Tuning the Tone at the Top: Is Your Board “on Board” with Data Security and Privacy?

With cyber attacks and data breaches routinely making media headlines, conventional wisdom suggests companies would be making IT security and data privacy a top priority.

But the results of Protiviti’s 2014 IT Security and Privacy Survey indicate many organizations still have done little to safeguard against such potential crises. And worse, they are ill-prepared to mitigate them if they should strike.

Perhaps most glaring – and difficult to explain – is the lack of corporate initiative with regard to written information security policies (WISPs) and data encryption policies. More than one-third of survey respondents said they do not have a WISP in place, and 41 percent lacked a data encryption policy.

Such findings are startling, considering that 46 of 50 states have data privacy laws that impose significant penalties on organizations that expose confidential data. Every privacy-related law holds accountable the company in possession of private data if that information is breached. Just as important, nearly all of these laws allow for leniency if the targeted organization has a WISP and data encryption policy. There is no way to sugarcoat it. With the opportunity to minimize legal liability, it is imperative for companies to adopt these policies.

Beyond highlighting such deficiencies, our survey provides insights into key factors that help organizations establish and maintain a robust IT security and privacy profile. Conducted in the second quarter of this year, the survey incorporates responses from more than 340 CIOs, chief information security officers, and other IT executives and management-level professionals.

The common denominator among entities with strong cybersecurity profiles is an engaged board of directors that is cognizant of security and privacy issues. According to our survey, 78 percent of organizations with boards demonstrating a high or medium level of engagement and understanding of security risks had all “core” information security policies in place. It is important to note that involvement doesn’t mean boards must be aware of every security practice detail. However, boards that set a strong “tone at the top” will drive their organizations to plan and implement more robust cybersecurity measures.

Our survey’s findings repeatedly show striking differences in security performance between companies with strong board engagement in information security and those without it.

For example, with data volume growing almost exponentially, it is paramount for companies to stratify their data based on importance and apply appropriate retention and destruction dates to each type, according to regulatory and legal requirements or industry standards. Here again, there is a clear divide between companies with regard to this pressing challenge: 87 percent of companies with boards that are highly engaged in information security have a clear data classification policy, compared with 64 percent for those lacking board engagement.

Likewise, although all companies can fall victim to hackers, it is interesting that those with a board that is more engaged in information security likely will recover more quickly after an attack: 77 percent of these companies have a formal and documented crisis response plan that would be executed in such an event. By comparison, only 47 percent of companies without high board engagement in information security are similarly prepared.

The obvious question is, why is high board engagement in information security such a differentiator? In our experience, operational teams in these organizations are compelled to tackle IT security issues earnestly as a result of oversight and direct questions from board members. Furthermore, they likely are producing meaningful metrics and communicating effectively with the board, which in turn may authorize management to make greater investments in security measures.

The clear takeaway here is that a board that is highly engaged in information security often leads to a security-conscious environment that fosters a true understanding of an organization’s capabilities – and, just as importantly, its limitations.


Thinking M&A or Divestiture? We’ve Got Answers in Our M&A FAQ

by Jim Ryan
Managing Director – Leader, Protiviti’s Mergers & Acquisitions practice


We recently published our M&A FAQ Guide and the timing could not be better. M&A activity, including carve-outs and divestitures, is on the rise around the globe as organizations sharpen their strategic focus. Yet, as noted repeatedly in articles in Forbes and the New York Times, among other media, the majority of companies fail to realize the desired value of their transactions. Why? Simply put, organizational responses are not comprehensively designed to match the complexity of an integration or separation.

Our M&A Guide offers considerations that may better prepare your organization. Mergers and acquisitions tend to be corporate-wide initiatives that, by their very nature, are sprung on employees with little analysis of people, process and technology interdependencies. Additionally, planning is rushed, runways for execution are shortened and key personnel become overcommitted. Our guide can accelerate your M&A activities by providing insights for many of the key challenges that organizations must solve to meet expectations.

For a glimpse at the guidance we offer, consider five questions to ask about your M&A activity:

  1. What is a typical deliverable of the due diligence team?
  2. Have we sufficiently defined the scope and change control process?
  3. How do we structure the team without detracting from daily business demands?
  4. What are the unique issues facing Finance, IT, Marketing and Sales?
  5. What are the key risks?

