Questions directors should ask about information security
Deloitte has another useful piece of guidance out as an Audit Committee Brief: The Promise and Perils of Information Technology.
But have they missed an essential element in taking a traditional approach? We’ll come to that after looking at some of the value in the Deloitte publication.
Some of the interesting points they make are:
- Attacks on IT infrastructure are no longer isolated occurrences. A study by the Ponemon Institute revealed that among 50 companies studied in 2011, there was on average more than one successful cyber attack per company per week, an increase of 44 percent from 2010.
- Audit committees can enhance their effectiveness by adopting a proactive and communicative approach to monitoring IT security. When audit committee members are familiar with and comfortable discussing technology risks and initiatives, they are more likely to ask the right questions and focus on the right issues when the unexpected occurs.
- All significant IT-related activities, projects, and risks should be evaluated in the context of the company’s overall strategy. It is important for audit committee members to have a strong understanding of the business value of IT, and the full range of its functions, from the practical to the innovative, should be considered. IT’s role is typically large enough to warrant a tailored strategic plan, which should be coordinated with the overall business strategy.
- Board members should maintain communication with the chief information officer (CIO) or equivalent IT leader and have regular meetings in which the CIO reports on important IT matters. The CIO can be leveraged as a technology resource in the same way the CFO is a primary financial-reporting resource.
- [Boards should] Require internal audit to evaluate cyber-threat risk management effectiveness as part of its quarterly reviews.
The authors suggest a number of questions directors can ask, and I think they all add value. I particularly like these:
- Does the audit committee receive sufficient information to discuss IT strategy intelligently and effectively?
- Is IT aligned with the business vision? Is IT strategy developed to both enable and shape business strategy?
- Does the audit committee understand how IT can help monitor risk? Do we know the most material risks associated with IT? Are the plans for monitoring, reporting, escalation, and testing sufficient to mitigate risks?
Now to the question of whether Deloitte’s guidance has missed a critical element.
A few months ago, I was struck by a comment that a respected information security practitioner wrote. He said that organizations were spending too much of their IT security budget protecting their systems, trying to keep attackers out! Why? He said that the attackers were becoming ever more sophisticated and their methods are ahead of those charged with defending information assets. This made a lot of sense to me. He advised that instead of spending all our funds on prevention, we should spend a lot more on detection. The odds of bad guys getting in is so high, we need to have reliable methods of detecting when they get in and acting to limit damage promptly.
Earlier this month, I read a piece about how national governments are now involved in attacking not only each other but businesses and other organizations in target countries. The level of sophistication in these cyber-warfare units is extreme. The key statistic that got my immediate attention was that at least 120 countries now have cyber-crime units attacking, possibly, our systems.
Add to that news that organized crime is making at least tens of billions of dollars accessing our systems and taking confidential data out – which they then use to steal from us and our customers.
So, I am persuaded that they most important question directors should be asking about information security is this:
How will you know when intruders gain access to our systems?
Then, directors should follow up with this:
How can you ensure that any damage is limited?
I welcome your comments.