2025從人工智能到網(wǎng)絡(luò)安全解構(gòu)復(fù)雜的技術(shù)風(fēng)險(xiǎn)格局研究報(bào)告（英文版）-44正式版

FROMAITOCYBER—DECONSTRUCTINGACOMPLEXTECHNOLOGYRISKLANDSCAPEAssessingtheresultsofthe12thAnnualGlobalInternalAuditPerspectivesonTopTechnologyRisksSurveyfromProtivitiandTheInstituteofInternalAuditorsGLOBALINTERNALAUDITTABLEOFCONTENTS03

09Toptechnologythreats,organizationalpreparednessandITauditpro?ciencyExecutivesummaryandkey?ndings18

21WhycybersecurityanddatastandoutUseoftechnologytoolsasmostsigni?cantconcerns24

28OurcalltoactionfortechnologyauditleadersandteamsAcloserlookatAIandITaudit31

39Appendix—fullglobalresultsDemographicsProtivitiandTheIIA01Executivesummaryandkey?ndingsProtivitiandTheIIACybersecurity.Dataprivacyandgovernance.Artificialintelligence(AI).Third-partyrisk.Asnotedinthekeyfindings,cybersecurityisviewedasthemostsignificanttechnologythreat.Databreachestopthelistofperceivedcybersecurity-relatedthreats,largelyduetoincreasedconcernsaroundransomwareattacks.Inaddition,ourresearchrevealsthegreatestperceivedrisksassociatedwithAIare,byaconsiderablemargin,securityandprivacyissues,underscoringthedominanceofcybersecurityasacriticalchallenge.Atfirstglance,theresultsofthisyear’sGlobalInternalAuditPerspectivesonTopTechnologyRisksSurveypaintafamiliarpictureoftheprimarytechnologythreatsfacedbyorganizationsworldwideandtheirreadinesstotacklethem.However,adeeperlookrevealsnuancedlayersthatdepicttoday’sandtomorrow’schallengesindifferenthuesanddimensions.Moreimportant,thefindingshighlightthestrategiesandtoolsthatareprovingmosteffectivefortechnologyauditorstoaddressthesechallenges.Beyondcyberissues,AIisrapidlybecomingacriticalareafortechnologyauditors.DespiteAI’sgrowinginfluence,proficiencyinAI-relatedauditingremainslow,highlightingtheurgentneedforauditgroupstobolstertheirknowledgeofAIrisks,includingethical,operationalandreputationalchallenges.Factorssuchasauditfrequencystandoutinthesurveyresults.Internalauditfunctionsthatperformsixormoretechnologyauditsannually,referredtoashigh-frequencyITauditinggroups,perceivethethreatlandscapeandtheiroverallpreparednessinamuchdifferentlight—atopicweexplorefurtherinouranalysis.Theresultsnotonlyreinforcesometrendsfromprioryears,butalsorevealemergingrisktrendsthattechnologyauditorsmustanticipatetoremainrelevant.Thereisgreaterinterestinnewapproachestoaddressthechangingrisklandscape,andthereisanelevatedlevelofmaturityinsomeorganizations,whichsignalswhatistocomeforthetechnologyauditprofession.ProtivitiandTheIIAAuditfrequencyisamongseveralimportantindicatorsfortechnologyauditfunctionsastheynavigateadynamicbusinesslandscapethatisbeingshapedcontinuallybyexponentialgrowthintechnologieslikegenerativeAIandtheconcurrentemergenceofnewsecurity,privacyanddata-relatedchallenges.theanalysissupportingourconclusions.Ourcalltoaction(seepage28)summarizesthekeyactivitiesauditgroupsshouldundertaketoensuretheirtechnologyauditfunctionscontinuetodelivervalueandremainrelevanttotheirorganizations.Lastly,theAppendixcontainsacomprehensiveoverviewoftheglobalsurveyresults.Inthefollowingpages,wepresentthekeyfindingsfromthesurvey,thecompletesetofrisksanddefinitions,andTop5technologyrisks*Figure168%CybersecurityDataprivacy&complianceDatagovernance&integrityThirdparties/vendors61%53%50%47%Cloudcomputing10%20%30%40%50%60%70%80%90%100%*Percentagesreflectthenumberofrespondentswhoratedthethreata4or5ona5-pointscale,where1indicates“Nothreatatall”and5indicates“Significantthreat.”ProtivitiandTheIIA5OurkeyfindingsGlobalInternalAuditStandardsTMCybersecurityisthetoptechnologythreat—Notonlydocyberconcernsstandoutasthetopthreat,buttheseconcernsareevengreateramongorganizationsconductingtechnologyauditsmorefrequently,aswellasamongthoseusingcybersecurityandAI-basedtoolstosupportthetechnologyauditdepartment.Thesemorematureorganizationsalsoexpressedthehighestlevelofpreparednesstohandlethisrisk(Standard9.1UnderstandingGovernance,RiskManagement,andControlProcesses).Dataconcernsareprevalent—Dataprivacyandcomplianceaswellasdatagovernanceandintegrityrankamongthetoptechnologyrisksorganizationsface,and52%viewdatabreachesandleaksofsensitiveinformationasposingthegreatestcybersecurity-relatedthreats.InJanuary2024,TheInstituteofInternalAuditorspublishedanupdatedversionoftheGlobalInternalAuditStandards?(“theStandards”).ThesestandardsareamandatorycomponentoftheInternationalProfessionalPracticesFramework(IPPF),whichfacilitatestheconsistentdevelopment,interpretation,andapplicationofinternalauditingknowledge,therebyenhancingtheprofession.Applicablestandardsarereferencedthroughoutthispublication,withfurtherinformationavailableviaTheIIA’swebsite:/NewStandards.Higherfrequencyoftechnologyauditsdrivesbetterperformance—Conductingmoretechnologyauditsannually(forpurposesofanalyzingthissurvey’sresults,definedassixormore—seepage8)drivesaclearerunderstandingofthethreatlandscapeandcontributestoimprovedorganizationalpreparednessandtechnologyauditproficiencytohandlethesethreats.Conversely,organizationswithlowerauditfrequencymayfaceblindspotsintheirriskmanagementefforts,underscoringtheimportanceofregularandthoroughauditing(Standards9.4InternalAuditPlan;13.2EngagementRiskAssessment).AIisbeginningtoinfluencetechnologyauditing—WhileAIisnotviewedasasignificantshort-termtechnologyconcern,mostrespondents(59%)viewadvancedAIsystemsasposingsignificantriskstotheirorganizationsinthenexttwotothreeyears.Further,theuseofAI-basedtoolsintechnologyauditingisassociatedwithelevatedconcernsaboutvariousthreats,includingcybersecurityanddataprivacy,andalsodriveshigherlevelsofperceivedorganizationalpreparednesstohandlesuchthreats(Standard10.3TechnologyResources).ProtivitiandTheIIA6AboutoursurveyProtivitipartneredwithTheInstituteofInternalAuditors(TheIIA)toconductits12thannualGlobalInternalAuditPerspectivesonTopTechnologyRisksSurveyinthesecondquarterof2024.Theobjectiveofthisannualsurveyistoexplorethetoptechnologyrisksorganizationsface,asperceivedbytechnologyauditleadersandprofessionals.Additionally,itexploresthepractices,processesandtoolsemployedtohelpenterprisesidentify,assess,manageandmitigatetheserisks.Atotalof1,246executivesandprofessionals,includingchiefauditexecutives(CAEs)andinformationtechnology(IT)auditdirectors,completedthesurveythisyear.Datagovernance&integrity—Risksrelatedtomaintainingaccurate,consistentandreliableenterprisewidedata.IoT(InternetofThings)—Risksfromvulnerabilitiesinconnecteddevicesandnetworksleadingtopotentialbreaches.ITmanagement—Risksassociatedwithattracting,retaininganddevelopingskilledITpersonnelorganizationwide,impactingoperationalefficiencyandinnovationcapacity.Regulatorycompliance—Risksrelatedtoadheringtoindustry-specificDefinitionsofsurvey-assessedtechnologyrisksregulationsgoverningtechnologyuse.Inthisyear’ssurvey,weassessed13technologyrisksthatorganizationsface.Belowisthelistofthesetechnologyrisks,alongwiththeirrespectivedefinitions.Softwaredevelopment—Risksassociatedwithmodernsoftwaredevelopmentanddeployment,suchasDevOps,continuousintegrationandcontinuousdelivery(CI\CD),andcontainerization.AI&machinelearning(includinggenerativeAI)—Risksfromethicalconcerns,securitybreaches,andoperationalissuesinAI/MLapplications,includinglargelanguagemodelslikeGPT.Technicaldebt&aginginfrastructure—Risksfromoutdatedsystemsleadingtoinefficiencies,vulnerabilitiesandcostlyfutureupdates.Cloudcomputing—Risksofdatabreaches,lossofdatacontrol,andnon-Technologyresiliency—Risksassociatedwithmaintainingadaptabilityandcomplianceincloud-basedsolutions.recoverycapabilitiesinthefaceofITdisruptionsoroutages.Cybersecurity—Risksfromunauthorizedaccess,disruptionordestructionofThirdparties/vendors—Risksrelatedtothesecurity,reliabilityandresilienceinformation,systemsornetworks.ofthirdparties.Dataprivacy&compliance—RisksinprotectingpersonaldataandkeepingupwithTransformations&systemimplementations—Risksinvolvingmajorbusinessorevolvingdataprotectionregulations.ITchanges,includingdisruptions,unmetrequirements,dataloss,etc.ProtivitiandTheIIA7EvaluatingtechnologyauditfrequencySimilartotheanalysisconductedinthe2023study,ametricexaminedinthisyear’ssurveyishowoftenorganizationsconducttechnologyaudits.Thesurveyresponseswerecategorizedintotwodistinctgroups:High-frequencyITauditing—OrganizationsthatconductsixormoretechnologyauditsperyearLow-frequencyITauditing—OrganizationsthatconductfiveorfewertechnologyauditsperyearThesehigh-andlow-frequencyITauditinggroupsarereferencedthroughoutthereport.AsillustratedinFigure2below,themajority(71%)ofrespondentsindicatethattheirorganizationsperformfiveorfewertechnologyauditsperyear.Figure213%13%Lessthan1ITaudit1to2ITaudits30%28%3to5ITaudits16%6to12ITauditsMorethan12ITaudits10%20%30%40%50%Low-frequencyITauditingHigh-frequencyITauditing"Unsure"responsesnotshown.ProtivitiandTheIIA02Toptechnologythreats,organizationalpreparednessandITauditpro?ciencyProtivitiandTheIIAPerceivedthreatoftechnologyrisksinnext12monthsCyberanddatastandout:Technologyauditorsshouldbewell-acquaintedwiththetop-ratedtechnologyrisksinthisyear’ssurvey,whichincludecybersecurity,dataprivacyandgovernance,thirdparties,andcloudcomputing.(allrespondents)*Table120242023YOYtrendsCybersecurity68%61%53%50%47%44%43%74%58%55%60%50%41%52%Threatlevelsaredown,preparednesslevelsareup…forsome:Theyear-over-yeartrendindicatesamoderatedecreaseinperceivedtechnology-relatedthreatsandanincreaseinpreparednessamongorganizationstomanagetheserisks,withjusttwoareas—dataprivacyandcompliance,andregulatorycompliance—showingyear-over-yearincreasesinperceivedthreatlevels.Giventhebroadattentionontechnology-relatedthreatsoverthepastyear,manycompanieslikelyhavematuredtheirriskmanagementprograms.Thisincludesenhancingcybersecuritymeasures,resultinginperceptionsofDataprivacy&complianceDatagovernance&integrityThirdparties/vendorsCloudcomputingRegulatorycomplianceITtalentmanagementTransformations&systemimplementations43%55%Technologyresiliency36%33%29%44%43%36%Technicaldebt&aginginfrastructureSoftwaredevelopmentdecreasingthreatlevelsandincreasingorganizationalpreparedness.Additionally,moreorganizationsareadoptingadvancedtechnologiestosupportthreatdetectionresponse(seeFigure16).AI&machinelearning(includinggenerativeAI)28%22%28%29%IoT*Percentagesreflectthenumberofrespondentswhoratedthethreata4or5ona5-pointscale,where1indicates“Nothreatatall”and5indicates“Significantthreat.”ProtivitiandTheIIA10本報(bào)告來(lái)源于三個(gè)皮匠報(bào)告站（）,由用戶Id:673421下載,文檔Id:608226,下載日期:2025-02-10threatlevelsof,asshowninTable1,essingtheresultssuchasthosethatdtools,aswellasuencyITauditfunctions,oupsoftenperceiveadscapewhileviewingtomitigatetheserisks.smightperceivealogy-relatedrisks.partyandvendorrisklogyauditteams,asighwhilethelevelofuatethisissuearentyear-over-yeardropintethisrisk(seeTable3).ProtivitiandTheIIA11CommentaryOurfindingsrevealseveralkeydifferentiatorsforITauditfunctionstoimproveperformanceanddelivergreatervaluetotheenterprise.Asobservedinlastyear’sstudy,thefrequencyoftechnologyauditsperformedannuallyrevealssignificantdifferencesinhowITauditleadersandteamsperceivethreatsandassesstheorganization’spreparednesstomanagethem.Thisisparticularlyevidentinareassuchascybersecurity,regulatorycompliance,dataprivacyandcompliance,anddatagovernanceandintegrity.Thesedifferencessuggestthathigh-frequencyITauditinggroupsmayhaveabetterunderstandingoftheserisksandthethreatstheyposetotheorganization.concernforleadership,organizationsarededicatingmoreresourcesandattentiontoenhancingtheirdefenses,resultinginstrongeroverallsecuritypostures.Further,notabledifferencesareobservedamongorganizationsthatusecybersecuritytools(orassesstheoutputsoftheirusebythebusiness),aswellasAIandmachinelearningtools,tosupporttheirITauditingactivities.ThissuggeststhatthesetoolsarevaluableassetsinhelpingITauditteamsidentifyspecifictechnologythreatsandunderstandtheorganization’slevelofpreparednesstomanagethem.Byleveragingthesetools,ITauditteamscanscanentirenetworksandidentifygapsinnearreal-time.Asaresult,theybecomemoresecurityconsciousandaware,enablingthemtodevelopabetterappreciationofallthreats.However,itisimportantfortechnologyauditteamstopartnerwiththeITorganizationtounderstandhowthesetoolsarebeingusedthroughouttheenterpriseandtooptimizewaysfortheinternalauditfunctiontoleveragethem(Standards13.4EvaluationCriteria;13.5EngagementResources,13.6WorkProgram).Muchofthisisunderstandable.Internalauditfunctionsthatperformtechnologyauditsmorefrequentlyarenaturallyexpectedtohavemoreconcernsaboutthetechnologyrisklandscape.However,thesedifferencesarenotvisibleacrossalltechnologyrisks.Asnotedearlier,twotechnologyriskshaveincreasedyearoveryearintermsofperceivedthreattotheorganization:dataprivacyandcompliance,andregulatorycompliance(seeTable1).Thecontributingfactorstothisupticklikelyincludeevolvingregulationsandtheincreasingcomplexityofdatagovernance.Businessleadersneedtoupgradetheirdataprivacyandgovernanceframeworkscontinuouslytoensurecomplianceremainsatoppriority.Thesefindingscertainlyraiseseveralimportantquestions.Forexample,whatmightorganizationsthatarenotutilizingcybersecurityorAItools,orconductingtechnologyauditsfrequently,bemissingintheirtechnologyauditsandriskcoverage?Additionally,cybersecurityremainsasignificanttechnologythreat,driveningreatpartbyelevatedconcernsaboutransomwareattacks.However,theperceivedlevelofpreparednessforcybersecurityisrising,with63%ofrespondentsindicatingtheirorganizationsarewell-preparedtohandlecyberthreats(seeTable2).Thisprogressreflectsnotonlythegrowingadoptionofadvancedcybersecuritytools—suchasvulnerabilityscannersandthreatintelligenceplatforms—butalsotheincreasingprioritizationofcybersecurityattheboardlevel.AscybersecuritybecomesastrategicInregardtothird-partyriskmanagement,thesignificantgapbetweenperceivedthreatlevelandtheorganization’spreparednesstohandlethisrisksuggestscompaniesrecognizethird-partyandvendorrisksasamajorthreatbutbelievetheyareunderpreparedtomanagethemeffectively.Thiscouldbeduetothecomplexitiesinvolvedinmanagingthird-partyrelationshipsandthepotentialcascadingeffectsofvendorvulnerabilitiesontheorganization.It’salsopossiblethat,atleastinsomeorganizations,thereisnoclearlydefinedownerofthird-partyriskmanagement.ProtivitiandTheIIA“Theseareremarkablydynamictimesfororganizations,notonlyduetorapidlychangingmarketconditionsbutalsoresultingfromongoingtechnologytransformation,ledbytherapidriseofgenerativeAI.Internalauditteamsneedtokeeppacewiththechangestheirorganizationscontinuetoundergo.Moreimportantly,theyneedtoembracetheuseofemergingtechnologieslikegenerativeAIandadvancedanalyticsintheirowninternalauditpracticesastheyhelptoidentifyandaddressthemostcriticaltechnologyriskstheirorganizationsface.”Perceivedleveloforganizationalpreparednesstohandletechnologyrisksinnext12months(allrespondents)*Table2Cybersecurity63%57%55%47%47%44%39%38%37%36%34%21%17%55%53%45%42%35%25%36%35%45%30%35%26%14%RegulatorycomplianceDataprivacy&complianceCloudcomputingDatagovernance&integrityITtalentmanagementTransformations&systemimplementationsSoftwaredevelopmentTechnologyresiliencyThirdparties/vendorsTechnicaldebt&aginginfrastructureIoT–AngeloPoulikakosManagingDirector,GlobalLeader,TechnologyAuditandAdvisory,ProtivitiAI&machinelearning(includinggenerativeAI)*Percentagesreflectthenumberofrespondentswhoratedtheorganization’slevelofpreparednessa4or5ona5-pointscale,where1indicates“Notpreparedatall”and5indicates“Extremelyprepared.”ProtivitiandTheIIA13Perceivedthreatoftechnologyrisksinnext12months—Perceivedthreatoftechnologyrisksinnext12months—perspectivesamongITauditgroupsthatusecybersecuritytoolsperspectivesamongITauditgroupsthatuseAItools**Figure4Figure5CybersecurityCybersecurity76%58%Dataprivacy&complianceDataprivacy&compliance68%53%40%50%60%70%80%UsecybersecuritytoolsDonotusecybersecuritytoolsUseAItoolsDonotuseAItools*Percentagesreflectthenumberofrespondentswhoratedthethreata4or5ona5-pointscale,where1indicates“Nothreatatall”and5indicates“Significantthreat.”Seepage35forfullsurveyresultsonuseoftools,technologiesanddeliverymethods.*Percentagesreflectthenumberofrespondentswhoratedthethreata4or5ona5-pointscale,where1indicates“Nothreatatall”and5indicates“Significantthreat.”Seepage35forfullsurveyresultsonuseoftools,technologiesanddeliverymethods.ProtivitiandTheIIA14Perceivedleveloforganizationalpreparednesstohandletechnologyrisksinnext12months—perspectivesOrganizationsthataudperceptionofriskamonghigh-frequencyITauditinggroups*Thisyear’s?ndings,aswellIncreasedfrequencyoftechunderstandingofkeytechnoandcompliance,anddatagFigure6Cybersecurity79%Severalfactorscouldexplain—isincreasedawarenessanfrequently,organizationsarecontrolweaknessesthatmigbecomemoreattunedtothetheirperceptionofriskheightheremaybeculturalfactorsauditsgenerallyhaveastron57%Regulatorycompliance72%52%Datagovernance&integrityThesurveyindicatesthat4technologyauditsannuallygapinriskdetectionandmmaylackthereal-timeinsigthreats,underscoringthentechnologyauditstoenhan60%42%10%20%30%40%50%60%70%80%High-frequencyITauditingLow-frequencyITauditing*Percentagesreflectthenumberofrespondentswhoratedtheorganization’slevelofpreparednessa4or5ona5-pointscale,where1indicates“Notpreparedatall”and5indicates“Extremelyprepared.”ProtivitiandTheIIA“Cybersecuritycontinuestobeamajorconcernformostorganizations.Whilemanyinternalauditorsdonotfocusexclusivelyoninformationtechnology,itisbecomingincreasinglyimportantthattheyareawareofcyber-relatedrisks.Thereisanelementofcybersecurityinmostbusinessprocesses,highlightingtheneedforinternalauditorstoidentifycyberrisksduringtheengagementriskassessment.”PerceivedlevelofITauditteamproficiencytoevaluatetechnologyriskseffectivelyinnext12months(allrespondents)*Table3Cybersecurity58%56%55%45%41%39%39%38%34%33%31%17%13%53%52%54%49%34%31%44%47%35%48%42%22%14%Dataprivacy&complianceRegulatorycomplianceDatagovernance&integrityCloudcomputingITtalentmanagementTransformations&systemimplementationsTechnologyresiliency–GeorgeBarhamDirectorofStandardsandProfessionalGuidance,TheIIASoftwaredevelopmentThirdparties/vendorsTechnicaldebt&aginginfrastructureIoTAI&machinelearning(includinggenerativeAI)*PercentagesreflectthenumberofrespondentswhoratedtheirITauditteam’sproficiencylevela4or5ona5-pointscale,where1indicates“Notatallproficient”and5indicates“Extremelyproficient.”ProtivitiandTheIIA16ComparingperceivedthreatswithorganizationalpreparednessandtechnologyauditproficiencyThegapsbetweentheperceivedthreatofAIandmachinelearningandthelevelsofpreparednessandproficiencyareparticularlyconcerninggiventherapidadoptionofAItechnologiesacrossindustries.OrganizationsmaybeembracingAIwithoutfullyunderstandingtheassociatedrisksordevelopingthenecessarycontrolstomitigatethem.Thisleavesthemvulnerabletopotentialethical,securityandoperationalchallengesthatcouldarisefromAIuse.Thereisanoteworthyandinsightfulconnectionbetweenhoworganizationsperceivevarioustechnologyrisksandtheircorrespondinglevelsofpreparednessandproficiencyinmanagingtheseriskswithintheirtechnologyauditfunctions.Themostsignificantgapsareintheareasofthird-party/vendorrisks,andAIandmachinelearning,includinggenerativeAI.Thepercentagesbelowreflectthenumberofrespondentswhoratedthelevelofthreat,organizationalpreparednessortechnologyauditfunctionproficiencya4or5ona5-pointscale—seeFigures13,14and15intheAppendixfordetails,includingdefinitionsofscalesforperceivedthreat,organizationalpreparednessandtechnologyauditproficiency.Perceivedthreatlevelvs.ITauditproficiency—topthree*Figure7Thirdparties/vendors3Thirdparties/vendors:Perceivedthreat:50%???28%Organizationalpreparedness:36%Technologyauditproficiency:33%AI&machinelearning(includinggenerativeAI)13%Manyorganizationsmaylackthenecessaryframeworksorexpertisetomonitorandcontroltherisksassociatedwithexternalvendorseffectively.Thesegapshighlightpotentialvulnerabilitiesinthesupplychain,whereafailuretomanagethird-partyrisksadequatelycouldleadtosignificantdisruptionsorsecuritybreaches.Cybersecurity10%20%30%40%50%60%70%AIandmachinelearning(includinggenerativeAI):Perceivedthreat:28%PerceivedthreatlevelITauditproficiency???Organizationalpreparedness:17%Technologyauditproficiency:13%*Percentagesreflectthenumberofrespondentswhoratedthisthreata4or5ona5-pointscale,where1indicates“Nothreatatall”and5indicates“Significantthreat,”andthenumberofrespondentswhoratedtheirITauditteam’sproficiencylevela4or5ona5-pointscale,where1indicates“Notatallproficient”and5indicates“Extremelyproficient.”ProtivitiandTheIIA1703Whycybersecurityanddatastandoutasmostsigni?cantconcernsProtivitiandTheIIAWhat’stopofmind:ChiefconcernsforITauditleadersandteamsthisyearincludecybersecurityandanumberofdata-relatedissues—privacy,compliance,governanceandintegrity(seeTable1).Intermsofareasofcybersecurityperceivedtoposethegreatestrisks,databreachesandleaksofsensitiveinformationstandout,byfar,asthemostsignificant.Followingthese,third-partyandsupplychainrisks,alongwithcloudserviceprovidersecurityweaknesses,arethenextmostworrisomeissues(seeFigure8).requirements,organizationsmustfileanincidentreportwithinfourbusinessdaysofthecompany’smaterialitydeterminationregardingacyberincident.Organizationsmustprovideinsightintohowthecybersecurityriskmanagementfunctionsareintegratedintobroaderriskmanagementsystemsandprocesses,suchasriskreportingandmonitoringprocessesusedinconjunctionwiththeenterpriseriskmanagementprocess.Similarly,theNetworkandInformationSecurityDirective2(NIS2)intheEuropeanUnionhasexpandedthescopeoftheoriginaldirectivetoenhancecybersecurityacrosstheentireEuropeanregionbyunifyingnationallawswithcommonminimumrequirements.Underlyingregulatoryfactors:It’sunderstandabletofindtheseissuesamongthetoptechnologyrisks,giventheregulatoryattentiontheycontinuetodrawandtheincreasedlevelsofpreparednesstomanagethem.IntheUnitedStates,forexample,thenewcybersecuritydisclosurerulesfromtheSecuritiesandExchangeCommission(SEC)haveplacedaspotlightonbeingmorediligentandmindfulregardingcyberrisks.TherulesincreasereportinganddisclosurerequirementsforcompaniesregisteredwiththeSEC.Amongthe52%oftechnologyauditleadersseedatabreachesandleaksofsensitiveinformationasamajorrisktotheirorganizationinthecomingyear.ProtivitiandTheIIA19CommentaryAscyberthreatactorscontinuetoenhancethesophisticationoftheirattackmethods,ITauditteamsmustalsocontinuetoupskilltheirtechniquestohelpmanagementidentifyrelevantrisks.Itwillbeincreasinglydifficulttokeeppacewithoutsupportfromcybertoolingandothertechnology-enabledtactics.Ofnote,theuseoftoolssuchasvulnerabilityscannersandintrusiondetectionsystemsdoesnotalleviaterisklevels—infact,theymayrevealpreviouslyunknownrisksandvulnerabilities.Therehavebeensituationswhereanorganization,afteremployingthreatdetectiontechnology,realizedtheywere“flyingblind”priortousingthem.Anotherimportantpoint:Privatelyheldcompaniesmayalsoseevalueinenhancingtheirincidentidentification,evaluationandremediationpracticesthroughgreateruseoftechnologytoolsbytheITauditfunction,eveniftheyarenotsubjecttothesamepublicdisclosurerequirements.AscyberthreatathesophisticatioITauditteamsmtheirtechniquesrelevantrisks.ItkeeppacewithouandothertechnoAlso,asorganizationsincreasinglyrelyondata-drivendecision-making,technologyauditfunctionsmustevolvetoprovidemorerigorousassessmentsofdatagovernanceframeworks,verifyingthatdataintegrityismaintainedacrossbothinternalprocessesandthi