Who’s Assessing the Information Security Function?
Information security breaches have become a common daily news story. Some of the most notable breaches have come from Target, Home Depot, Sony, and the US Office of Personnel Management. These notable breaches involved the theft of PII (Personally Identifiable Information) and credit card data. In response to the breaches, boards have instructed their Information Technology (IT) departments to perform penetration assessments, buy various information security related software and monitoring tools, hire a CISO with information security analysts, or even expand the responsibilities of their already strained infrastructure teams. In many cases, these actions are taken without regard to a clearly defined strategy and approach to cyber risk.
Many organizations still view the IT function as a cost center instead of as a strategic enabler to the business. The result is an IT function that does not have the resources to properly understand how to approach information security effectively. In many cases, companies purchase multiple tools that may have overlapping functionality, or that may not be truly effective in meeting the requirements of the organization. In other cases, the organization may hire an MSSP (Managed Security Service Provider) who uses template-based software tools to identify potential risks that may or may not be applicable to your company’s technology environment. As a result, the MSSP may not be effective at covering the cyber security risks of your organization. In both cases, even though the organization may be spending a lot of money protecting its environment, it may not be adequately mitigating cyber security risk.
Given that cyber security related threats and issues take place within an organization’s technology environment, they are often seen as an IT problem rather than a business problem. Most organizations fail to realize that IT is an enabler for the business and that the business, not IT, owns the applications and data on those systems. As the data owner, the business should derive and communicate to IT its business requirements for how its data should be kept available, processed with integrity, and held confidentially. IT’s responsibility is to enable these functional requirements for the business. Often, due to poor communication, IT departments install many data security protection mechanisms that may or may not meet the requirements of the business and may not be effective at addressing cyber security risks.
Given that cyber security is a hot market buzzword, many infrastructure firms, temporary staffing firms, and software vendors are developing products, rebranding existing products, and selling inexperienced resources. In our experience, we have seen many unfortunate outcomes of this rise in “cyber security”, such as:
- Organizations spending millions of dollars on cyber security software, but not using it effectively, not having implemented it, or having no process for using it.
- Resumes of people who claim to be cyber security “experts” with very minimal experience.
- Major security breaches at companies who use an MSSP to monitor their environment, but don’t take ownership of the related residual risks of using an MSSP.
The result is that companies are spending millions of dollars on support fees and software they are not effectively using, and hiring resources who may not know how to build and run an effective information security risk program. So, the question becomes: “Are the board and executive management getting a false sense of security about information security?”
Many people feel that the answer to the question above is to perform a penetration assessment. A penetration assessment simulates the actions of an external or internal cyber-attack, focusing on identifying a weakness in an organization’s cyber defenses. Penetration assessments are generally scoped to focus on a particular attack vector or on meeting a specified goal. The general focus of a penetration assessment is to determine whether someone can break into the environment and, if so, what information they can steal. In a penetration assessment, all it takes is one security weakness to be identified, and the penetration assessment is complete.
Penetration assessments are very good at showing executives and board members that someone can hack into their environment. If your board is in denial about cyber security risks, this type of assessment is great at bringing the issue to light. However, penetration assessments are not good at risk identification or at truly gauging an organization’s exposure to cyber risks. They focus on a single attack vector and do not address cyber risk from a macro or enterprise perspective.
Another approach is to perform a vulnerability assessment. A vulnerability assessment is the process of identifying, quantifying, and prioritizing information security risk in an organization’s environment. The two main approaches to a vulnerability assessment are an issue-based approach and a risk-based approach. The difference between these two approaches can truly define how effective your organization is at addressing cyber risks.
In an issue-based approach to vulnerability assessments, the organization may focus on a specific technology or security process in the organization. It will then look for every possible vulnerability that could cause a cyber security related issue for the organization and attempt to fix each issue.
In a risk-based approach to vulnerability assessments, the potential risks of using the technology in the organization are first identified and prioritized. The organization then identifies vulnerabilities in the technology and maps them to the previously identified risks. The organization would then review and quantify the risks, understand the vulnerabilities, and analyze mitigating factors related to each risk in order to determine potential corrective actions. An issue-based approach may seem very efficient, as it can be completed quickly. However, a risk-based approach is much more effective in that it forces the organization to direct its human and capital resources at the risks that are most important to the business.
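To make the contrast between the two approaches concrete, the following Python model is added here as an illustration; it is not code from the original article. The risk register, the findings, their CVSS scores, the mapping of findings to business risks and the control-effectiveness figures are all constructed, and the scoring formula (likelihood times impact, reduced by the effectiveness of existing mitigating controls) is one common choice, not one the author prescribes. The issue-based ordering simply fixes findings by technical severity; the risk-based ordering ranks each finding by the worst residual business risk it exposes, so a medium-severity finding on the system holding customer PII outranks a critical finding on a low-value marketing site, and a finding that maps to no identified business risk drops to the bottom of the queue.

```python
"""Issue-based versus risk-based prioritisation of vulnerability findings.

Added example: every risk, finding and score below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A business risk identified and rated before any scanning starts."""
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    mitigation: float    # 0.0 (no controls) .. 1.0 (fully mitigated by existing controls)


@dataclass(frozen=True)
class Vulnerability:
    """A technical finding, mapped to the business risks it contributes to."""
    vuln_id: str
    cvss: float          # technical severity, 0.0 .. 10.0
    risks: tuple = ()    # names of Risk entries this finding exposes; may be empty


def inherent_risk(risk: Risk) -> float:
    """Risk before any mitigating control is taken into account."""
    return float(risk.likelihood * risk.impact)


def residual_risk(risk: Risk) -> float:
    """Inherent risk reduced by the effectiveness of existing mitigating controls."""
    return round(inherent_risk(risk) * (1.0 - risk.mitigation), 2)


def issue_based_order(vulns) -> list:
    """Issue-based approach: fix everything, worst technical severity first."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def risk_based_score(vuln: Vulnerability, risks: dict) -> float:
    """A finding is as important as the worst business risk it exposes.

    Findings that map to no identified risk score 0.0 and sink to the bottom.
    """
    return max((residual_risk(risks[n]) for n in vuln.risks if n in risks), default=0.0)


def risk_based_order(vulns, risks: dict) -> list:
    """Risk-based approach: rank by residual business risk; CVSS only breaks ties."""
    return [v.vuln_id
            for v in sorted(vulns, key=lambda v: (risk_based_score(v, risks), v.cvss), reverse=True)]


def corrective_actions(vulns, risks: dict, capacity: int) -> list:
    """Which findings get remediation effort when only `capacity` fixes can be funded."""
    return risk_based_order(vulns, risks)[:capacity]


# Constructed risk register (hypothetical organisation).
RISKS = {r.name: r for r in (
    Risk("Theft of customer PII from the order database", 5, 5, 0.20),
    Risk("Defacement of the public marketing site", 3, 2, 0.50),
    Risk("Outage of the internal wiki", 2, 2, 0.00),
)}

# Constructed scanner findings, already mapped to the register.
VULNS = (
    Vulnerability("V-1", 9.8, ("Defacement of the public marketing site",)),
    Vulnerability("V-2", 6.5, ("Theft of customer PII from the order database",)),
    Vulnerability("V-3", 7.5),   # critical-sounding, but tied to no identified business risk
    Vulnerability("V-4", 5.3, ("Theft of customer PII from the order database",
                               "Outage of the internal wiki")),
)

if __name__ == "__main__":
    print("issue-based order :", issue_based_order(VULNS))
    print("risk-based order  :", risk_based_order(VULNS, RISKS))
    print("funded this quarter (2 fixes):", corrective_actions(VULNS, RISKS, 2))
```

Running the script shows the two orderings diverge: the issue-based list starts with V-1 and V-3, while the risk-based list starts with V-2 and V-4, the two findings on the system that holds customer PII. The mitigation column is where the "analyze mitigating factors" step lands; raising it for a risk after a compensating control is deployed lowers its residual score and automatically reprioritises every finding mapped to it.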
Independent Internal Controls Assessment
A third solution is to have an independent internal controls assessment of the organization’s cyber security risk program. An internal controls assessment can be performed either by Internal Audit or by an independent, qualified and licensed firm. We warn organizations not to rely on unqualified external third party assessors to perform cyber risk internal controls assessments, as these assessors are not held to the same independence and ethics standards as a CPA firm or your own Internal Audit function. Additionally, if the IT organization pays for the third party assessment, or has done other business with the assessor in the past, the results of the assessment may not provide the intended independent assessment value to the board and audit committee. An independent internal controls assessment performed by a qualified and licensed firm can provide value by validating that:
- The information security function is performing in the manner required by the board and executive management.
- Information security resources, both human and capital, are being used effectively.
- Information security resources have the right skillsets to be performing the information security function.
- A strategy and approach are being followed based on a defined management tolerance for cyber security risk.
- The information security function is effective at protecting the organization’s most critical data.
- Information security incident response and recovery processes have been designed to handle cyber security threats effectively and in a timely manner.
IT is a strategic enabler to the business; however, cyber security risk must be addressed jointly by both IT and the business. All organizations have limited human and capital resources that they can use to address cyber risks. In order to address cyber security risks effectively and efficiently, organizations should seek the value provided by a combination of penetration, vulnerability, and independent internal controls assessments. Without performing the right mix of these assessments, executive management, boards, and audit committees cannot truly feel comfortable that cyber risks have been addressed effectively and efficiently in their organization.
Hein & Associates is a CPA firm providing IT internal controls assessments and cyber security expertise to many organizations. Hein’s cyber risk group performs IT internal controls assessments, cyber security risk assessments, SOC reporting, HIPAA, PCI, and many other types of IT compliance assessments for its clients.
September 25, 2015