Companies tend to narrowly focus on IT risks that are limited to personally identifiable information and the related systems that protect such information.
But that is only a part of the discussion that should be happening in the boardroom, according to a report by PwC.
“Beyond the interrelationship of IT risks with strategy and operations, a holistic approach to the reporting of cybermetrics can result in a comprehensive view of the IT risk universe, providing more valuable and effective information to directors,” the global consulting firm said.
Stakeholders nowadays expect directors to have broader IT oversight, and the economic crisis has sharpened the focus on the information disclosed by companies and, in particular, the role of the audit committee. That makes this committee the portal through which all IT security relevant to protecting a company’s most valued digital assets should flow.
Audit committees are best positioned to provide documentation and clear evidence of governance and accountability; effective risk assessment processes; security programs based on an assessment against a recognized framework; and the monitoring of the progress of the security program and compliance with internal controls—all of which serve to protect the company’s “IT-security owner” and the board from the scrutiny of regulators and plaintiffs.
Whether as the chief information security officer, CIO, COO, CFO or chief risk officer, the person responsible for IT security should have this role documented in his/her job description and an appropriate role as part of the company’s leadership team.
And companies should give consideration to whether other individuals, particularly at the business-unit level, need to have a similar role that supports the IT-risk owner, PwC said.
Communication channels then need to be set up between directors, the IT-security owner and management, a task that can be driven by the audit committee.
The global consulting firm’s 2015 Annual Corporate Directors Survey found 65 percent of boards are communicating with the company’s CIO at least twice a year. But only 21 percent of directors believe their companies’ IT strategy and risk approach is supported by sufficient understanding of IT at the board level, and many directors view IT specialists as too technical and lacking in effective communication skills, PwC said.
“It is common for directors to be frustrated with their interactions with management regarding cybermetrics and IT in general,” the report said.
Audit committees should push management for dialogue that:
Baseline information for directors can cover a variety of aspects of the company’s IT systems, including:
Dozens of additional metrics for consideration include those pertaining to systems infrastructure (e.g., level of unplanned downtime due to security incidents and IT outages), third parties (e.g., providers with access to the company’s crown jewels), mobile computing (e.g., number of authorized and unauthorized mobile devices accessing IT systems), big data (e.g., efficiency in converting raw data into usable information to improve operations), social media (e.g., percentage of employees trained on cyber policies and practices related to social media), cloud computing (e.g., cost of services compared to typical run rate of IT department), and international travel.
Again, the most relevant are those that relate to protecting the company’s most important digital assets.
With respect to these, the audit committee should: