Transparency and Independence: Management’s Greatest Cybersecurity Needs

By Anders Erickson

October 13, 2016

Cybersecurity threats to organizations have never been greater. The severity and impact of cyber threats have changed the landscape in which governments, corporations, individuals and, specifically, financial institutions of all sizes and complexities operate, according to the Department of Defense. Data compromise and system breaches have become commonplace in our society—1 billion personally identifiable information records were stolen in 2014 alone—and boards and executives recognize they’re being held accountable for the data entrusted to their organization. A mistake or malicious act in cybersecurity can lead to loss of data, trust, customer base and more. If not properly managed, cyber risks can lead to an organization’s demise. To effectively manage cybersecurity risks, boards and executives need greater transparency in the IT activities of their companies and an independent evaluation of the adequacy of what their organizations are doing to protect data.

Transparency matters
One of the greatest challenges facing most boards and executives is the complexity of the IT world. In most organizations, those responsible for managing IT systems operate in a bubble. People outside the IT group (and even some within it) understand little of the technologies or operations behind the most basic technology-based services that businesses rely on, such as email or web services. When in recent history have businesses been so dependent on a service they know so little about? When have boards and executives been so ill-prepared to manage the risks posed by a critical aspect of their business, specifically the security of their IT operations?

In general, IT departments operate in one of three communications models:

  • First, there are IT departments that proactively educate boards and executives on cybersecurity risks and provide meaningful assistance as initiatives and programs are established to manage those risks.
  • Second, there are IT departments that willingly provide information about IT operations and risks, but only when asked. They are either engrossed in the responsibilities of daily operations or have found comfort in the independence granted by an organization too bewildered or overwhelmed to consider what questions it should be asking IT.
  • Last, some IT departments may resist attempts to gather information about their activities.

Most organizations fall into the second category. These IT departments view themselves as an open book, willing to assist management when requested. Their intentions, although good and admirable, leave boards and executives in a difficult position as they attempt to identify and manage their cyber risks: if they don't know which questions to ask, IT isn't going to volunteer the information they need. Boards and executives need outside resources with the skill set and experience to provide transparency into the activities of their IT department, and to ask IT the questions necessary to gather the information needed to manage cyber risks effectively. This process is not as simple as asking IT to complete a questionnaire. Often the critical challenge is asking the right follow-up questions to IT's initial response; the answer to the second or third question is often where the true risks are discovered.

Independent resources curb biases
Research conducted by the United States Computer Emergency Readiness Team (CERT) found that the most likely architects of cyberattacks are system administrators or other IT staff with privileged system access. Stories of white-collar crime, employee fraud and insider threats permeate our newsfeeds.

“California man pleads guilty to using a database of stolen trade secrets to generate more than $300,000 in gross sales and $60,000 net profit for himself.”

“Software programmer found guilty of planting malware in the network of the investment bank where he worked, resulting in damages costing over $3 million.”

Boards and executives need to understand that the people they entrust to manage their IT systems, in many cases, have the ability to do almost anything to the data residing on those systems. Company and customer data, including financial, health and proprietary data, can be viewed, modified or erased by those responsible for developing and administering systems. To further complicate matters, those same individuals often have the ability to remove all evidence, including the audit trail, of their activities.

Organizations can become entirely reliant upon a person, group or vendor who can (through either mistakes or malicious intent) make everything appear to be OK. Mistakes and fraud are more common than most think. Boards and executive management need an independent resource to peel back the layers of obscurity and provide an unbiased view into their organization’s IT.

To fulfill their responsibilities, the people with ultimate accountability for the security of an organization's data need clear visibility into the complex processes carried out by their IT personnel, as well as independent evaluations of their organization's cybersecurity activities, initiatives and culture.

Investors and business owners do not blindly accept management’s reports and evaluations of their financial statements. Instead, they rely on accountants to verify an organization’s financial health. Likewise, boards and executives should not be content with information provided by their own IT professionals but should validate the information with an independent assessment.
