Risk management and cyber security (part one)
In many economic sectors and in many companies, risk management is not taken into consideration at all. How much attention it receives varies widely not only with the type and size of the company but also with management's perception of the danger. If you discuss risk management with company management, many CEOs will answer that actions have been taken to mitigate risk, such as investment in personnel, training, the development of processes and procedures, or the hiring of an independent third-party consultant. Few will answer that they have collaborated with companies of similar size or with industrial groups. Rarely will they answer that a series of practical actions, simulations, and exercises has been discussed. Some may think that this task is the professional duty of the auditors. That is a mistake: in many companies the audit process is focused only on pragmatic actions and projects to detect material errors. But where do cyber frauds fit in? Unfortunately, you only detect them when you suffer the damage. Not before? Computer fraudsters are proficient. With the traditional tools of corporate review (for example, auditor block sampling), it is not possible to detect fraud on time. Moreover, an ordinary audit process can fall into the trap of false red flags. Today, reputational damage related to data privacy violations is a very worrying threat. Computer problems are omnipresent and increasingly invasive in the auditor's work. Company management continues to lag in protecting itself from cyber risk compared with other risks considered more important (for example, the risk of non-compliance). A first step could be to make an initial survey of the facts and perform a basic computer security review, with the support of a computer scientist, in order to:
1. Identify the most important resources of the organization that need protection,
2. Test the controls against probable internal threats,
3. Evaluate processes and structures so that they are designed to protect against accidental or inadvertent disclosure of company information.
The next step would be to improve the IT and computer skills of the staff and take measures to fill any existing gaps. We are living in a global market with dynamic geopolitical environments, changing economic conditions, and disruptive technology. The CEO of an ordinary company should understand that this requires alignment and collaboration among all internal business functions, with a wider and more active role in identifying, assessing, and monitoring the issues that are precursors of future emerging risks. I wonder how many companies have formally assigned responsibility for cyber security at board and management level. Is the board of directors receiving regular updates and reports regarding the cyber security risk strategy? Does the board hold regular meetings on the evolution of the cyber security threat environment, and how does the IT security risk management program adapt? How does the board actively monitor its investments in new technologies and IT security solutions?
Published on LinkedIn