A conversation with risk management and internal audit expert Norman Marks
The consequences of a cyber-attack—including a hit to reputation, lost customers, diminished credibility, and the cost of repairing the damage, just to name a few—are such that companies will do everything they can to defend against them. That is, of course, everything within reason and considering they have limited resources to spend on cybersecurity.
So where do you draw the line? Risk expert, Norman Marks, who has served as chief audit executive at several large companies, says thinking about how to answer that questions can provide new insights into the difficulty of managing the vast threat of cyber-attacks and data breaches. He says companies tend to be reactive, throwing money at every weakness they find, rather than considering the bigger picture and spending limited resources where they will do the most good.
We sat down with Marks, who gave a keynote talk on cyber-risk at the IT Audit & Controls conference last month in New Orleans, to talk about how to balance the never-ending threat of cyber-attacks with the fact that companies don't have unlimited resources to defend against them.
Marks says it comes down to return on investment. "The key is to understand what the potential impact on the business would be if you had a breach," he says. "How would it affect the business? How would it affect the achievement of objectives and the success of the organization? And how much is it worth spending to address that? Because we don't want to spend more money than we are actually getting a return on in terms of reducing the risk."
It could involve a change in focus for managing cybersecurity risk, Marks warns. "We still need to understand the weaknesses in our defenses," says Marks. "But we need to recognize that defense alone is not sufficient. A determined, intelligent attacker is going to, at some point, breach our defenses. So the change should be to recognize that. We still do what we can to put reasonable defenses in place, but put more priority on understanding when and how they get breached and how we react to it."
According to Marks, organizations would do well to spend some of those defense funds on better detection mechanisms. He says they are taking too long to realize they have been breached, causing the damage to escalate. "In the current situation, the average breach takes 9 to 12 months before its detected, and that is simply unacceptable," says Marks.
He adds that internal audit has an important role to play in managing cyber-risk. "Internal audit's role is to help management navigate this very, very difficult situation," says Marks. "We have an opportunity to provide some objective information to management and to help them understand what the risks are in terms of business. We have on the internal audit side a very broad perspective. We are not tied up on one side or the other, so we can actually bridge the business side and the technology side."