Part four of our series, Building the Modern Corporate Risk-Assurance Function
Cybersecurity is unlike any other business risk because it isn't a risk at all. It's simply a new manifestation of all the business risks you already have.
That point may sound trite, but its implications are profound. Managing cybersecurity in a comprehensive, effective way will take audit and compliance executives well beyond their comfort zones. All the risk assurance efforts you build on the framework of the COSO cube and the strategy of the Three Lines of Defense will still exist, but in new mixtures and new forms. Much of what you do today will need to be re-imagined.
Good cybersecurity will become a strategic issue. That is, cybersecurity will be about driving employees, customers, and business partners to behave in certain ways, rather than about testing firewalls, devising clever password policies, or executing smooth breach disclosure programs. In the very near future, if you still insist on defining cybersecurity as a series of IT tools and controls, you will have failed.
Consider an analogy from healthcare. At some point, you might suffer a heart attack. You can carry around a tool to survive that heart attack, such as a defibrillator—and if you do have a heart attack, that defibrillator could be a lifesaving tool. Or you can try to lead a healthier life every day, by exercising and eating right.
Modern risk assurance needs to treat cybersecurity the same way: as a process of "healthy living" where the entire enterprise handles data carefully and properly. To do otherwise—to rely only on tools like firewalls, security tokens, and passwords—is akin to keeping a defibrillator nearby while you sit on the couch eating potato chips all day. Does that sound like a good way to prevent heart attacks to you?
Step 1: Re-imagine Your Risk Assessment
If good cybersecurity is about being a good custodian of the data you have, then the premise of your risk assessment shifts. The fundamental question isn't whether your security controls work properly, or which regulations apply to the data your company has. You must think more broadly and ask: How could our organization mishandle the data we have?
Framing your risk assessment this way brings several benefits at once. First, it disciplines the organization to think about business processes, and how they can be improved. That is a far better way to approach cybersecurity than to spend time trying to imagine specific threats, because the latter idea lures you into responding with specific controls or tools to fight those threats—and you're back to the analogy of sitting on the couch with your defibrillator, rather than improving your overall health.
For example, everyone agrees that outside hackers trying to pilfer your data are a serious risk. The far more dangerous risk, however, is the insider threat, because insiders can mishandle your data in more ways, and they often don't even mean to cause any harm. Indeed, one of the most common cybersecurity threats is the phishing attack, where outsiders exploit insiders by sending them bogus emails that ask the insider to reply with valuable data (or to hand over the credentials that unlock it).
Let's get even more specific. The scam making the rounds right now is a phishing email purporting to come from the CEO of your company, sent to someone in the HR department, asking that employee to reply with W-2 tax information on all the company's employees.
The risk there is enormous, but the most effective control is simple: the HR employee needs to know when to challenge the CEO about why he or she needs that personnel data, and to verify the request through a channel the attacker doesn't control (a phone call to a known number, or a walk down the hall) before sending anything. Yes, the company could also invest in tools such as better email filtering to flag suspicious messages, but then you've agreed to enter an IT security arms race with hackers trying to exploit weaknesses in your internal processes for data handling.
Training employees to recognize unusual requests for data may be difficult, especially for junior-level workers or people burned out from an unhealthy culture. Regardless, training is an ideal solution to insider threats because it improves the process of handling data. The specific insider threat no longer matters; today it happens to be accidental leaking of W-2 data, but a new threat will appear tomorrow. Training is a strategic tool that helps employees address whatever comes along.
Training and insider threats are only one example of the risk assessment re-imagined for modern cybersecurity. Audit, compliance, and IT security professionals will need to keep pushing that line of thinking constantly, throughout the whole enterprise.
Thankfully, asking that question—"how might our organization mishandle the data we have?"—sweeps business units in the First Line of Defense into the conversation. That's critical because they manage those business processes in the first place. With clear lines of communication between first- and second-line functions, you can connect the unwanted event (say, stolen intellectual property) to the flawed process (poor oversight of contract IT vendors), and devise better controls (improved due diligence, tighter access controls, and indemnification in the vendor's contract).
Traditional tools such as firewalls, security tokens, and strong passwords will always be part of cybersecurity. But as we conduct more business processes online, stopping cybersecurity threats will be more about building stronger processes online—so tools will only be one part of the solution. Depending on the risks you find, they may not even be the most important one.
Consequences for Internal Control
Once you start assessing cybersecurity risks as a question of how your company handles its data, other consequences follow. Foremost, the mix of controls you have to address those problems will change—less about "hard" controls, such as blocked websites or complex passwords, and more about broader solutions such as better training or more monitoring. In other words, effective internal control over cybersecurity will stress different principles of internal control than what we've seen in the past.
For example, a cornerstone of IT security has been authentication: users must prove they are who they claim to be before the IT system grants them access to certain data. But authentication has an implicit weakness: it proves possession of a credential, not identity or intent, so all an intruder needs to do is successfully impersonate a user. As corporate data has become more valuable, and impersonating someone has become easier (thank you, social media), authentication regimes have grown more complex: longer passwords, renewed more often, with more challenge questions. (Current guidance, NIST SP 800-63B, has since walked back both forced periodic rotation and knowledge-based challenge questions, which says something about how far that road goes.)
Password policy falls under Control Activities in the COSO internal control framework, but password complexity cannot increase ad infinitum. If we move instead to a cybersecurity regime where users must handle data wisely, and "improper data usage" raises a security alert no matter what credentials the user presented, then the control shifts. You need more effective monitoring of employee activity, which falls somewhere between Information & Communication (as your IT systems observe and report improper usage) and Monitoring (as that incident is relayed to someone in IT security or business operations who can stop the employee).
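An added example of the monitoring control described above (not code from the original article, and not any vendor's product): a small Python detector run over constructed access-log lines. Every session in the sample log authenticated successfully; the alerts come from how the data was handled. The roles, the entitlement map, the thresholds and the log format are all hypothetical.

```python
"""Usage-based monitoring: flag how data is being handled, regardless of
whether the session authenticated successfully (every line below did).
Added example; the roles, thresholds and log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical entitlement map: data classes each role is allowed to touch.
ROLE_ENTITLEMENTS = {
    "hr_analyst": {"payroll", "w2"},
    "wealth_advisor": {"client_pii"},
}
BULK_THRESHOLD = 500          # records in a single read/export
WINDOW = timedelta(hours=1)   # rolling window for cumulative volume
WINDOW_THRESHOLD = 2000       # cumulative records per user within WINDOW


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    authenticated: bool   # "ok" in the log: the user passed authentication
    data_class: str
    action: str           # "read" or "export"
    records: int


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    rule: str
    detail: str


def parse_line(line: str) -> Access:
    """Constructed format: ts|user|role|auth|data_class|action|record_count."""
    ts, user, role, auth, dc, action, n = line.strip().split("|")
    return Access(datetime.fromisoformat(ts), user, role, auth == "ok",
                  dc, action, int(n))


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(accesses) -> list:
    """Return alerts in timestamp order. None of the rules look at whether
    authentication succeeded; they look only at what was done."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, records)] inside WINDOW
    for a in sorted(accesses, key=lambda x: x.ts):
        # Rule 1: data class outside the role's entitlements.
        if a.data_class not in ROLE_ENTITLEMENTS.get(a.role, set()):
            alerts.append(Alert(a.ts, a.user, "out_of_role",
                                f"{a.role} touched {a.data_class}"))
        # Rule 2: a single bulk read or export (the W-2 dump in one go).
        if a.records >= BULK_THRESHOLD:
            alerts.append(Alert(a.ts, a.user, "bulk_action",
                                f"{a.action} of {a.records} {a.data_class} records"))
        # Rule 3: many small reads that add up inside the window (slow
        # exfiltration). Fires once, at the moment the threshold is crossed.
        hist = recent[a.user]
        hist[:] = [(t, n) for t, n in hist if a.ts - t <= WINDOW]
        before = sum(n for _, n in hist)
        hist.append((a.ts, a.records))
        if a.records < BULK_THRESHOLD and before < WINDOW_THRESHOLD <= before + a.records:
            alerts.append(Alert(a.ts, a.user, "cumulative_volume",
                                f"{before + a.records} records within {WINDOW}"))
    return alerts


# Constructed sample log. Every session authenticated ("ok"); the alerts
# come from usage alone.
SAMPLE_LOG = """
2016-06-01T09:14:00|alice|hr_analyst|ok|w2|read|12
2016-06-01T09:20:00|alice|hr_analyst|ok|w2|export|3100
2016-06-01T10:02:00|bob|wealth_advisor|ok|client_pii|read|40
2016-06-01T10:05:00|bob|wealth_advisor|ok|payroll|read|3
2016-06-01T11:00:00|carol|wealth_advisor|ok|client_pii|read|450
2016-06-01T11:10:00|carol|wealth_advisor|ok|client_pii|read|450
2016-06-01T11:20:00|carol|wealth_advisor|ok|client_pii|read|450
2016-06-01T11:30:00|carol|wealth_advisor|ok|client_pii|read|450
2016-06-01T11:40:00|carol|wealth_advisor|ok|client_pii|read|450
"""

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert.ts.isoformat(), alert.user, alert.rule, alert.detail)
```

On the sample log this raises three alerts (alice's bulk W-2 export, bob's out-of-role read of payroll, carol's slow accumulation of client records), and a valid login saves none of them. This is the Information & Communication half of the control; the Monitoring half is whoever receives the alert and acts on it. Thresholds and entitlements tuned for one business unit will be wrong for another, so they belong with the First Line process owners rather than buried in an IT configuration.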
At a theoretical level, none of this is rocket science. At the practical level, it requires considerable cooperation among IT security, internal audit, compliance, and business unit leaders to create the right controls. The conversation shifts from "how can we stop Outcome X from happening" to "how can we steer employees and everyone else to handle data in certain ways we want"—the very definition of elevating something to be a strategic issue.
A Word on Compliance
We cannot discuss cybersecurity without looking at the unusual role the compliance department plays. In some respects, compliance is crucial to help internal audit, IT security, and business units understand the regulatory risks for how data should be handled. On the other hand, compliance also has its own job—usually after a breach, when the company must clean up a cybersecurity failure.
A 2014 survey from Kroll, for example, found that 75 percent of compliance officers had no role in cybersecurity planning before a breach, but 44 percent were responsible for disclosure after a breach. In other words, a company can have poor internal control over cybersecurity, and excellent breach disclosure.
That scenario isn't hypothetical. It happened in June 2016, when the Securities and Exchange Commission fined Morgan Stanley $1 million for poor cybersecurity controls. Those internal control failures included faulty access controls that let an employee download personal data on roughly 730,000 customer accounts, and poor audit procedures, since the bank apparently hadn't audited those controls for at least 10 years. On the other hand, once Morgan Stanley did discover the theft (because hackers then stole the data from the rogue employee and posted it publicly), the bank's compliance function acted superbly: it found the stolen data online, fired the employee promptly, reported the breach, and cooperated with authorities in the investigation.
The Morgan Stanley case underlines the main point here: effective cybersecurity is about building effective processes to handle your data. Morgan Stanley had effective processes to handle data after a breach; it just failed to build strong processes for handling data before a breach. The modern enterprise needs to start thinking in those terms all the time, because more and more business processes will live online in the future. So they'd better live healthy.
Note: This is the fourth paper in a series of four that examines how to build the modern corporate risk assurance function. The first part is: Rethinking Basic Principles of Risk Oversight. The second part is: Ending the Risk Assurance Turf Wars. The third part is: What We Worry About When We Worry About GRC.
Matt Kelly is an independent compliance consultant who lives in Boston. The views expressed here are his own. He can be reached at firstname.lastname@example.org.