To make a merger or divestiture succeed, you must align the growth strategy with your corporate strategy; identify the right markets and targets; define and execute thorough, fast due diligence; prepare a detailed plan by phases; and follow up with well-resourced execution.

While nothing replaces focused thought and aggressive action, the information in our guide can help sharpen your focus while reducing risk, improving your chances of realizing desired value – and maybe get a little sleep.

Just-Released Insights on IT Security and Privacy – Board Engagement, Cyber Threats and More

I am pleased to announce that Protiviti released the results of its 2014 IT Security and Privacy Survey today. Our report contains some highly noteworthy findings that we’ll be discussing in greater detail in future entries. For now, let me share the key highlights with you:

  1. Board engagement is a key differentiator in the strength of IT security profiles.
  2. There remains a surprising lack of key “core” information security policies.
  3. Organizations lack high confidence in their ability to prevent a cyberattack or data breach (which isn’t a surprise given previous entries we’ve posted on this blog!).
  4. Not all data is equal: Companies can’t protect everything – designating a subset of their data deemed most critical will help with their data security measures, yet many aren’t doing this.
  5. Many are still unprepared for a crisis.

Visit www.protiviti.com/ITSecuritySurvey for more information and to obtain a complimentary copy of our report.

Mobile Health Apps

Pretty much everyone I know – and I’ll bet everyone you know – uses a mobile device of some kind. In fact, more than 130 million people in the United States own smartphones, and almost half have slept with a phone next to the bed (hopefully they don’t put it under their pillow!). It’s also estimated that half have used them to obtain health-related information, and that about 20 percent have installed a health-related app (so-called mHealth, a term used for the practice of medicine and public health with the help of mobile devices). In fact, I’ve read reports that five years from now, 100 million people will be using mHealth and various mobile fitness apps. And we’re not just talking about applications for industrialized nations; the mHealth field has emerged in recent years largely as an application for developing countries, where mobile phone penetration is increasing rapidly. In developed and developing countries alike, mHealth is rapidly becoming a means of providing greater access to larger segments of the population, as well as improving the capacity of their health systems to provide quality care. Thus, mHealth is a big deal.

Protiviti’s recent white paper, “mHealth: How Mobile Apps Can Help Health Plans Improve Consumer Engagement and Facilitate Behavior Change,” takes a close look at the mHealth space and identifies multiple opportunities for health plans to use mobile app technology. Our research confirms that member engagement via mobile telephony can improve member satisfaction, loyalty and retention. It also can be a key strategic weapon against rising medical and administrative costs and reform uncertainty, and can facilitate interaction with health exchanges and accountable care organizations.

I’d like to make a couple of additional points about mHealth apps:

  • The federal government is already deeply invested in mHealth and patient engagement. The Department of Health and Human Services set up a Text4Health task force to provide mHealth recommendations directly to the secretary. It also established a SmokefreeTXT program for smoking cessation, and TXT4Tots, a text messaging library with evidence-based information on nutrition and exercise.
  • In the private sector, Aetna, Humana, Florida Blue and Kaiser Permanente are among several high-profile examples of health plans maximizing mHealth apps.
  • mHealth vendors are already serving payers that need engaging mobile content for users – but those vendors too often rely on communications written by clinical staff in clinical terminology. Sensei Health stands out here; it uses writers with diverse backgrounds – including comedians, in some cases – to compose several versions of a standard message, then tracks users’ response rates to each and sends future communications in the most popular style.

I note all this to give you an idea of the potential of mHealth apps for better member engagement. But organizations have to put some effort into it. To be successful, mHealth programs must get personalized information into members’ hands when their members want it – and not use mobile apps only to reduce administrative costs. They’ll need a comprehensive mHealth strategy in order to do this right. Companies don’t want to do it poorly and alienate the members they’re trying to engage.

Ask the senior management in your organization:

  • How can our plan maximize mHealth to optimize member engagement and facilitate behavior change?
  • How can we provide a secure environment for the exchange of sensitive personal information?
  • How can we integrate mHealth information into existing workflows?

The Protiviti white paper on mHealth apps provides details on key issues like patient privacy and data security. I encourage you to check it out.


