I choose to accept the risk. Besides that, I am not sure what IA would have contributed here. CS can go kaboom (it did), MS Updates can go kaboom (they have done so), and so on. What would be the recommendation here? Build everything yourself?
Interim CISO, CEO & Owner Akysec AB, CISM, CCSK(CSA), ISO 27005 Lead Risk Manager, ISO 27001 LI
4 months ago: If companies just started working with governance and assurance, then I think most of these incidents would be avoided. Internal audit is a one-off task and is not enough.
People & Product Leader | cloudcloud.dev
4 months ago: Hear, hear! What was missing in the #crowdstrike incident wasn't internal audit, but rather a lack of focus on and sustained commitment to engineering excellence.
Architect - Analytics (ML/AI, BI), Data Management, Contractor
4 months ago: Love the article! Paperwork doesn't solve/mitigate problems. Skillful people with knowledge mitigate and forecast possible flaws. IMO