October 26, 2021
Dean Flores
Principal, Risk Advisory Services Leader
Atlanta, GA

Why You Need More Than Your IT Director to Manage Cybersecurity Risk
If you trust your IT director alone to protect your organization from cyberattacks, you’re not taking a best-practices approach to risk mitigation. Information technology management and cybersecurity management are two different professions, with different responsibilities and competing priorities.
IT directors select, deploy and maintain technology — networks, hardware, software and peripherals. They focus on efficiency and reliability, ensuring that hardware and software function properly. Cybersecurity directors look for threats and emerging vulnerabilities to protect the organization.
IT directors manage IT infrastructure and operations. Typically, they don’t have a risk management background. Cybersecurity directors, in contrast, monitor and manage IT-related risk. Compare this to the way your company handles deposits. One person deposits money in your corporate accounts. Another person reconciles those accounts.
Division of responsibility is a key internal control.
Effective Cybersecurity Finds Answers for Tough Questions
The challenge for corporate cybersecurity is allowing access to resources while keeping them secure. All too often, companies install new technologies without asking the tough questions:
- Who will use the technology and how will they use it? This is a pressing concern, now that more people work remotely and use their own mobile devices and laptops.
- What type of data will these technologies store? Cybersecurity best practices call for using the Advanced Encryption Standard (AES) to protect all data, whether at rest or in motion.
- What are the maintenance requirements? Software needs periodic updates, not just for enhanced functionality, but for cybersecurity. You need a cybersecurity director to monitor these updates.
- Was the system designed securely? This is intentional design, focused on early detection and prevention instead of remediation, which is costly and time-consuming.
- How do you verify that your vendors implement cybersecurity best practices? Cyberattacks aren’t always direct. Make sure your vendors document their compliance with your cybersecurity standards.
- How would an attacker gain access to your system? Effective cybersecurity understands every possible point of entry into your infrastructure, so that access can be developed and managed more tightly.
- What could disrupt IT services and how long would they be disabled? Threats include ransomware attacks, internet of things (IoT) hacking, and phishing attacks. These can result in identity, data or intellectual property theft.
- What would be the impact of a cyberattack? Possible impacts include data loss, lost value and productivity, weakened customer and vendor relationships, and reputational damage.
According to Cybersecurity Ventures, cybercrime will cost the global economy $10.5 trillion annually by 2025. The question is, how much of that lost value will come out of your company?
How to Maximize the Return on Your Cybersecurity Budget
Earlier this year, the U.S. Securities and Exchange Commission (SEC) indicated a change in the way it views cybersecurity. It now sees cyber vulnerabilities as an existential business risk. That risk also applies to privately held companies (a ransomware attack can devastate any business regardless of size).
In recognition of this risk, companies are spending more on cybersecurity, even as IT budgets shrink or remain flat. The challenge will be to deliver a better return on that investment. The Institute of Internal Auditors (IIA) offered direction in 2013, publishing a position paper entitled “The Three Lines of Defense in Effective Risk Management and Control.” The basic model, although recently refined, applies to cyber risk.
The Responsibilities of The Three Lines of Defense
In this model, IT management provides the first line of defense against cyberattacks. As operational managers, they own and manage risk. They’re responsible for developing and maintaining effective internal controls. These controls identify, assess and manage risk, shaping the design and implementation of policies and procedures to meet operational responsibilities.
IT management must design controls into their systems and processes, providing management and supervisory oversight to ensure compliance. Mature organizations should also be able to detect and recognize early indicators of control breakdowns, outdated processes and unexpected events.
Cybersecurity management serves as the second line of defense, responsible for risk management and compliance. This group supports and supervises the risk management practices implemented as part of the first line of defense. Typically, this second line reports directly to senior management. In some businesses, they report directly to the board.
In the IIA model, cybersecurity management has the authority to intervene directly, making changes to internal control and risk systems. They provide internal guidance and training on risk management while monitoring implementation and advising IT management. As cybersecurity guardians, they’re responsible for assessing internal controls, quality of reporting, compliance and timely remediation.
Internal audit services form the third line of defense, providing senior management with independent, objective assurance. They assess the first and second lines of defense, focusing on how IT and cybersecurity directors work together to support risk management and control objectives. Their assurance covers operational effectiveness and efficiency, asset protection, quality of reporting, and compliance with applicable laws, regulations, policies and contracts.
Internal auditors evaluate their company’s risk management framework — how they identify, assess and respond to risk. They have to look at everything inside an organization, including all divisions, subsidiaries and departments, such as sales, marketing, production, customer service and technical support.
The IIA sees a professional internal audit function as an essential governance requirement for all companies, no matter their size. This is particularly critical for privately held or owner-operated companies that lack the bandwidth and organizational structure for effective governance and risk management.
Creating and Protecting Value
The IIA’s updated Three Lines Model now includes six principles. The sixth, “Creating and protecting value,” stresses the importance of collective action, aligning all roles to serve the stakeholders. As the IIA states, “Alignment of activities is achieved through communication, cooperation and collaboration.” This requires a complete review of your IT infrastructure and of how your people work to maintain and protect it.
To discuss the state of your cybersecurity, and how your people can align to create and protect value, contact your Windham Brannon advisor.