Cloud Data Security – The Risks Are Real But Don’t Fear

by Cal Slemp
Managing Director and Leader of Protiviti’s Security Program, Strategy & Policy Practice

I’m concerned that recent articles might be giving the wrong impression about the risks that accompany data storage in the cloud. When I see headlines like “Cloud Security Concerns are Overblown, Experts Say,” I worry that companies may see “overblown” and perceive “non-existent.” Such stories are part of the news cycle. For example, the same question was posed in this Forbes article back in 2012, and was followed shortly thereafter by a number of very-high-profile retail and financial data security breaches.

Wherever there is risk, there are bound to be stories questioning whether the perception of risk is exaggerated. And while it is true that a few data security breaches do not an untrustworthy cloud make, it is also true that there’s no such thing as risk-free data storage. Offsite, and thus “out of sight,” should not equal “out of mind.”

Risk is risk. It doesn’t matter if you keep your data in-house or in the cloud; your responsibilities for data security remain the same. You can’t afford to leave anything to chance because you remain responsible for customer data loss – even if the data was lost by a third-party vendor. All the customer cares about is you and the trust he or she placed in your brand. And while you may have a financial recourse in the event of third-party data loss, the reputational damage will all be on you. That is the business reality.

In a Flash Report Protiviti published earlier this year, we summarized the federal government’s NIST Cybersecurity Framework and how it can help organizations get a handle on securing their information. I feel it’s a helpful document for companies that haven’t spent much time and effort on information security; for those that have, it’s consistent with the efforts we’ve seen in our work in the security and privacy space.

Remember that whichever framework or approach you select, mitigating cybersecurity risk introduces new investment costs that need to be considered by management, and that insufficient data security mitigation plans can cause revenue and customer loss and severe reputation damage that can be detrimental to your bottom line.

The cloud’s vulnerabilities affect your vendor risk management efforts as well. My colleague, Rocco Grillo, noted recently that a company “can have all the security in the world inside its four walls, but all it takes is a compromise at one third-party vendor that’s connected to it. That creates a bridge directly into the organization.” And as our colleague Brad Keller from the Shared Assessments Program states, if you’re relying on a third party, “you can’t just shut the door and say it’s someone else’s problem. You can outsource the function, but not the risk. In effect, you ultimately own the risk.” That’s why Protiviti and the Shared Assessments Program developed the first comprehensive Vendor Risk Management Maturity Model. This model sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program’s maturity against development goals. It’s worth taking a look to see how well your company stacks up.

Are cloud data security fears overblown? Maybe. Ripples on a pond do tend to grow as they travel outward from the source. But overblown does not mean minimal or nonexistent. The risks are real, and organizations need a solid vendor risk management policy and procedure in place to ensure that those risks are adequately considered and addressed.

IT Transformation: Five Strategies to Manage Change

Boardrooms are abuzz over big data; mobile applications are the order of the day; the first wave of enterprise resource planning systems is due for an upgrade. Without a doubt, information technology (IT) is in the crosshairs of change. Seems like it’s always been that way!

The pressure is on for IT departments to design, source and implement new systems incorporating all the latest bells and whistles. I offer the results of Protiviti’s 2014 IT Priorities Survey, which I have mentioned here previously, as proof of the scope of the drivers for change.

In leaping forward, however, organizations tend to embrace the future at the expense of the status quo. This can be a costly and crippling mistake when dealing with mission-critical systems. Service and performance continuity is as important to change management as change itself. In making change happen, it is essential to ensure that everything already in place runs smoothly while you build and implement the new technology. Also, it is important to achieve acceptable returns on prior IT investments. There has to be appropriate balance when embracing change.

For many companies, IT transformation can mean deploying heavily customized software; “re-architecting” existing networks; establishing interconnectivity with new business partners; adopting specialized technology; and investing further in web and mobile capabilities. So what are the best ways to manage an IT transformation? Here are five strategies and approaches that we have found work best:

  1. Understand – and communicate! – your priorities. This means introducing them with the assistance of relevant functional leaders across the enterprise. Paint a picture of what you have now, what you hope to have after the transformation, and what needs to be done to maintain the technological status quo during the change.
  2. Prepare a prioritized task list, in consultation with the organization’s executive management and business owners.
  3. Make sure you understand which core activities cannot fail during the transformation and develop appropriate timelines to address them.
  4. Organize your IT transformation projects according to your priority list.
  5. Make sure you have the right skills and people in place to get the job done.

Companies know too well how difficult it is to maintain current systems as new systems are being developed and put in place. Indeed, “IT infrastructure change management” and “operating system change management” both ranked very high as critical priorities in our survey. Planning and managing the technical infrastructure are key elements to the success and resilience of the business.

