The Climate for Change:
Navigating Information Technology Risk Over the Horizon
White Papers | September, 2014
Cyber theft and incidents of breached security have risen dramatically in scale and frequency, and very publicly. Companies – and their customers, partners and shareholders – recently victimized include US Steel, Alcoa, Target, Michael’s, SuperValu and Home Depot. Governments are also susceptible and just as frequently the attacks are linked to other governments. Cyber security and privacy are top of mind for the general public as well as business and government. Witness the ongoing, hotly debated and much publicized US National Security Agency’s domestic and international cyber and cell monitoring programs. It is clear that IT risk management not only warrants the increased and ongoing attention of law enforcement, but that it is an issue of increasing significance for boards as a crucial business matter to routinely review, assess and act upon.
Figure: 2014 Major Data Breach and Cybersecurity Breach Announcements
DHR recently conducted a survey of non-executive directors and CEOs from across the business spectrum about their focus on information technology risk management and various perspectives on it. The survey addressed such issues as intellectual property protection, integrity of safe operating capabilities, and privacy of customer and employee information. It became clear that, increasingly, the focus of boards and executive leadership teams was not how to prevent IT intrusions or breaches as part of the risk calculus but, more critically, how to monitor and evaluate those intrusions, trace their origin, prevent collateral damage and respond effectively.
Julian Waits, CEO of Threat Track Security, using the Target data breach as an example, articulated the concerns stated by many CEOs and board members in terms of risk approach. “When we have an intrusion how quickly do we identify it, quarantine it, trace it, and insure we limit exposure and risk in everything from operating processes to the mining of additional data?” he asks. “That has to be systemic as well as procedural given the speed at which we are operating. Target’s failure wasn’t in preventing the breach that occurred, it was in its slowness to respond, its failure to recognize the extent of the problem, and its inability to isolate and trace the intrusion properly. Ultimately that created a problem an order of magnitude larger than originally occurred.”
The reality is that any company is vulnerable. An organization’s response, and the timeframe in which it is played out, can create a greater risk issue and reputational challenge than the initial incident itself. And of equal relevance is the damage done to virtually every stakeholder of any breached company, organization or governmental entity. “The lifeblood of any organization is the people who work, strive and sweat for it,” says David Hickton, U.S. Attorney for the Western District of Pennsylvania. “When these cyber-intrusions occur, production slows, plants close, and workers get laid off and lose their homes.”
The Survey, Results and Key Insights
The survey included the following questions:
- Does your company’s governance charter and principles include discussion or mention of risk management and annual risk review?
- Does your company’s board of directors contain a specific risk management committee?
- Do you have a corporate officer assigned to lead risk evaluation and management efforts?
- Has your board reviewed your board of directors composition and succession plan in the past 12 months to consider expertise and oversight capability in the information technology discipline and cyber security areas?
- Is formal information technology risk evaluation conducted in evaluating key business decisions and potential strategic changes by the board of directors? If yes, how many attempted incursions were detected and successfully eliminated or mitigated in your report to the board?
- Have you reviewed/conducted a thorough IT, network and data security review at the board level in the past two quarters?
- Do you have an information technology breach communication plan in place and response plan for the market established to report significant issues in cyber-security?
- Have you had a third party audit or evaluation of your information technology systems and security plan conducted in the past 12 months?
- What do you see as the most significant information technology threat facing your company today?
- Where does information technology risk management fit as an overall business risk management priority for your organization in 2014?
Results were enlightening. For instance, fewer than half of the non-executive directors and CEOs surveyed reported that risk is mentioned as a specific issue in their corporate charters and governance documents, and a specific annual risk review is likewise absent from their governance guidelines. Without formalization of this requirement, it is easy to imagine discipline around risk review eroding as it competes with other agenda items such as regulatory compliance, business strategy, etc.
Seventy-eight percent of respondents listed IT risk management as one of their top three management issues, yet only 27 percent have a detailed risk mitigation and IT risk response plan in place that is reviewed annually by the board of directors or a specific board committee.
Whose job is it?
Ninety-one percent of participants indicated that the CFO or CAO has a detailed and specific responsibility to lead risk evaluation and management efforts in organizations that are not financial institutions. The role of Chief Risk Officer has become embedded within the cultures of the financial services and institutions sectors of the economy.
However responsibility is assigned in terms of leadership, the board as a whole must be held accountable for overseeing risk management and must be involved in the oversight process. The specific needs of any organization will vary, as will the structure and composition of their boards, but spreading various aspects of oversight responsibility among committees is a viable distribution tactic. Assigned responsibility for sharing progress, findings, insights and solutions with the board as a whole can drive home the tenet that risk oversight is important, significant and relevant to the board’s function and, even more importantly, to the organization as a whole.
Although responsibility may rest with a single committee or individual, risk oversight should become ingrained in the board’s culture as a priority in boardroom conversations and agendas. Risk-related roles and responsibilities need to be formally defined, understood and implemented.
Respondents were also asked to identify which of the following areas – or if any of them – were key concerns for the board specifically, and to the business broadly, in reviewing IT risk:
- Theft of customer data and liability.
- Disruption of essential shared services such as power and utilities.
- Disruption of core business processes.
- Financial theft and payment systems information.
- Identity theft and misrepresentation of the company in public domain.
Eighteen percent of respondents indicated that all of these areas were a significant concern facing the business in 2014, especially as IT capabilities are critical in virtually every aspect of their business, from customer payment processes to discrete manufacturing capabilities.
