
Questions directors should ask about information security

Deloitte has another useful piece of guidance out as an Audit Committee Brief: The Promise and Perils of Information Technology.

But have they missed an essential element in taking a traditional approach? We’ll come to that after looking at some of the value in the Deloitte publication.

Some of the interesting points they make are:

  • Attacks on IT infrastructure are no longer isolated occurrences. A study by the Ponemon Institute revealed that among 50 companies studied in 2011, there was on average more than one successful cyber attack per company per week, an increase of 44 percent from 2010.
  • Audit committees can enhance their effectiveness by adopting a proactive and communicative approach to monitoring IT security. When audit committee members are familiar with and comfortable discussing technology risks and initiatives, they are more likely to ask the right questions and focus on the right issues when the unexpected occurs.
  • All significant IT-related activities, projects, and risks should be evaluated in the context of the company’s overall strategy. It is important for audit committee members to have a strong understanding of the business value of IT, and the full range of its functions, from the practical to the innovative, should be considered. IT’s role is typically large enough to warrant a tailored strategic plan, which should be coordinated with the overall business strategy.
  • Board members should maintain communication with the chief information officer (CIO) or equivalent IT leader and have regular meetings in which the CIO reports on important IT matters. The CIO can be leveraged as a technology resource in the same way the CFO is a primary financial-reporting resource.
  • [Boards should] Require internal audit to evaluate cyber-threat risk management effectiveness as part of its quarterly reviews.

The authors suggest a number of questions directors can ask, and I think they all add value. I particularly like these:

  • Does the audit committee receive sufficient information to discuss IT strategy intelligently and effectively?
  • Is IT aligned with the business vision? Is IT strategy developed to both enable and shape business strategy?
  • Does the audit committee understand how IT can help monitor risk? Do we know the most material risks associated with IT? Are the plans for monitoring, reporting, escalation, and testing sufficient to mitigate risks?

Now to the question of whether Deloitte’s guidance has missed a critical element.

A few months ago, I was struck by a comment that a respected information security practitioner wrote. He said that organizations were spending too much of their IT security budget protecting their systems, trying to keep attackers out! Why? He said that the attackers were becoming ever more sophisticated and their methods are ahead of those charged with defending information assets. This made a lot of sense to me. He advised that instead of spending all our funds on prevention, we should spend a lot more on detection. The odds of the bad guys getting in are so high that we need reliable methods of detecting when they get in, and of acting promptly to limit the damage.

Earlier this month, I read a piece about how national governments are now involved in attacking not only each other but businesses and other organizations in target countries. The level of sophistication in these cyber-warfare units is extreme. The key statistic that got my immediate attention was that at least 120 countries now have cyber-crime units attacking, possibly, our systems.

Add to that news that organized crime is making at least tens of billions of dollars accessing our systems and taking confidential data out – which they then use to steal from us and our customers.

So, I am persuaded that the most important question directors should be asking about information security is this:

How will you know when intruders gain access to our systems?

Then, directors should follow up with this:

How can you ensure that any damage is limited?

I welcome your comments.

  1. August 25, 2012 at 1:20 PM

    Norman, Spot on. I think Deloitte’s guidance is helpful. I suspect the real issue for most boards is a lack of managerial or independent members that have real IT experience. By that I mean that few boards seem to see skills beyond accounting and banking as helpful or necessary. This also applies to marketing, HR and other specialist skills. Generalist or even senior management of IT as part of a wider business is not the same as having an ex CIO. IT has a language and lexicon of its own and it needs specialists to be able to engage with CIOs to challenge, test, probe and, ultimately, govern them.

  2. Pastor Patrick Orji
    August 26, 2012 at 10:27 AM

    I respect this view, but I don’t agree with it. The dictum “prevention is better than cure” is germane here. How can we prefer preventive controls to detective controls? You are advocating that we stop upgrading the strength of firewalls and anti-virus systems and concentrate on detecting what hit our systems after the damage has been done.

    For all I know, preventing the bad guys from gaining access is still less expensive than waiting to analyse how and why they gained access.

    • Norman Marks
      August 26, 2012 at 11:07 AM

      It would be foolish indeed not to take all reasonable precautions to keep the bad guys out.

      The point here is that it is foolish to assume that they will be effective 100%.

      Instead we should supplement preventative measures with detective.

      Do you agree?

      Norman D. Marks, CPA, CRMA
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management
      Vice President, Evangelist Better Run Business, SAP

  3. Girma Bersisa
    August 27, 2012 at 6:18 AM

    I don’t feel comfortable with the tendency of shifting towards detective controls while focusing less on the prevention aspect. I think it is more sound to keep on enhancing the preventive effort as much as we try to have robust detection capability.

  4. Ehtisham Syed
    August 27, 2012 at 6:33 AM

    Norman, excellent point “Instead we should supplement preventive measures with detective.” See the article “Back with the Vengeance” http://www.theiia.org/intAuditor/itaudit/2010-articles/back-with-a-vengence/

  5. jay
    September 2, 2012 at 6:51 PM

    Reading expert opinions in online magazines and blogs, one would gather that there is a consensus that prevention is not working. In the case of Advanced Persistent Threats, the consensus seems to be that when a breach has occurred the best course of action would be to monitor the infiltrators to learn how they came in and what they are after. Even though the vulnerabilities may change, the attack methodology will still remain the same.

  6. November 19, 2012 at 1:18 AM

    I would argue both ‘methods’ of security are just as important as one another and should be recognised as such when it comes to funding.