Here are some questions to ask prior to initiating an IT change:

  • Which systems are in immediate need of upgrading and which ones can wait?
  • Which are the mission-critical systems that need to be maintained during the change?
  • How will you maintain IT security during the change?
  • How and when will your IT policies be updated?
  • Do you have the resources to accomplish the transformation efficiently, effectively and with minimal disruption?

The breathtaking pace of technological change greatly complicates IT management processes, and the need for new technologies will continue to command the attention of CIOs and IT leaders. While you can’t stop progress, maintaining current systems and operations to ensure a smooth transition can spell the difference between IT that supports and moves the enterprise forward, or periodically disrupts it.


Sarbanes-Oxley Compliance: Time to Pull Your SOX Up

I was surprised – and a bit concerned – at the results of a recent Protiviti study that looked at planned implementation of the revised COSO framework.

In our 2014 Sarbanes-Oxley Compliance Survey, we asked companies how far along they were in transitioning to the updated framework. A surprising number said they hadn’t made much progress. I’m hoping it was a timing issue. The framework was released in May 2013; we conducted the survey in early 2014, which may have been too early in the transition process to provide an accurate gauge as to where companies really are.

That said, the numbers are interesting, and we’re continuing to track this issue as 2014 progresses. I believe that companies should understand the level of effort required to implement the new control framework. Our experience is that for some companies, there may be a significant amount of work required to complete the transition. For others, the effort is not as much – particularly if their existing risks and controls documentation is up to date.

The COSO Board has stated that users should transition to the updated framework as soon as it is feasible given their particular circumstances. COSO will continue to make available the original 1992 framework through December 15, 2014; after this date, it will consider the framework superseded. This suggests that calendar-year companies must transition to the updated framework no later than calendar year 2014, while companies reporting on a non-calendar-year schedule would be expected to complete their transition at their first year-end following December 15, 2014. That said, there are unmistakable signs in the marketplace that some companies are not planning to meet this timetable for purposes of complying with Sarbanes-Oxley Section 404.

This is not a surprise. COSO is not a regulator, and therefore it cannot mandate actions by issuers. However, as time goes on, it will be difficult for an issuer to take the position that the superseded 1992 version of the COSO framework qualifies under the SEC’s criteria as a “suitable framework” for purposes of complying with Section 404 of Sarbanes-Oxley. The SEC has elected not to rule on this matter as it has far bigger irons in the fire, but SEC staff has said it will watch developments on this front closely and monitor the transition for issuers continuing to use the 1992 framework, to evaluate whether any further action is appropriate at some point in the future.

We encourage companies to complete the transition in accordance with COSO’s guidance. For those companies choosing to defer the transition, we encourage them to consult with legal counsel and with their accounting firm, and to review their decision and supporting rationale with the audit committee. In addition, we recommend that they be prepared for a comment letter from the SEC. While we don’t think the SEC staff will issue a comment letter for 2014 calendar-year companies (but who really knows?), the risk clearly increases with the passage of time. If the company receives advice from the external auditor that it can delay the transition until next year, management should ask the auditor whether the audit staff will use the principles and points of focus provided by the new 2013 framework in auditing the effectiveness of ICFR for audit clients electing to continue using the 1992 framework.

With respect to the level of effort, the most significant change in the new framework is the explicit articulation of 17 principles representing the fundamental concepts associated with each of the five components of internal control. Given the stakes, I’d expect most organizations to have already responded with a project-management-type approach to the transition, designating roles, responsibilities and authorities to proceed with the transition plan to the new structure provided by the updated framework.

My colleague Brian Christensen, the global leader in Protiviti’s Internal Audit and Financial Advisory practice, recently said that “a surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls. The survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”

I hope your organization isn’t one of them. If it is, there’s guidance available. Protiviti has published extensive guidance on the new framework, what it means and how to start implementing it. Especially valuable is the Third Edition of Protiviti’s “Frequently Asked Questions” document. We also have hosted a series of webinars on the new framework, recordings of which are available here.

Implementing the new COSO framework could represent a major undertaking for the issuer community accessing the U.S. capital markets; I hope your enterprise is well on its way as the end of 2014 is on the horizon. And whether you are or not, let us know how you are handling or planning the transition.