Organizations have responded the current cybersecurity landscape with a great deal of anxiety and thought, but often not a whole lot of follow through. That may, however, be changing.

A new survey co-authored by consulting services group Protiviti and information management systems professional organization ISACA found that while awareness and concern around cybersecurity is increasing overall, 37 percent of businesses did not address cybersecurity in their 2018 audit plans. The study polled over 1,300 IT audit professionals and executives across the globe.

Andrew Struthers-Kennedy, managing director for Protiviti's global IT audit practice, noted that while these numbers perhaps aren't where they should be, they continue to increase year over year.

Struthers-Kennedy attributed a lot of the shift to the rapid growth of data aggregation and usage in organizations. IT audit leaders are increasingly managing third-party vendor audits and internal information governance regimes rife with data of varying kinds.

“Both of those are a function of the changes some organizations are undertaking. They're moving services to third parties or cloud providers, they're providing technologies that are capturing and creating vast numbers of data elements, they're looking to use those data elements to drive decision-making,” Struthers-Kennedy said.

With the influx of data comes a whole set of new competencies that IT auditors are responsible for managing, from big data analytics to internet of things-wired devices (IoT). The survey found that although most organizations continue to run audits with exclusively internal staff, growing numbers of IT audit teams in all global regions are working with external teams or outside consultants to co-source their cybersecurity audits.

Struthers-Kennedy sees IT teams looking most to subject matter experts to address some of these newer data types. “Co-sourcing, I think it's just necessary in today's environment where there's such a high demand for technology resources of all types,” he said.

There are certainly plenty of places that Struthers-Kennedy sees potential room for IT auditors to improve their work. Developing stronger lines between IT auditors and third-party vendors and their business partners can be a way to clamp down on the risk of third-party data breach. “They need to be engaging with business partners a little more actively, so they can be a real-time risk adviser,” he suggested.

Additionally, while organizational leadership and boards of directors are starting to show more interest in technology and cybersecurity concerns overall, Struthers-Kennedy sees potential for corporate leaders to grow their knowledge bases. A recent study from law firm Fox Rothschild found that 27 percent of chief legal officers and in-house counsel never report to their directors on cybersecurity and data privacy. Indeed, the majority of respondents to the Protiviti and ISACA survey reported that their boards showed medium engagement and levels of understanding.

Struthers-Kennedy said most IT auditors report to audit directors, who translate those messages on to boards. Those boards, he said, should likely be able to understand and engage meaningfully with those technical reports. “This is not just an auditor responsibility but a management responsibility, but part of it is educating management and the board,” he said.