What’s a zero-day vulnerability and why is it important for internal auditors, management and Audit Committee members to be aware of them?

A zero-day vulnerability is a flaw in software or hardware that attackers know about (and may already be exploiting) before the vendor and the organizations using the product do, so no patch or vendor-supplied fix exists yet. Because the flaw itself cannot be patched in advance, the exposure an organization faces is set by the state of its surrounding controls: security management, access management, network and computer operations security management, and its other cybersecurity risk management practices. Weaknesses that widen that exposure include poor cybersecurity practices and processes, poorly designed security architecture, inadequately trained information security staff, lax employee cybersecurity training and awareness programs, and uncontrolled privileged access. Commonly, they show up as faulty vendor software upgrades, weak device configurations, poor change management practices, or high rates of phishing test failures.

Examples of these weaknesses include unsupported applications and tools for which the vendor has discontinued updates; poor change management practices around vendor upgrades; a general lack of granularity in privileged user controls; and cybersecurity training or awareness programs that are not robust enough to recognize the distinctiveness of your business (an airline faces a different set of cybersecurity risks than an asset manager does).

Allowing users’ privileges to expand in an uncontrolled IAM environment, or simply waiting for the software vendor to fix the code and distribute a patch, are not solutions, especially when an agile attacker can compromise privileged access or exploit the vulnerability ahead of the patch.

These vulnerabilities can be exploited by threat actors from day zero until the threat is discovered and halted, and then as “n‑day” vulnerabilities for as long as unpatched systems remain. Their presence creates a window of opportunity to compromise otherwise well‑defended systems: while the flaw is unknown the attacker exploits it undetected, and once it is disclosed the attacker races the organizations that have not yet applied the patch.

The insidious nature of these vulnerabilities makes it nearly impossible for Internal Audit or other assurance providers to identify and uncover them. Management and the Audit Committee cannot expect Internal Audit to be on the front line of providing regular and ongoing assurance over the organization’s cybersecurity posture. And one‑off audit projects such as a penetration test, an IT operations audit, or a cloud migration strategy audit are also not sufficient to understand and comment on your organization’s cybersecurity posture.

So what to do?

Start with a Cybersecurity Maturity Assessment (CSMA) of the following main cybersecurity domains to determine the overall cybersecurity posture and the degree of maturity in each domain.

  • Data Protection & Privacy
  • Identity and Access Management (including insider threats)
  • Security Architecture and Engineering (including cloud security)
  • Security Operations (including vulnerability and threat management, security monitoring and incident response)
  • Cybersecurity Training and Awareness
  • Third‑Party and Supply Chain Risk Management

Each of these domains should be guided by proper governance, including a communications and reporting model; adequate policies, procedures, practices and guidelines; proper ERM‑based risk management practices; and a sound IT strategy.

After assessing the cybersecurity posture, identify the areas of lower or weaker maturity for greater scrutiny (e.g. audit projects or controls assessments). If you have the opportunity, compare the findings to peers in your industry. Regularly refresh the cybersecurity posture (e.g. annually) through either lighter‑touch audit assessments or self‑assessments, and adjust the profile and nature of ongoing audit projects accordingly.

This keeps Internal Audit’s finger on the pulse of the organization’s cybersecurity posture, informed about where a zero‑day vulnerability is most likely to be exploited undetected, and able to communicate those risks to management and the Audit Committee. You may not be able to avoid the surprise of a zero‑day attack, but you will have shown management and the Audit Committee that you have homed in on the areas of potential weakness and where they can originate.

How Can I Help?

As an expert in internal audit & assurance and a leader in risk management, I’ve paid attention to the growing importance of cybersecurity risks to an organization and developed a successful framework for assessing these risks, providing assurance on an organization’s cybersecurity posture and maturity, conducting focused cybersecurity audit projects, and focusing on emerging cybersecurity risks.


Peter McConnell
B. Comm., CPA, CIA, CRMA

pmcconnell@cross‑borderconsulting.com
cross‑borderconsulting.com
(780) 340‑7564
LinkedIn
Serving North America, the UK, Ireland and Other EU countries.