Point of View : How Good Is Your Company’s Cyber Security Protection?

Powerful Insight

Issues & Challenges

Should Executives Concern About Cyber Security?

As companies continue to rely on digital technology and digitized information to support their business, the need to protect information assets and IT systems has become more critical. Cyber Security has recently come into focus around the world as a way of describing the risks that companies face and the practice they can deploy to protect against such risks. Although IT security and information security has been around for more than 20 years, the recent change is that this risk is now perceived as a critical business risk but not only a technology risk. This risk has become recognized by boards and senior management as something that needs to be addressed and with urgency given the material impact.

According to an annual survey from North Carolina State University’s ERM Initiative and Protiviti, cyber threats and information security/privacy are two of the top of their list of concerns. In Protiviti 2016 Internal Audit Capabilities and Needs Survey Report, 73% of Internal Audit departments were evaluating cybersecurity risk as part of their annual Audit Plan but only 18% felt there was a high level of board engagement in cyber risk discussion. So whilst awareness has increased, more work is required to educate and engage the senior management in the Cyber Security topic. More importantly, how can senior management ensure adequate Cyber Security protection? What assessment can you do to understand the status of your companies’ Cyber Security?

Our Point of View

How Can I Know The Status of my Company’s Cyber Security Practice?

This is a million dollar question in cyber security - “what assessment can we do to fairly and adequately evaluate our current cyber security practice?” A question that almost all senior management and IT director/CIO of all types of current cyber security practice?” A question that almost all senior management and IT director/CIO of all types of companies dying to answer. We can divide cyber security assessment into three types – each with its own focus, ability to identify weaknesses in the current practice and difficulties to execute.

Is Cyber Security an IT Risk or a Business Risk ? Or Both ?

Often cyber security is seen as an IT risk and could be handled by IT Department alone. Without understanding the linkage between cyber security as an IT risk and business risk, companies could focus on the wrong cyber security threats. In different business contexts, each cyber security threats or sources might or might not cause significant financial, reputation and compliance issues. Hence treating cyber security as an IT risk and relying on bottom up assessment, companies might have the wrong prioritization of the cyber security risks. This will prevent the companies from focusing on the cyber security risks that are most critical to the companies.

By bringing together top down business risk assessments along with the bottom up approach, companies can establish a stronger business case for security change. The prioritization of cyber security risks needs to be tailored and customized according to the business needs/priorities and concerns rather than being driven purely by the technical assessment. The top down informs the bottom up about priorities and the bottom up informs the top down about likelihood of control failures.

Proven Delivery

How Protiviti Can Help

Security and Privacy Solution Suite

Security and Privacy solution is one of the key solution suites in Protiviti’s Technology Consulting practice. Our Security and Privacy services utilize experience, tools and methodologies to help our clients to assess the status of their current security and privacy practice and to strategize and implement the required improvement plan. Our professionals bring a blend of extensive product and system knowledge, technical expertise, and consulting experience. Most of our security and privacy professionals have multiple security and risk management related certifications. With the support of Protiviti’s global presence, we can draw on our global experts to develop and tailor our solution to suit our client’s situation and challenges.