Focus on Cyber Risk, Not Just Security

[Figure: InfoSec triangle]

Take a comprehensive and holistic approach that includes your business strategy.

By Donny C. Shimamoto

Cybersecurity is a huge buzzword right now. Businesses are worried about it, people are worried about it, and vendors are trying to sell you cyber protection solutions.


Attending a cybersecurity webinar or seminar is also not for the faint of heart. Even I, an IT specialist in the CPA profession, often leave those events scared to put any of my personal data anywhere online.

Yet in today's interconnected world, we don't really have a choice anymore. And that's why you need to pay attention to cyber risk management, not just cybersecurity.

What's the difference? Cybersecurity draws its roots from information security (InfoSec) and is primarily focused on the confidentiality, integrity and availability of data and systems. Confidentiality and privacy are what people usually worry about when they think about cyber risks: whether information they want to keep secret is protected from unauthorized disclosure or a data breach.

Ransomware attacks have also brought availability to top of mind: that systems, and the data in them, are usable when they need to be. Before that, the distributed denial of service (DDoS) attacks that took down many major websites, including Amazon and eBay, in February 2000 were the prime example of an availability threat.

And last, but not least, data integrity is focused on ensuring that data is not altered, destroyed or corrupted, whether by an attacker or by accident, that any such change can be detected, and that a trustworthy copy can be recovered if such an adverse event were to occur.

Because many of the threats and preventive measures in these areas are technology-based, cybersecurity tends to be focused primarily on technical/automated controls, with some attention to the accompanying administrative and monitoring controls.

Cyber risk management takes a much more comprehensive and holistic approach than cybersecurity. Drawing from the broader corporate governance and risk management disciplines, it asks a wider set of questions and requires a much broader skill set to perform effectively.

The diagram below shows the relationship between IT governance, IT risk management (used here interchangeably with cyber risk management) and the "IT department." We put the IT department in quotes, recognizing that in smaller organizations this is probably an IT service provider rather than a unit internal to the organization.

[Figure: diagram of IT functions]

As you can see from the diagram, IT governance and IT risk management actually sit outside the IT department. This is because, to be performed effectively, these functions require integration with the business strategy, compliance management and overall organizational operations. IT governance is a part of corporate governance and helps to ensure alignment of the IT strategy (which may include cybersecurity projects and information security infrastructure) with the overall business strategy.

IT risk management is driven by IT governance and compliance requirements, and it interacts with the IT department, ensuring that appropriate controls are built into new systems and that existing controls are operating effectively in the IT infrastructure. IT risk management is also a part of enterprise risk management (ERM), which looks at an organization's overall control environment and at how all of its elements interrelate to form good enterprise internal controls.

This also ties into an organization's risk appetite, or how much risk it is willing to accept in order to achieve its business objectives. Information security, by contrast, is often focused simply on minimizing risk. IT risk management also looks not just at technical/automated controls, but also at compensating controls and monitoring controls, and weighs all of these against the inherent risk and the impact of the possible negative outcomes should the risk materialize.

It is important to include considerations of business strategy and IT value (via IT governance) and of enterprise risk and compliance (via IT risk management), because the evaluation of these areas is often unique to each organization, and they are often drivers of competitive advantage. Part of the purpose of IT governance and IT risk management is to ensure that cybersecurity directives and initiatives are in accord with the organization's overall risk posture, desired return on investment and position in its industry.

Lastly, IT risk management also looks at the adequacy of incident response from both administrative and technical perspectives. This is particularly important for privacy breaches, in which much of the required response is driven by administrative processes (e.g., notifying affected parties, working with authorities and providing support for those affected) in addition to technical remediation.

The AICPA's recently published Cybersecurity Risk Management Framework affirms this by incorporating both terms into its name, and by stating that its purpose is to enable an organization to "communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs." Note that it doesn't say "to ensure the security of its systems and networks."

As you can see, it's important to ensure that you have a comprehensive cyber risk management function in place, and not just to focus on cybersecurity measures. Be sure that you are looking beyond your IT department and cybersecurity, and aligning your IT governance and IT risk management with your overall business strategy. The security and resilience of your systems and network are foundational to continued success, but it's really cyber risk management that balances cybersecurity against driving competitive advantage through innovation and embracing emerging technologies.