Collaborating Across Boundaries: Toward an Integrated Cyber Risk Assessment by Internal Auditors and Cybersecurity Professionals
Drawing on 36 interviews, this study examines how internal auditors and cybersecurity specialists collaborate on cyber risk assessment, identifies five patterns of collaboration, and reveals the barriers to collaboration and the mechanisms that enable integration, offering a reference for managers and professionals facing emerging risks.
ABSTRACT Although cyber risk is widely recognized as a critical organizational threat, how firms configure internal roles and practices to address it remains poorly understood. This study offers insights into that question. In practice, two professional roles share the job of cyber risk assessment and assurance: cybersecurity specialists, who focus on the technical side of assurance, and internal auditors, who focus on governance, processes, and compliance. Drawing on 36 interviews across a range of organizations, we explain how these professional roles collaborate, when collaboration breaks down, and why working together is often difficult. We identify five common patterns of working across professional boundaries, ranging from rival parallel assessments to genuinely integrated work. As exposure to cyber threats rises because of regulation, critical operations, or greater digital dependence, accountability pressures increase, and managers and professionals who span the two professional roles act as connectors and coordinate across domains. We also show how standard risk-management templates and reporting tools can shift from being symbolic checklists to becoming practical coordination mechanisms. Overall, the study offers a framework for building more integrated cyber risk assessment and assurance, with relevance for other emerging risks that demand cross-functional expertise.