Why Boards, Auditors, and IT Leaders Must Rethink Control, Accountability, and Risk
By: John S. Morlu II, CPA
Learning Objectives (ISACA-Compliant)
After completing this article, the reader will be able to:
- Explain the principles of Zero Trust cybersecurity and why perimeter-based security is no longer sufficient.
- Identify key governance failures that contribute to cybersecurity incidents.
- Assess the roles of Boards, executive management, and auditors in cybersecurity oversight.
- Apply practical governance and control measures aligned with ISACA frameworks (COBIT, Risk IT).
- Evaluate how cybersecurity risk should be integrated into enterprise risk management (ERM).
Target Audience
- ISACA members and credential holders (CISA, CISM, CRISC, CGEIT)
- Internal and external auditors
- IT governance and risk professionals
- Board members and executive leadership
- Compliance and assurance professionals
Introduction: Cybersecurity Is No Longer an IT Problem
For decades, cybersecurity was treated as a technical issue—something for IT departments to manage quietly in the background. Firewalls were installed, passwords were changed, and antivirus software was updated. Boards received occasional updates, often filled with technical jargon but little real insight into risk.
That era is over.
Today, cybersecurity is a governance issue, a financial risk, and a fiduciary responsibility. Data breaches, ransomware attacks, and system outages now result in regulatory penalties, litigation, reputational damage, and in some cases, organizational collapse. The question is no longer whether an organization will be attacked, but how prepared its governance structures are to respond.
The Collapse of Perimeter-Based Security
Traditional cybersecurity models rested on a simple premise: anything inside the network could be trusted, and anything outside could not.
This assumption no longer holds.
Modern organizations operate in environments defined by:
- Cloud computing
- Remote workforces
- Third-party vendors and APIs
- Mobile devices and personal endpoints
Attackers no longer “break in” through the front door. They log in using stolen credentials, compromised vendors, or misconfigured cloud services. Once inside, they move laterally—often undetected.
This reality gave rise to Zero Trust Architecture (ZTA).
What Zero Trust Really Means (And What It Does Not)
Zero Trust does not mean:
- No access
- Distrust of employees
- A single product or software solution
Zero Trust does mean:
- Never trust by default
- Always verify identity, device, and context
- Assume breach
- Enforce least-privilege access
- Continuously monitor and log activity
From a governance perspective, Zero Trust is not a technical upgrade—it is a control philosophy.
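The five principles above become concrete at the point where an access request is decided. The following is an added illustration, not code from the article or from any ISACA framework: a minimal policy decision point that denies by default, checks the requester's entitlement (least privilege), authentication strength (verify identity), device management and posture (verify device), session freshness (verify context continuously), and writes every decision to an audit log (continuous monitoring). The roles, resources, sensitivity tiers, request fields and sample requests are all constructed for the example and are assumptions, not an organization's real policy. Note that the source network is recorded but never used to grant access: being "inside" earns nothing.

```python
"""Minimal Zero Trust policy decision point (added example; assumptions only)."""
from dataclasses import dataclass, field
import json

# Least privilege: roles are granted explicit (resource, action) pairs and nothing else.
# Assumed role/resource names for illustration.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger": {"read"}, "ar-reports": {"read"}},
    "ap-clerk": {"ledger": {"read", "write"}},
    "admin": {"ledger": {"read", "write"}, "ar-reports": {"read", "write"}, "hr-db": {"read"}},
}

# Authentication strength levels; a resource declares the minimum it will accept.
MFA_LEVEL = {"none": 0, "otp": 1, "phishing-resistant": 2}

# Per-resource requirements on identity and device (assumed sensitivity tiers).
RESOURCE_POLICY = {
    "ledger":     {"min_mfa": 2, "managed_device": True},
    "ar-reports": {"min_mfa": 1, "managed_device": False},
    "hr-db":      {"min_mfa": 2, "managed_device": True},
}

MAX_SESSION_MIN = 60  # re-verify identity after this; trust is never granted indefinitely


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa: str                # "none" | "otp" | "phishing-resistant"
    device_managed: bool    # enrolled in device management
    device_compliant: bool  # current posture: patched, encrypted, endpoint agent healthy
    session_age_min: int    # minutes since the last strong authentication
    source_network: str     # "corp" | "internet"; logged, never used to grant trust


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Deny by default: the request is allowed only if every check passes."""
    reasons: list[str] = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource"])

    # 1. Least privilege: the role must hold an explicit entitlement for this action.
    if req.action not in ROLE_ENTITLEMENTS.get(req.role, {}).get(req.resource, set()):
        reasons.append(f"role '{req.role}' has no '{req.action}' entitlement on '{req.resource}'")

    # 2. Verify identity: authentication strength must meet the resource's bar.
    if MFA_LEVEL.get(req.mfa, 0) < policy["min_mfa"]:
        reasons.append(f"mfa '{req.mfa}' below required level {policy['min_mfa']}")

    # 3. Verify device: management status and current posture, not network location.
    if policy["managed_device"] and not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_compliant:
        reasons.append("device out of compliance")

    # 4. Verify context continuously: stale sessions must re-authenticate.
    if req.session_age_min > MAX_SESSION_MIN:
        reasons.append(f"session age {req.session_age_min}m exceeds {MAX_SESSION_MIN}m")

    return Decision(allow=not reasons, reasons=reasons)


AUDIT_LOG: list[dict] = []


def decide_and_log(req: AccessRequest) -> Decision:
    """Every decision, allowed or denied, is logged with the context it was made on."""
    decision = evaluate(req)
    AUDIT_LOG.append({
        "user": req.user, "role": req.role, "resource": req.resource, "action": req.action,
        "mfa": req.mfa, "device_managed": req.device_managed,
        "device_compliant": req.device_compliant, "session_age_min": req.session_age_min,
        "source_network": req.source_network,
        "decision": "ALLOW" if decision.allow else "DENY", "reasons": decision.reasons,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample requests, not real users or systems.
    samples = [
        AccessRequest("j.doe", "ap-clerk", "ledger", "write", "phishing-resistant", True, True, 10, "internet"),
        AccessRequest("j.doe", "ap-clerk", "ledger", "write", "otp", True, True, 10, "internet"),
        AccessRequest("a.lee", "finance-analyst", "ledger", "write", "phishing-resistant", True, True, 5, "corp"),
        AccessRequest("root", "admin", "hr-db", "read", "phishing-resistant", False, True, 5, "corp"),
        AccessRequest("j.doe", "ap-clerk", "ledger", "read", "phishing-resistant", True, True, 120, "corp"),
    ]
    for r in samples:
        decide_and_log(r)
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

Two design points matter for the governance reader. First, the decision is a conjunction: a strong credential on an unmanaged laptop, or an entitled role with a stale session, still fails, which is what "never trust by default" means in practice. Second, the denied requests are logged with the same detail as the allowed ones; that log is the evidence an auditor needs to answer "would these controls stop a real attack?" rather than "is the policy documented?".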
Governance Failure: The Root Cause of Most Cyber Incidents
Post-incident investigations consistently reveal a pattern:
- Policies existed but were not enforced
- Risk assessments were outdated or superficial
- Boards lacked cybersecurity literacy
- Management treated cyber risk as operational, not strategic
- Audit functions focused on compliance checklists, not threat reality
In other words, the breach was not a surprise—it was the result of governance blind spots.
The Board’s Fiduciary Duty in Cybersecurity
Boards are not expected to configure firewalls. They are expected to ask the right questions.
Effective cybersecurity governance requires Boards to:
- Treat cyber risk as an enterprise risk, not an IT issue
- Demand clear metrics tied to business impact
- Ensure management accountability for control failures
- Integrate cyber risk into strategy, M&A, and vendor decisions
A Board that cannot explain its organization’s top cyber risks is not exercising adequate oversight.
Management’s Role: From Technology to Accountability
Executive management translates governance into action.
Key responsibilities include:
- Establishing a cybersecurity governance framework aligned with business objectives
- Assigning clear ownership for cyber risk
- Funding controls based on risk, not fear or headlines
- Ensuring incident response plans are tested, not theoretical
Tone at the top matters. When leadership treats cybersecurity as a compliance exercise, employees do the same.
The Auditor’s Role: Beyond Checklist Assurance
Auditors—especially ISACA professionals—play a critical role in closing the governance gap.
Modern cybersecurity assurance requires auditors to:
- Understand threat landscapes, not just policies
- Evaluate the design and operating effectiveness of controls
- Assess whether management reporting reflects reality
- Challenge assumptions about trust, access, and segmentation
Auditors must move from “Are controls documented?” to “Would these controls stop a real attack?”
Alignment With ISACA Frameworks
ISACA provides mature, globally recognized frameworks that support cybersecurity governance:
COBIT
- Aligns IT objectives with enterprise goals
- Emphasizes governance, management, and performance measurement
Risk IT
- Integrates IT risk into ERM
- Focuses on risk appetite, response, and communication
CISM Domains
- Information security governance
- Information security risk management
- Information security program (development and management)
- Incident management
Zero Trust principles map naturally onto these frameworks: least privilege and continuous verification are control objectives to be designed, measured and audited; “assume breach” is a statement of risk appetite and response; and continuous logging supplies the evidence that governance and performance reporting depend on.
Integrating Cybersecurity Into ERM
Cyber risk should be evaluated alongside:
- Financial risk
- Operational risk
- Legal and regulatory risk
- Reputational risk
This requires:
- Quantifying potential impact
- Linking scenarios to business processes
- Reporting risk in language executives understand
Cybersecurity becomes effective when it is measurable, visible, and owned.
Conclusion: Governance Is the Real Security Control
Technology will continue to evolve. Attackers will adapt. Tools will change.
What remains constant is this truth: Organizations are not breached because they lack technology. They are breached because they lack governance.
Zero Trust is not just a security model—it is a governance mindset. One that assumes failure, demands accountability, and aligns controls with real-world risk.
For ISACA professionals, this is not optional knowledge. It is central to the profession’s responsibility in protecting organizations, stakeholders, and the public trust.
Estimated CPE Credit
- Recommended CPE: 4.0 – 6.0 hours
- Level: Intermediate
- Delivery Method: Self-Study / Group-Study
Suggested Self-Study Assessment Questions (Optional)
- Why is perimeter-based security no longer effective?
- How does Zero Trust change traditional access assumptions?
- What are the Board’s primary responsibilities in cybersecurity governance?
- How should auditors evaluate cybersecurity controls beyond documentation?
- Why must cyber risk be integrated into ERM?
References (ISACA-Appropriate)
- ISACA – COBIT Framework
- ISACA – Risk IT Framework
- NIST SP 800-207 – Zero Trust Architecture
- World Economic Forum – Global Cybersecurity Outlook
Author: John S. Morlu II, CPA, is the CEO and Chief Strategist of JS Morlu, a globally recognized public accounting and management consultancy firm. Under his leadership, JS Morlu has become a pioneer in developing technologies across B2B, B2C, P2P, and B2G verticals. The firm’s innovations include AI-powered reconciliation software (ReckSoft.com), an on-demand handyman platform (Fixaars.com) and cloud accounting solutions (FinovatePro.com).
JS Morlu LLC is a top-tier accounting firm based in Woodbridge, Virginia, with a team of highly experienced and qualified CPAs and business advisors. We are dedicated to providing comprehensive accounting, tax, and business advisory services to clients throughout the Washington, D.C. Metro Area and the surrounding regions. With over a decade of experience, we have cultivated a deep understanding of our clients’ needs and aspirations. We recognize that our clients seek more than just value-added accounting services; they seek a trusted partner who can guide them towards achieving their business goals and personal financial well-being.