Original article published in French on Benoit Grenier’s blog
In my recent article “CEO’s and The Blindspot of Cybercrimes” I explained that senior management has a perception problem regarding the seriousness of the IT security risks that surround them. I further explained that these CEOs can be held responsible for the consequences of these risks and that they have communication problems with their CIOs. What are the possible solutions?
The Security Audit: An Essential For Intrusion Prevention
Before talking about large companies, let me reiterate that small and medium-sized companies are still the targets of choice for computer criminals. As one can read in the New York Times article “No Business Too Small to Be Hacked”, 60% of all reported cyber-attacks in 2014 were against small and medium-sized companies. As it is no longer profitable to steal credit cards over the Internet, cyber criminals have become more sophisticated. They now make use of “ransomware”. This attack is introduced into a company’s computer systems when employees click on malicious links in emails or download infected files. The “ransomware” then locks the company’s computer system and an announcement appears requesting that a ransom be paid in order to have the malicious software removed from the system.
Given the increase in such attacks, being unprepared is like playing security roulette, said Robert Siciliano, chief executive of IdTheftSecurity.com. “If you’re not deploying some level of security, you’ll go under,” he added. “You have to make time for quality control. The worst thing you can do is nothing.” Mr. Siciliano recommends a security audit as a first step. The audit should take note of potential areas of risk, like customer data or employee access. “How secure — or not — is your system?” he said.
In order not to play Russian roulette with your data, you must carry out a complete IT security risk audit. If your IT department does not have the required level of expertise, you must give the mandate to a specialized firm.
For large and very large companies, these security risk audits must be performed internally and often. Unfortunately it is difficult, if not impossible, to objectively evaluate one’s own work when looking for weaknesses. It is also difficult to properly monitor the evolution of the defensive technologies the company needs while at the same time following the evolution of technological threats and the malicious risks associated with social engineering. This is one of the observations of PricewaterhouseCoopers LLP in their paper “Fortifying your defenses: The role of internal audit in assuring data security and privacy”.
In our experience, every company has security controls and privacy policies, often quite comprehensive ones. But all too often, no one checks to see if these protocols are being followed. As well, new threats to information security are often overlooked—threats that might demand new procedures and tools. …
No matter how strong its data security policies and controls, a company won’t really know the adequacy of its defenses if it doesn’t continually verify that those defenses are sound, uncompromised, and applied in a consistent manner. To achieve such assurance, internal audit has to play a far more substantial role in information security than is often the case today. Companies’ audit committees must also pay more attention to the problem, and heighten the expectations they place on internal audit regarding information security.
ISACA (Information Systems Audit and Control Association), for its part, stresses the inherent conflict that can exist between internal auditors and their IT colleagues.
In the interviews, information security professionals indicated that how internal auditors approached the review of information security profoundly affected the quality of the relationship. At one extreme, the auditors could be perceived as “the police” who were out to catch mistakes; at the other extreme, they could be viewed as consultants or advisors. Not surprisingly, the two examples had markedly different effects on the quality of the relationship. When auditors were viewed as “the police,” the relationship was formal, reserved and even adversarial; but, when auditors were perceived more as advisors and consultants, the relationship was more open and positive. The latter view was most clearly explained by the information security manager who provided the comment about the “cat-and-mouse” game quoted earlier, who said: “We can leverage each other’s expertise and position in the organization to make things happen. Many times the IT department will tend to almost hide things from audit because they do not want to get a black eye and we don’t have that issue here so much…we have the same goals.”
If, after all, large companies persist in self-auditing these IT security risks, they must establish a risk management team under the direction of a CISO (Chief Information Security Officer) who reports to the CIO (Chief Information Officer). This of course requires the CISO to have the mandate to report the failings of their own boss. Communication between the CIO and the CEO will remain difficult. The fact remains that the CIO and the CEO often do not speak the same language. Most CEOs are familiar with finance, marketing, production and human resources, but information technology remains the “black sheep” of their competencies. On the other hand, the CIO has difficulty emphasizing, in language the CEO understands, the importance of the technologies that will allow the company to survive cyberattacks, let alone the technologies that will help the company innovate. This dichotomy has been widely observed and may be heard in the audio clip “CEO-CIO disconnect”. This is also the essence of what NCX Group says in its article “Study shows businesses the ROI behind a strong security program”.
The big problem with the CEO and CIO disconnect isn’t only that it weakens security, but also that it negatively impacts business growth. A recent study showed just how influential an organization’s security impacts business dealings.…
The fact that those running a business, from the CEO and the board to the CIO and the CISO, can’t agree on how to stay proactive and effective with security is something that must change. Yes, the CIO and CEO speak a different language and have different responsibilities; but their common goal is to stay in business. With this in mind, and the clear ROI behind a strong information security program, there has to be a meeting point between all those involved; and it starts from evaluating what’s missing with the security process in place.
As I often say, in an organisation a file moves down the hierarchy much more easily than it moves up. This is one of the reasons why it is essential that the CEO is involved and sends a strong signal that computer security is one of the issues most fundamental to the growth and survival of the company, whatever its size…
References
No Business Too Small to Be Hacked (The New York Times): https://www.nytimes.com/2016/01/14/business/smallbusiness/no-business-too-small-to-be-hacked.html
Fortifying your defenses: The role of internal audit in assuring data security and privacy (PwC): https://www.pwc.com/us/en/risk-assurance-services/assets/pwc-internal-audit-assuring-data-security-privacy.pdf
Internal Audit’s Contribution to the Effectiveness of Information Security, Part 1 (ISACA Journal): https://www.isaca.org/Journal/archives/2014/Volume-2/Pages/Internal-Audits-Contribution-to-the-Effectiveness-of-Information-Security-Part-1.aspx
Study shows businesses the ROI behind a strong security program (NCX Group): http://www.ncxgroup.com/2016/04/study-shows-businesses-roi-strong-security-program/#.WLc9NBLhAdU
Benoit Grenier
Co-Founder and CEO
Proactive Risk Management
www.parminc.com