Article written by:
Doug Davidson
Director of Information Technology Services
Organizations that are secure and resilient operate their cybersecurity program as an element of their business risk management, not simply as another element of IT risk. Our experience is that quality, mature security programs consider not only the systems in their environment and other bits-and-bytes issues, but take into account the potential for cyber impacts across the entire company. This includes applications and data outside of the firm’s control, including those of its suppliers and customers.
Our experience in working with clients to assess and improve their security programs is that more effective, mature security programs start with management working to answer the following questions:
- What are your company’s cybersecurity risks? How is the company managing these risks? Is your current cyber risk management program meeting stakeholder and customer expectations? Is your current program meeting your firm’s regulatory obligations? How do you know?
- Do you have an inventory of systems, software, data, and information? Does that inventory include cloud applications, mobile applications, and other third parties who may have access or control of the firm’s data and information? Do you manage that inventory as you do your financial ledger or physical assets? Do you know the risks to those assets?
- Have you selected a recognized, accepted framework, such as the NIST Cybersecurity Framework, to address cybersecurity with a defense-in-depth approach?
- When was the last time you conducted a risk assessment or maturity assessment of your security program against the selected framework? When was the last time you conducted a penetration test of your cyber defenses? What were the key findings, and how are you addressing them? What is your firm’s security program maturity level?
- Do the company’s outsourced providers and contractors have cybersecurity controls and policies in place? Are those controls consistent with your firm’s policies given the types of data involved? Are those controls monitored? Is the risk associated with those vendors considered? Are your cyber risk interests considered in contracts with these companies based on their risk to your firm?
- Is there an ongoing company-wide awareness and training program established around cybersecurity? Do your employees know their role? Do your employees understand how to handle sensitive information to keep it secured?
- Do new technology plans include steps for managing the risks of new technologies?
- Are you comfortable that you are meeting your customers’ security concerns?
- Does your external auditor indicate you have cybersecurity-related deficiencies in the company’s internal controls over financial reporting? If so, what are they? What are you doing to remedy these deficiencies? Are they signs that you may have broader, company-wide cybersecurity deficiencies?
- Does an executive-level manager receive regular updates from those in the firm responsible for security operations on the continuing maturity of the program? Has a steering committee been established to help balance business goals and security imperatives? Collectively, do they routinely receive metrics or other updates regarding the topics above?
GBQ Information Technology Services is a team of builders, breakers, operators, and auditors experienced in IT strategy, enterprise risk, cybersecurity, productivity solutions such as data analytics, as well as IT audit and assurance.
For more information or assistance with cybersecurity matters, please contact Doug Davidson, Director of Information Technology Services.