Audits: pain or gain?
- April 19, 2016
- Posted by: Normand Brien
- Category: Uncategorized
As the landscape shifts, executives and board members increasingly are forced to take ownership and accountability for any cyberrisks facing an organization. No longer is cybersecurity just a technical and operational issue.
It’s fair to say most of us dread a dentist visit to work on a cavity or to pull a tooth; crowns and fillings alone should be a deterrent to that anticipated visit. When we’re young, our parents tirelessly explain about oral hygiene, suggesting a proper diet, brushing often and going to the dentist regularly. As we grow older, the inevitable happens — oral decay and potential gum disease. Unless we are diligent about what we eat and listen to health providers about smoking hazards and our brushing habits, expect frequent visits to the dentist.
Much like caring for our teeth, avoiding the hardships of a financial downturn or the risk of being hacked should be a priority. Frequent assessments of a company’s health would improve the effectiveness of its governance processes and of what has already been established as the strategic and operational fundamentals of the business. We live and work by rules and regulations; agencies (federal, state and local) across all industries require that you assess the risks or dangers that put the business in harm’s way. The company’s stakeholders, often its customers or investors, expect that the business is protecting their investment, functioning properly and being transparent about its transactions.
Risk is the main cause of uncertainty in any organization. Thus, companies increasingly focus on identifying risks and managing them before they affect the business. The ability to manage risk helps companies act more confidently on future business decisions, and knowledge of the risks they face gives them various options for dealing with potential problems. To improve the company’s risk posture, corporate leaders should press for answers on open concerns about operational practices without influencing the outcomes.
CEOs and other C-suite leaders must understand their business environment; beyond the economic (financial impacts) and technological (privacy, mobility and rapid enhancements) aspects, business advisers should be cognizant of industry regulations and consumer conversations. With this knowledge, they should confidently engage a certified and trusted resource to assess and document potential risks in these areas and to lay out plans to mitigate or resolve them.
Risk management: Looming need for cyber experts and auditors
Risk management is a corporate function requiring executives to know the business impacts and to obtain the business intelligence needed to resolve the warning signs. Identifying strategic risks and conducting risk assessments ensures that leadership and risk avoidance reinforce each other in both directions.
For now, we’ll spend time here on the IT factor. Risk, in our case, describes a threat or a situation involving exposure arising from technology practices, which can come from both internal and external sources. External risks are those not generally forecast or under the direct control of management, such as government legislation, industry regulations, rate increases and so on. Internal risks, on the other hand, include noncompliance with policies, procedures and practices, or information sabotage, among several others.
Security hardening, regulatory compliance and operations governance are three elements of an IT strategy that should rise to the top, suggests BMC (a global leader in IT management solutions). Businesses must have a sense of urgency! If you owned a home, you would take safeguards to protect your property from an intrusion. Since information technology is exposed to even more risks, why not adopt the same behaviors and attitudes?
So let’s deal with it! When we need our teeth cleaned or a tooth fixed, we call an expert — the dentist. Periodic checkups or “audits” are required to protect our teeth going forward. In business, this means we hire our own experts to look after our day-to-day business protection and appoint independent resources to routinely audit how well we’re progressing.
Inside looking out
Nowadays, for successful and protected operations, organizations should have a dedicated team of certified security professionals to evaluate business practices for fraud and abuse. In recent years, many companies have added an independent risk management team. These specialists are in demand, especially in relation to cyber-threats and risk management. In this whitepaper from ISACA and the RSA Conference, the two information security organizations surveyed more than 450 practitioners. Although we are well aware that breaches have increased exponentially, most of these respondents are not prepared for a potential intrusion, citing a weak labor force, ineffective tools and, when hiring a novice, a learning curve that is steep and costly. Consequently, more than 80% of boardrooms are quite concerned. ISACA goes on to say, “ISACA / RSA Conference survey shows that cybersecurity is still seen as a technology issue, not a business imperative.”
Internal IT security teams, who report to senior-level management, ensure procedures and best practices are developed and documented for compliance with corporate policies. They also exist to oversee and perform assessments that identify vulnerabilities and threats. Leadership, in turn, trusts that the business impacts and the likelihood of these threats being exploited are being addressed.
Outside looking in
Most private and public companies are required to do an audit at least once a year; using auditors as a resource helps evaluate the effectiveness of internal controls regarding governance, risk and compliance. Their roles and responsibilities include the formulation and execution of strategies and meetings to fulfill the mission of protecting the organization. Professional auditors should carry high-level educational degrees (generally an MBA) and years of experience in accounting and information technology systems.
It is mystifying that many firms do not take the cybersecurity threat seriously, given this article from Risk Management. Is it a matter of funding or staffing? Maybe so; but given today’s threat level against network infrastructures, social media, electronic mail systems and documents, if you are not conducting assessments or taking advantage of the many solutions out there, then your business is ultimately set up for failure. There are ample resources available to guide you through evaluating and selecting professional services to stay on the offense. Visit here to learn about the different ISO standards, risk assessment techniques, and principles and guidelines for audits, among other materials.
It’s not always a thrill to visit a dentist; if we’re not diligent about dental health, chances are we’re in for pain. Maintaining habits of oral hygiene and regular checkups assures us our teeth will last a long time. In business, roadblocks and threats are inevitable and will be a painful experience — loss of funds or proprietary information, hostile takeovers, and so on. Take these simple steps to guide you toward an improved methodology that can eliminate the inhibitors to success.
Take the challenge of eliminating risks in your organization seriously. As the landscape shifts, executives and board members increasingly are forced to take ownership and accountability for any cyberrisks facing an organization. No longer is cybersecurity just a technical and operational issue. Cyber issues cannot simply be delegated to the security department; these are issues with serious potential business consequences, and they are directly related to corporate governance.
While more organizations are progressively implementing continuous reviews and, along the way, improving the quality of the data gathered during each audit, these specialists and managers need to be willing to move beyond their traditional yearly audit activities. Although some guidance exists today about the best ways to implement a continuous audit process (that is, for compliance managers), as with any major change, the evolution toward continuous auditing will take time and substantial attention from senior management.