A conversation with Marius Bosman, IT audit director at Ball Corporation

Interview by Joseph McCafferty

December 19, 2016

Communicating top risks to the board and C-suite is always tricky since it's such a critical area of involvement by the highest levels of the organization. Communicating IT risks can be even more challenging since directors and top executives aren't always sophisticated in technology areas. Information security and risk professionals must be sure they communicate in a way that will convey an accurate assessment of the critical IT risks without using too much "techie talk," or IT jargon.

Cybersecurity is such a critical issue that it is on most board agendas and a top concern of the CEO. IT auditors have a role to play in helping establish what the key IT risks are and how the organization is doing at managing them. This is one area that directors and the executive team are sure to push back on and probe for any weaknesses in the risk assessment.

We recently caught up with Marius Bosman, director of IT audit at Ball Corp., at the IT Audit and Controls conference taking place this week in New Orleans to talk about elevating critical IT risks in the organization and communicating those risks.

"I think overall companies are doing a good job [of elevating IT risks], however, in my experience on the risk management side around cyber, they could definitely be more proactive and could do a better job across the board," says Bosman.

Of course, to communicate those critical IT risks to the board, organizations must be able to identify them in the first place. Bosman says companies are good at identifying IT risks, but could always improve. "Companies are identifying the key IT risks as it extends from the business perspective, however, I think we could spend a little bit more time understanding the IT landscape and the cyber angle of that as well," he says.

"For us, it is important to keep a level head. We see these incidents occur in the media and the news and also understand that it's not the only risks to our IT environment. Availability of our systems, power interruptions, and other problems have a huge impact, and we need to keep a level head around that as well."

Bosman says many directors and CEOs are fairly sophisticated on IT risks and understand their importance. "Board are knowledgeable in this area, says Bosman. "I think boards are fairly well educated," says Bosman. "They do see a lot of cyber activity in the news and on the Web, and I think they know all the buzz words and they have a good understanding. However, for us it helps to send our head of IT and our head of IT security to our board meetings to help educate them further and put a little bit of perspective and balance into the conversation," he adds.

When it comes to boards that are less IT savvy, says Bosman, it can help to provide cases for them to learn from. "I think you need to use and example out of the news, and we've seen many examples. Sit down and explain to them in a really easy fashion or in laymen's terms, how did an attacker get access to a network, what went wrong, the fact that we are doing everything we can doesn't mean they can't get in, and if they get in how do we quickly detect that and respond quickly before any of our information gets hacked or gets stolen."

For more, click "play" to watch the interview.


 Joseph McCafferty is head of audit content for MIS Training Institute. He can be reached at jmccafferty@misti.com.