Collaborating Across Boundaries: Toward an Integrated Cyber Risk Assessment by Internal Auditors and Cybersecurity Professionals
Sergeja Slapničar et al.
Abstract
Although cyber risk is widely recognized as a critical organizational threat, how firms configure internal roles and practices to address it remains poorly understood. This study offers insights into that question. In practice, two professional roles share the job of cyber risk assessment and assurance: cybersecurity specialists, who focus on the technical side of assurance, and internal auditors, who focus on governance, processes, and compliance. Drawing on 36 interviews across a range of organizations, we explain how these professional roles collaborate, when collaboration breaks down, and why working together is often difficult. We identify five common patterns of working across professional boundaries, ranging from rival parallel assessments to genuinely integrated work. As exposure to cyber threats rises because of regulation, critical operations, or greater digital dependence, accountability pressures increase, and managers and professionals who span the two roles act as connectors and coordinate across domains. We also show how standard risk-management templates and reporting tools can shift from being symbolic checklists to becoming practical coordination mechanisms. Overall, the study offers a framework for building more integrated cyber risk assessment and assurance, with relevance for other emerging risks that demand cross-functional expertise.