It may behoove those tasked with risk management to recall the military saying, “He who defends everything defends nothing.” And according to a recent report by the Institute of Risk Management, 80 percent of cyber-attacks would be defeated by basic security controls. A participant in a symposium organized by IRM noted that the most effective line of defense is to decide which parts of the business are the most crucial to protect, rather than attempting to protect everything at the same time. Organizations need to identify their data “crown jewels.” What data – customer or credit card data, intellectual property, knowledge – is most vital to their enterprise? Fully understanding its unique value, then building defenses or increased diligence around protection of those assets, may be the best way to effectively guard them.
“Industrial companies face many of the same challenges that consumer retail businesses face in cyber security and data management,” says Matt Espe, CEO and chair, Armstrong World Industries. “We expend significant effort in understanding threats and developing monitoring and mitigation strategies for our operating systems, utilities support and basic business operations to manage this risk area.”
As boards take up the issues of executive responsibility and board oversight, a point of view has developed in many constituencies that an information technology leader or functional expert may be a valuable board member. In fact, when combined with the data analytics and customer insight aspects of IT, a board member with these capabilities and general business leadership experience will become a necessity in most 21st Century board rooms.
Forty-one percent of non-executive directors and CEOs surveyed responded that their boards had factored in information technology expertise and cyber security oversight into their thinking regarding board succession in the past year.
A notable trend has been the elevation of risk management to an executive board-level position. According to a report by Accenture, the percentage of organizations with a CRO, with or without that title formally, rose from 78 percent in 2011 to 96 percent in 2013.
The reassignment of ownership of risk management shifted from the CFO to CROs and CEOs, from 46 percent in 2009 to over 70 percent in 2013.
A View From Outside
Boards and organizations face significant risk issues surrounding IT, and an outside audit perspective is relevant in terms of compliance to fiduciary responsibility. However, only 21 percent of survey participants had engaged a third party to formally audit or review IT risk and processes in the past year. Institutional memories of the 1990s include issues surrounding ISO certification and audits requiring third party validation. This is a recent historical antecedent, and there is clearly much work to be done in order to firmly establish this mindset regarding risk management.
“From both a management and board perspective the use of third party auditors to test and evaluate IT risk is becoming an essential risk and governance practice,” says Dave Weick, former CIO of McDonalds and current board director of TrustMark. “Everything from point of purchase information to sensitive employee and customer data is on the table and a potential liability. Understanding the gaps and breach plans is essential for almost any business today. External IT Risk audits are as essential as financial audits in today’s environment.”
Some of the respondent organizations do, in fact, make IT risk management an ongoing governance agenda item and are conducting formal reviews with third party assistance. Of those organizations:
- 35 percent reported that a thorough IT, network and data security review at the board level was conducted annually; 25 percent reported semi-annually and 40 percent in committee each quarter.
- 7 percent reported that there had been no attempted incursions detected, successfully eliminated or mitigated in reports to the board. Thirteen percent reported one to five attempts, 21 percent reported six to 10; 38 percent reported 11 to 25; and 21 percent reported more than 25 attempts.
These responses should give every board member pause. If a board is not engaged in a detailed discussion of evaluating IT risk and developing a risk management plan, then recovery efforts remain undefined and reactive and the future of the entire enterprise could very easily be at stake. But how does IT risk management overlay with board business review processes, and what resource strain does it create in the board room?
The 21st Century Board
The speed and scale of the transformations in IT, from cloud computing to digital media in branding and marketing campaigns, present a real challenge for the board room. In much the same way that financial reporting and environmental compliance provide useful oversight and guidance for management, ongoing education, board renewal, and a disciplined approach to information technology will soon be a mandate. While it is “one more thing” to be added to already overweighted agendas for most boards, IT capability and risk management cannot be ignored as a strategic governance issue.
As boards consider succession, renewal and future board members, additional weight must be given to capabilities and business acumen in the information technology sector. Some key considerations in evaluating future board members through this filter should include the following:
- Capabilities in both IT risk issues and IT positive skill sets, such as data analytics and digital media utilization.
- At core, is the candidate a business leader with strategic acumen or a functional IT expert?
- Experience in IT, in an IT business and/or IT leadership in a non-IT business.
- Additional governance and strategic director contributions that complement IT expertise.
Our study and other recent, similar overviews of IT risk management from a governance perspective have indicated that certain best practices are emerging. All boards would be advised to incorporate these into their overall thinking regarding the role of the board in this area. Those trends include:
- Ensure IT risk assessment is included in annual risk assessments/audits
- Consider the use of third party auditors in risk assessment and development of mitigation plans
- Evaluate management responsibility and preparedness for IT risk management
- Ensure a formal response plan and risk mitigation plan has been prepared
- Develop formal responsibilities and committee assignments for IT risk management
While IT risk management and governance demands on the non-executive director have never been greater, the first priority for the board is, as always, to optimize shareholder value, and this must remain so, especially when assessing risk. As board composition evolves, the need for technology capabilities in the board room is imperative, and such capabilities must be a part of a director’s skill set. While it is, for now, admittedly difficult to envision board composition with room for a stand-alone IT expert in organizations that are not specifically IT businesses, for the evolving 21st Century board IT risk management is a must-have. Incorporating that capability in the determination of succession should be accelerated and viewed as a key competence in reviewing the board’s overall capability and effectiveness. The challenges are evolving and they are presenting themselves almost daily. They must be met proactively, imaginatively and effectively. Today’s headlines reinforce the necessity, boards must recognize it, and stakeholders are increasingly demanding it.