First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

cyber security

Amazing insights on cyber

A couple of recent pieces shed some light, some amazing light, on how cyber-related risk is perceived by executives and the board.

 

, , , , , ,

The board and cyber security

There’s another useful article on Forbes. How to talk to the board about cybersecurity is written by an experienced CIO, John Matthews. Here are some useful excerpts with my highlights:

 

, , , , , , , ,

A CIO talks business sense about cyber security and the CISO

Every so often, I see an interesting piece on Forbes.com. This time it is How To Talk To the Board About Cybersecurity. A CIO shares his experience working with boards and advice on that challenge for CISOs. Here are some useful comments (with my highlights):

 

, , , , ,

UK government guidance on risk and cyber: the very good and the very bad

The National Cyber Security Center (NCSC) is a part of the UK’s Government Communications Headquarters (GCHQ). If you are like me, you may have only heard about GCHQ in an unflattering context, that of working with US intelligence agencies to spy on foreign heads of state and hack foreign agencies.

 

, ,

SEC investigates cyber-related frauds

On October 16th, the US Securities and Exchange Commission published Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.

 

, , , , ,

New information about cyber risk is alarming

According to the 2018 Sentinel One Global Ransomware Report, it appears that the frequency of attacks are surprisingly high, but the extent of damage is surprisingly low.

 

, ,

So what if the risk is high?

Most organizations cannot afford to reduce every single risk to what some practitioners would deem acceptable. Providing actionable information about all the things that might happen, not by using terms like High, Medium, or Low, but in specific business terms will help evaluate which risks to take.

 

, , , , ,

My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.

 

, , , , , , , , , ,

The state of information or cyber security today

Senior management must understand the state of information or cyber security today and how it affects enterprise objectives and the delivery of value to customers and other stakeholders. A number of recent publications talk to this topic.

 

, , , , , , , , , ,

Mitigate the risks associated with IT systems acquisition

Any organization which acquires IT systems must do so carefully. Among other reasons, systems may be costly, they may be critical to business operations, and they may create significant risks (for example a risk of security breaches). The following suggestions will help to mitigate some of the risks associated with IT systems acquisition:

 

, , , , , , , , , , ,

What a CEO needs to hear to invest more in compliance – strategy

Investment decisions are strategic. They are based on a business case and cost/benefit analysis. Expense decisions are more tactical, and are often associated with things an organization must do to keep running – like meet a regulatory requirement so they can check the box.

 

, , , , , ,

What do audit committees think about risk and audit?

I am encouraged by the latest KPMG report, their 2017 Global Audit Committee Pulse Survey. I am encouraged because KPMG appears to be asking the right questions and getting intelligent answers.

 

, , , , , , ,

Privacy Commissioner examines cyber security

The increasing cyber security threat continues to raise a series of privacy risks for organizations. The Office of the Privacy Commissioner of Canada (OPC) has been regularly focusing on cyber security in letters of findings and guidance and, most recently, in a report, entitled “Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities”.

 

, , , , , ,