Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
Security testing as part of a digital assurance toolkit
Cyber Security: A Peer-Reviewed Journal,
7
(4),
363-370
(2024)
Abstract
The role of IT audit and other digital assurance functions is to provide comfort to stakeholders regarding risks and the controls that have been implemented by management to safeguard an organisation. This paper discusses the misalignment between digital assurance activities and security testing. When performing security testing from an assurance perspective, it is common for the discussion with management to focus on the number of findings, not necessarily the impact. From a security testing perspective, a single finding could result in a business compromise, or multiple low findings could be chained together to result in a more significant business impact. Citing example findings across multiple sectors and geographic locations, the paper details what security testing results often look like, related challenges in an assurance context, the difference between security testing and other assurance activities, how to get management buy-in, and key recommendations on how best to use security testing as part of a digital assurance toolkit, with the caveat that scarce specialist skills are required.
Keywords: penetration testing; information risk management; digital assurance; IT audit; cyber security
The full article is available to subscribers to the journal.
Author's Biography
Graeme Huddy leads Mobius Binary, a specialist security testing (pentesting) company, and has over ten years of IT audit and IT consulting experience. In the past 24 months he has overseen the delivery of security testing services to clients in over 15 countries. While not a pentester by trade, Graeme is able to frame the technical output from security testing exercises in a business environment. He uses his broad technical and business understanding to contextualise findings, evaluate the risk and impact to organisations and help clients identify appropriate remediation steps to manage risk. Graeme is a member of ISACA and holds the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications.
