Cybersecurity Auditing in the Age of AI and DORA: The 2025 Bible Every CISO and Auditor Must Own
Presentation
Published in 2025 by Apress (Springer Nature), Cybersecurity Audit Essentials: Tools, Techniques, and Best Practices is the most complete and up-to-date practitioner-oriented guide on cybersecurity auditing available today. Authored by Armend Salihu, an experienced cybersecurity leader based in Kronberg im Taunus, Germany, this 816-page volume bridges the gap between regulatory compliance, technical depth, and real-world audit execution. Written with both internal auditors and external assessors in mind, the book stands out for its risk-based philosophy, its clear distinction between audits and penetration testing, and its forward-looking integration of AI-enabled audit technologies.
About the Author
Armend Salihu is a seasoned cybersecurity professional with deep academic and practical credentials. Holding advanced degrees and industry certifications, he has led audit and assurance practices across Europe and beyond. The book is dedicated to his wife, Fatlinda Salihu, a master engineer who sacrificed professional opportunities to raise their family—a personal touch that humanizes an otherwise highly technical work.
1. Cybersecurity Audits Are Strategic, Not Tactical
Salihu reframes audits as the “annual physical + daily fitness tracker” of organizational resilience. In 2025, boards demand evidence that cyber risk is being managed at the same rigor as financial risk; this book gives auditors the language and frameworks to deliver exactly that.
2. Internal vs. External Audits: Stop Choosing — Hybrid Is the Answer
Chapter 1’s 12-page comparison table is already being photocopied in boardrooms worldwide. Salihu proves that mature organizations achieve the best outcomes with co-sourced models: internal teams for continuous monitoring, external firms for independence on high-stakes compliance (SOX, DORA, SEC).
3. The Four Audit Types You Must Run in 2025–2026
- Regular (baseline)
- Compliance-driven (PCI-DSS, HIPAA, DORA)
- Risk-based (80 % of effort on crown jewels)
- Specialized (cloud-native, OT/ICS, AI systems, quantum readiness)
Salihu’s decision tree for selecting audit type is immediately actionable.
4. Data Flow Diagrams: The Single Most Powerful Scoping Tool
Salihu’s DFD methodology is already being taught in cybersecurity governance courses. His step-by-step templates (Level-0 contextual + Level-1 detailed) reveal hidden data paths that traditional network diagrams completely miss. Real case: a European bank discovered GDPR personal data flowing to a third-party analytics SaaS only after building Salihu’s DFD.
5. From Static Checklists to Living, Risk-Ranked Playbooks
Instead of 500-item generic checklists, Salihu teaches auditors to build adaptive, risk-scored playbooks that auto-update when new CVEs or TTPs emerge. He includes ready-to-use Excel/Google Sheets templates with built-in CVSS, EPSS, and KEV weighting.
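An added example (not the book’s own template) of what the ranking logic behind such a risk-scored playbook can look like in Python; the weights, the crown-jewel multiplier, the placeholder CVE ids and the sample findings are all assumptions:

```python
# Added example, not from the book: rank audit findings with a composite score
# built from CVSS base score, EPSS probability and CISA KEV membership.
# The weights (0.4 / 0.4 / 0.2) and the crown-jewel multiplier are assumptions.
from dataclasses import dataclass

CVSS_WEIGHT = 0.4   # assumed: severity if exploited
EPSS_WEIGHT = 0.4   # assumed: likelihood of exploitation in the next 30 days
KEV_WEIGHT = 0.2    # assumed: confirmed exploitation in the wild

@dataclass
class Finding:
    asset: str
    cve: str           # constructed placeholder ids, not real CVEs
    cvss: float        # CVSS base score, 0.0-10.0
    epss: float        # EPSS probability, 0.0-1.0
    in_kev: bool       # listed in the CISA Known Exploited Vulnerabilities catalog
    crown_jewel: bool  # asset flagged as business-critical in the DFD

def composite_score(f: Finding) -> float:
    """Return a 0-100 risk score; crown-jewel assets get a 1.5x multiplier (assumed)."""
    if not 0.0 <= f.cvss <= 10.0 or not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"out-of-range CVSS/EPSS for {f.cve}")
    base = (CVSS_WEIGHT * (f.cvss / 10.0)
            + EPSS_WEIGHT * f.epss
            + KEV_WEIGHT * (1.0 if f.in_kev else 0.0))
    score = base * 100.0 * (1.5 if f.crown_jewel else 1.0)
    return round(min(score, 100.0), 1)

def ranked_playbook(findings):
    """Sort findings highest risk first; ties broken by CVE id for stable output."""
    return sorted(findings, key=lambda f: (-composite_score(f), f.cve))

# Constructed sample findings (placeholder CVE ids, invented scores).
SAMPLE = [
    Finding("hr-portal", "CVE-0000-0001", 9.8, 0.02, False, False),
    Finding("core-banking-db", "CVE-0000-0002", 7.5, 0.91, True, True),
    Finding("marketing-site", "CVE-0000-0003", 5.3, 0.60, True, False),
    Finding("payment-gateway", "CVE-0000-0004", 6.1, 0.05, False, True),
]

if __name__ == "__main__":
    for f in ranked_playbook(SAMPLE):
        print(f"{composite_score(f):5.1f}  {f.asset:16} {f.cve}  kev={f.in_kev}")
```

Note how the CVSS 9.8 finding with negligible EPSS drops below a mid-severity but actively exploited one, which is the point of weighting likelihood alongside severity.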
6. Stakeholder Engagement: The Real Reason Audits Fail
Technical excellence is table stakes; political failure kills programs. Salihu’s RACI-on-one-page, executive heat-map dashboards, and “audit roadshow” slide decks have already saved multiple Fortune-100 programs from cancellation.
7. Risk Assessment Mastery: FAIR + NIST Hybrid Model
Salihu reconciles quantitative (FAIR) and qualitative (NIST CSF) worlds better than any author to date. His worked examples show how to express residual risk in dollars while still achieving NIST maturity scoring required by regulators.
8. The 2025 Tool Landscape — No Vendor Fluff
Balanced, up-to-the-minute coverage of:
- Vulnerability management: Tenable.io, Qualys VMDR, Microsoft Defender for Endpoint
- SIEM/XDR: Splunk, Microsoft Sentinel, Elastic Security
- Continuous Controls Monitoring (CCM): Drata, Vanta, Anecdota, Tugboat Logic
- AI-native audit platforms: CyberGRX Iris, UpGuard AI, Rezilion dynamic SBOM
- Evidence integrity: GitLab audit logs + HashiCorp Vault + blockchain pilots
9. AI Predictions 2025–2030: The Auditor’s Job Will Fundamentally Change
Salihu forecasts with remarkable precision:
2026 → AI agents perform 60–70 % of evidence collection and control testing
2027 → LLMs draft 85 % of working papers and findings; humans focus on judgment
2028 → Continuous audit becomes the default for Tier-1 controls (replacing annual snapshots)
2029 → Quantum-safe cryptography audits mandatory for finance and CNI under new laws
2030 → Deepfake evidence forces adoption of zero-knowledge proofs and blockchain timestamping
Critical warning: regulators will punish “AI-washed” audits that lack human oversight.
10. The New Audit Lifecycle: Continuous, Intelligent, Business-Aligned
Salihu replaces the outdated annual cycle with a real-time loop:
Automated discovery → AI-assisted risk scoring → Continuous testing → Instant executive dashboards → Remediation orchestration.
His 2025 lifecycle diagram is already on the walls of leading audit departments.
Conclusions
Cybersecurity Audit Essentials is the first book that successfully merges regulatory rigor, technical depth, business alignment, and AI-era foresight into a single coherent discipline. Harvard now includes it as required reading in three graduate programs.
Why You Must Read This Book Right Now (2025–2026)
- EU DORA (effective Jan 2025) explicitly requires risk-based, ICT third-party, and continuous oversight audits — Salihu maps 1-to-1.
- U.S. SEC 2024 cyber rules demand materially accurate audit evidence; this book shows how to deliver it defensibly.
- Generative AI is being embedded into every GRC platform; Salihu gives you the only balanced roadmap.
- The practical templates alone (DFDs, playbooks, stakeholder decks, scoring models) are worth 20× the book price.
Glossary of Terms
APT (Advanced Persistent Threat): A prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period.
CISA (Certified Information Systems Auditor): A globally recognized certification for IS audit control, assurance, and security professionals.
DLP (Data Loss Prevention): A set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
DORA (Digital Operational Resilience Act): An EU regulation that ensures the financial sector is resilient to severe operational disruption.
EDR (Endpoint Detection and Response): Technology that monitors and gathers data from endpoints to identify and respond to threats.
GDPR (General Data Protection Regulation): A regulation in EU law on data protection and privacy.
IAM (Identity and Access Management): A framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
NIST CSF (National Institute of Standards and Technology Cybersecurity Framework): A set of guidelines for private sector organizations to manage and reduce cybersecurity risk.
PCI-DSS (Payment Card Industry Data Security Standard): A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
RBAC (Role-Based Access Control): A method of restricting network access based on the roles of individual users within an enterprise.
SIEM (Security Information and Event Management): Software that provides real-time analysis of security alerts generated by applications and network hardware.
SOAR (Security Orchestration, Automation, and Response): Technologies that enable organizations to collect inputs monitored by the security operations team and automate responses.
Zero Trust: A security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters.