Cyber Governance – Sticking Your Head in the Sand Is Not an Option

by Theresa Grafenstine
April 4, 2016
in Governance
The Board must play an active role in cyber governance

I recently attended an event where a panel of lawyers provided a “pearl of wisdom” to Board members, stating, “If you don’t understand your cybersecurity risk, don’t try to.” They went on to advise that whatever you do, don’t hire someone to conduct an independent cyber assessment. Otherwise, you might learn where your risks are and open yourself up to liability that your ignorance is protecting you from. After I recovered from my initial shock, I wanted to yell from the rooftop that sticking your head in the sand does not make the very real threat of a cyber attack to your organization go away.

Such behavior is not only risky, it is immoral and it is contrary to the strategic, legal and fiduciary responsibilities that you have assumed as a Board member to your shareholders, customers and employees. A breach can expose data that is the legal obligation of the organization to maintain private. It can compromise the credit of the organization’s customer base, impacting their personal lives for years. It can expose proprietary and trade secrets of the organization, impacting competitive advantage. In fact, markets are increasingly realizing that all data has some intrinsic level of value; therefore, any breach exposes the organization to a degree of loss through exposure. When taking into account that an estimated 84 percent of the total value of the Fortune 500 consists of intellectual property and other intangible assets,[1] a cyber attack could represent the single largest off-balance-sheet risk that exists today for organizations.

When retailers are breached, it can bring harm to customers and damage the corporate brand. In the aftermath of the 2013 Target data breach, the CEO stepped down and Target agreed to pay $10 million to settle a class-action lawsuit.[2] If you think that you are safe because you don’t store credit card information, you are wrong. Hackers are not just interested in stealing credit card information. They have also found it profitable to hold data hostage. For example, a hospital recently paid a $17,000 ransom in bitcoin to a hacker who seized control of its computer systems.[3] Still, cyber breaches are not always about generating a monetary profit. The U.S. federal government is not only responsible for protecting national secrets, it is also entrusted with the data of its citizens and employees. In the widely publicized Office of Personnel Management (OPM) breach, a nation state has been reported to have stolen the personally identifiable information (including fingerprints!) of more than 22 million employees with security clearances.[4] The motivation for that attack is less about monetary rewards and more about gaining access to classified information by amassing human intelligence. Regardless of the motivation, cyber risk is not going away.

For those of us entrusted with governance responsibilities, do we just give up? Is this problem too hard? No, but we do need to get smart on the topic. Standard frameworks for establishing and maintaining the cybersecurity of organizations are readily available, such as the National Institute of Standards and Technology (NIST) guidance or ISACA’s COBIT. While personal liability should not be the primary driver for Board members concerning themselves with cybersecurity, it is a real possibility that, with the severity of harm possible and the simplicity of basic preventive measures available, ignorance will soon cease to be a reasonable defense. Regardless, as a conscientious Board member, you will understand that you need to be concerned and engaged. But if you are not a cybersecurity or IT professional, this may seem daunting. What can you do?

The Path Forward

Fortunately, you do not have to go back to school to get a master’s degree in cybersecurity to provide value-add in your Board role. Here are some areas where you need to make sure proper strategy is being developed and oversight is being exercised.

First, make sure the Board is fully leveraging the audit committee. The audit committee is a critical component of the governance and oversight structure. Board members should ask whether the organization’s audit committee is taking active steps to address the growing cybersecurity threat. If they are not, they should be. While the audit committee’s traditional responsibility has been related to financial reporting and disclosure, the role of the audit committee has evolved to include regulatory compliance and enterprise risk management activities. Given that information technology supports just about every facet of business operations, cyber risk is a critical component of enterprise risk management.

Further, audit committees generally have oversight responsibilities of the internal auditing department. This gives the audit committee the ability to receive independent assurance as to whether effective IT security controls are in place. However, here’s the problem: According to the Institute of Internal Auditors’ “2016 Pulse of the Profession of Internal Audit” report,[5] while 69 percent of Chief Audit Executives (CAEs) state that internal audit should make significant or extremely significant efforts to communicate cybersecurity risks to the Board and executive management, only 40 percent do so. Moreover, while 63 percent of CAEs agree that internal audit should make significant or extremely significant efforts to provide cyber assurance, only 26 percent do so. A contributing factor to this is that 52 percent of CAEs reported that their internal audit teams lacked the requisite expertise to address cybersecurity risk.

Some might argue that the risk of lacking cyber expertise in the internal audit department can be mitigated by appointing a Chief Information Security Officer (CISO) with strong cyber skills. While having a capable CISO is critical, this approach overlooks the value to the Board of getting independent assurance on the effectiveness of controls. Although outsourcing the IT audit function can serve as a short-term fix, internal audit departments need to develop this expertise if their objective is to address the largest threats facing their organizations. One approach is to embed language in IT audit contracts that requires the outside experts to train the internal audit staff. Another option is to hire internal audit staff that already possess the requisite IT auditing skills. Whatever approach is taken, it is incumbent on the Board and the audit committee to ensure that addressing cybersecurity risks is built into the audit plan.

Considerations

So what questions should the Board be asking management? A good indicator of executive support for cybersecurity can be found in the budget. If there is scant evidence of funding for the people, processes and technology needed to address cyber risks, chances are it is not happening. On the flip side, throwing a lot of money at a problem does not always fix it. The right people, processes and technology need to be in place to be effective. Start with asking questions about the people. Is someone tasked with cybersecurity as their primary responsibility, or is it a collateral duty? Depending on your cyber risk profile, this may warrant a part-time effort, a one-person shop or an entire team. Next, ask about the types of qualifications this person (or team) has. In addition to experience, professional credentials are a means to independently judge whether someone is qualified. However, if you are putting a lot of weight in professional credentials to establish qualifications, it needs to be more than a paperwork exercise. Make sure the credential has an experience requirement. For example, ISACA recently launched its Cybersecurity Nexus (CSX) credential.[6] The CSX credential goes beyond a memorization exercise. It requires book knowledge along with demonstrated cyber proficiency (e.g., defending against attacks in a virtual server environment).

Even if an organization has skilled people, a common mistake is to invest a lot of money into shiny, new technology without ensuring the right processes are in place. Third-party evaluation of cyber plans and implementation can be helpful in providing independent assurance that the team is heading in the right direction. Another question to ask: does the team have a data management strategy? Not all data needs to have iron-clad protection. Funding and efforts should be focused on protecting critical data (e.g., personally identifiable information, intellectual property, etc.) as opposed to publicly available information.

Last but not least, make sure management is covering the basics: patch, patch and patch again! According to the latest Verizon breach report, more than 99.9 percent of exploits occurred more than one year after the vulnerability was identified.[7] This means that if organizations routinely installed patches, it would prevent the most common means to gain unauthorized access to their systems. Board members should not take for granted that this is being done: Ask the question.

A Final Observation

After the breach, once the data is lost, there is only damage control that can be done. The lost competitive advantage associated with the proprietary information cannot be recovered. The customers’ personal information cannot be recaptured. Reputational damage might be managed, or it might be irreversible. Sticking your head in the sand will not prepare you to assess your level of risk or to make wise investments against those risks—and, as governance professionals, we need to yell this from the rooftops.


[1] Ocean Tomo, “Intangible Asset Market Value,” March 2015, www.oceantomo.com/2015/03/04/2015-intangible-asset-market-value-study

[2] National Public Radio, “Target Offers $10 Million Settlement In Data Breach Lawsuit,” March 2015, www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit

[3] Los Angeles Times, “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” February 2016, www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

[4] ABC News, “22 Million Affected by OPM Hack, Officials Say,” July 2015, www.abcnews.go.com/US/exclusive-25-million-affected-opm-hack-sources

[5] Institute of Internal Auditors, “2016 Pulse of Internal Audit,” February 2016, www.theiia.org/services/Pages/Pulse-of-Internal-Audit.aspx

[6] ISACA, “Cybersecurity Nexus (CSX),” www.isaca.org/cyber

[7] Verizon, “2015 Data Breach Investigations Report,” 2015, www.verizonenterprise.com/DBIR/2015


Theresa Grafenstine
Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA is a member of ISACA’s Board of Directors and the inspector general of the U.S. House of Representatives (House). Over the past 20 years, she has served in the inspector general community in both the legislative and executive branches of the federal government. She is the chair of ISACA’s Relations Board and Finance Committee, is past president and committee chairman of the ISACA National Capital Area Chapter and has served as ISACA’s Communities Committee chair and on ISACA’s World Congress: INSIGHTS program development task force. Grafenstine was recently nominated for the U.S. Federal Government Disruptor of the Year Award for her speeches on reforming audit in 2014. As the inspector general, she is responsible for planning and leading independent, non-partisan audits, advisories and investigations of the financial and administrative functions of the House. Prior to joining the House OIG, Grafenstine served at the Department of Defense (DoD) Office of Inspector General, where she led acquisition audits of major weapons systems and was selected to respond to high-profile Congressional audit requests. Grafenstine earned the 2014 John Kuyers Best Speaker/Conference Contributor Award from ISACA.
