Nobody can get enough guidance about cyber-security these days, and the New England Chief Audit Executives group is no exception. I attended the group’s winter meeting here in Boston last week, and that’s all we talked about for two solid hours. These folks had good ideas galore about managing cyber-security risk, so let me recap the most important ones here.
First, worry more about the process of how information is governed at your business than about the tools you use to protect it. Last week’s discussion started with a panel of audit and IT executives, and every one of them agreed on this point. Tools address one specific risk, and they may do that quite well—but they may also be useless for every other risk. And if your process for governing information is sloppy overall, those other risks will hit you eventually. The tools you have won’t do you much good then.
I always favor analogies from the real world, so try this one: at some point in life you might suffer a heart attack. You can go through life equipped with tools to reduce that risk, such as a defibrillator, and it will indeed help when the time comes. Or you can improve your process of being healthy: eating right and exercising. Neither one of those procedures will assure that you never have a heart attack—but they will help you immensely in staying alive should a heart attack come to pass.
Good tools without good process are the equivalent of carrying around a defibrillator while you overdose on salty foods and sit on the couch all day. Does that sound like a good strategy for preventing heart attacks to you?
Second, define the roles for managing cyber-security risk at your business. Nobody at the CAE group specifically mentioned the Three Lines of Defense model, but that’s my default for any conversation about who oversees what part of a risk. In that case, the internal auditors have things a bit easy: you’re in the third line as usual, testing the security procedures and controls like you would any other.
The first and second lines of defense get more complicated. Clearly IT (or the IT security function, if you have a separate one) belongs in the second line. Compliance does too. But each one supports, in a different way, the business units bravely holding down the first line of defense. My first point above, to worry more about process than tools, still holds true—but you do need both tools and process to have effective cyber-security: IT supporting the tools to fight cyber-security risks, compliance supporting the processes.
I like to think of effective cyber-security defense as this: for business units to follow effective processes in the first line, compliance needs to do its job in the second line, defining what those processes are. They might be policies to have third parties certify their data security, or procedures for swift disclosure of a data breach. But the business units can’t follow a good process unless compliance does its job spelling out the policies and procedures that govern that process.
The third point I heard last week, and perhaps the most heartening one, was that Corporate America has faced a mess of poor controls and poor understanding of risk before—and we solved the problem. We’ve been here before with Sarbanes-Oxley compliance.
Numerous times I heard speakers worry about weak processes and then breezily add, “unless it’s a SOX process, because our SOX processes are generally strong,” or “if it’s a SOX-related control, usually we’re confident it works.”
Study those parallels between SOX compliance and cyber-security, because they are deep and vital. A huge amount of cyber-security risk hinges on access: ensuring that only authorized users get access to certain types of data. That is the same worry compliance and internal auditors have about access control to financial information—and you’ve been testing your access controls for financial data for the better part of a decade. Drop the word ‘financial’ from my last sentence, and you have your marching orders for cyber-security risk. I’m not saying that goal is easy to achieve, but that’s the goal.
You can even make an intellectual leap from SOX compliance back to the importance of a strong process. When you read through the 17 guiding principles of the updated COSO framework—the framework we’re all using for SOX compliance—those principles are all about strengthening your process. Everyone might be using the framework right now for internal control over financial reporting, but COSO intended the framework to be a roadmap for internal control over other risks too, cyber-security included.
So as scary as cyber-security might be right now, it can be conquered. If the compliance and audit community tamed Sarbanes-Oxley, you’re in prime fighting shape for this threat too.