
Inside Internal Controls

News and discussion on implementing risk management


Information security guidance

In this Audit Committee Brief (July 2012, The Promise and Perils of Information Technology), Deloitte points to the changing, expanding and strengthening role of IT and how it can benefit an organization.

According to Deloitte, IT now plays many fundamental and highly beneficial roles in businesses, including:

  • Improving access to and analysis of information
  • Facilitating and strengthening communications both within the company and with customers
  • Storing and organizing numerous streams of sensitive data
  • Securing communications and other proprietary information to prevent identity and intellectual property theft
  • Managing network interruptions and other intrusions

Why is that?

2011 and 2012 were the years we constantly heard about security breaches around the world. “The growing threat to enterprise security is a concern for many IT leaders, with 69 percent expecting a negative impact to their organization within the next three years.” (Source: CIO)

While many security organizations remain in crisis response mode, some security leaders have moved to take a more proactive position, taking steps to reduce future risk by strengthening their information technology department (as reflected above).

However, Deloitte indicated that this “expanding IT landscape poses a risk of malicious activities”.

Attacks on IT infrastructure are no longer isolated occurrences. A study by the Ponemon Institute revealed that among 50 companies studied in 2011, there was on average more than one successful cyber attack per company per week, an increase of 44 percent from 2010.

Deloitte is calling for IT Audit Committees to become more IT literate, given the increasing complexity and pervasiveness of technology and the common assignment of the audit committee to couple risk and IT oversight with financial reporting oversight.

This knowledge is often gained through the expertise of a committee member or through external specialists as needed.

Deloitte provides proactive strategies and steps the IT Audit Committee can take to combat threats and implement risk management measures. The risk management process should therefore not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization. This means that understanding IT risks and discussing them with management can help committee members anticipate issues and critically evaluate management’s plan of action when concerns arise.

Audit committees can enhance their effectiveness by adopting a proactive and communicative approach to monitoring IT security… to ask the right questions and focus on the right issues when the unexpected occurs.

In a related Governance, Risk Management and Audit post, Norman Marks comments (August 26, 2012 at 11:07 AM) that preventative measures should be supplemented with detective ones:

The odds of bad guys getting in are so high, we need to have reliable methods of detecting when they get in and acting to limit damage promptly.

While it is prudent for any organization to invest in both, it may be surprising to learn how many organizations have yet to fill, properly integrate or utilize the role of the Chief Information Officer (CIO) and the information security guidance that role provides.

If your organization does not have a CIO, or does not have a properly integrated and utilized CIO (including for information security guidance), it may be time to consider what is at stake for your organization (e.g., The Role of the CIO: What’s Really at Stake). Yes, the evolving role of the CIO in security is something to move from your radar (e.g., 10 Predictions for What the CIO Role Will Look Like in 2020) into your active thoughts and initiatives. You may even want to label the CIO role as Chief Information Security Officer, but as important as security is, would placing security in the role title be limiting? In any case, it seems safe enough to say that the evolving role of the CIO certainly involves security. So if your company is looking for resources related to information security, a good place to start should be, and is expected to increasingly become, the OCIO (office of the chief information officer). In fact, if you are looking for “some guidance on how to formulate a holistic security strategy”, the CIO role is a good place to start… as you might expect, information assurance (including security) has to be a top priority for any CIO.

So I will ask you this, has your organization filled, and properly integrated and utilized the role and information security guidance of the CIO?

Let me know. I would love to hear from you on this, and I’d imagine there may be differing opinions of what is the best way to properly integrate the CIO. For example, your opinion of what is proper may be based on different input data or surveys as follows:

Your opinion of what is proper may also be biased, depending on whether you come from the accounting world (e.g., perhaps you are a CFO type like Mr. Sherman), the engineering world (e.g., perhaps you are a CTO type like Mr. Coallier), or the IT world (e.g., perhaps you are CIO or VP type such as Stephen Ibaraki, perhaps another type of leader e.g.,

Regardless of your professional sector, it would be interesting to hear from you and what has informed your opinion.

Perhaps you contributed to a best practice like COBIT 5 or ITIL v3 and would like to quote something in particular.

Perhaps you have a link you’d like to share that answers the question of how many organizations have yet to fill, properly integrate or utilize the role and information security guidance of the CIO.

Perhaps you have a link you’d like to share that provides a definition for what is proper.

Perhaps you feel the 10 steps toward more effective cyber-threat risk governance suggested in the Deloitte audit brief should have made step 3 (“Hold a senior executive accountable for cyber-threat risk management”) be step 1.

Perhaps you’d like to share your opinion of where IT should report and would like to share a link about a particular trend.

Perhaps you feel where IT should report is situational, that is, it depends on the nature of the organization or related circumstances.

For example, in your industry, do you see a trend for IT to move from reporting to the CFO to reporting to the CIO and for the CIO to be a member of the executive team reporting to the President/Board?

Perhaps you think the topic should explore the critical skills and competencies of the future CIO… as examples:

Perhaps see page 4:

… mitigate it. “Both information security risk management and overall enterprise risk management are crucial to the credibility of the new CIO leader.”

Page 6, Competency 12

12. Risk management. Ability to mitigate the risks faced by the institution with respect to network and application security, information privacy, regulatory compliance, disaster recovery, campus safety, and large-scale projects.

And Page 9, Communities of Practice

Rather than organizing the IT professionals around technologies, the CIO should look to organize around the processes supported by the IT organization to provide a more seamless consumer experience. The overlay of process teams on traditional organizational structures may be a first step. In this regard, the IT Services division at Miami University (Ohio) is employing communities of practice (CoP) for bodies of knowledge or processes that overlay the official departmental IT structure. CoP examples include professional development, IT architecture, security, process definition and improvement, and communication and advocacy. In addition to promotion of more seamless and successful solutions, these CoPs provide leadership development opportunities for the IT staff members.

I look forward to your feedback, and wish you a good day.

Ron Richard
Quality management specialist


Quality, Information Technology and Enterprise Risk Management specialist at Ron Richard Consulting
Ron Richard, Quality, Information Technology and Enterprise Risk Management specialist, has held positions at most any level of an organization, and acquired more than 30 years of relevant experience including related work done at the College of the North Atlantic. Ron is author of Inherent Quality Simplicity and the Inside Internal Control newsletter Modern Quality Management series.
