Board-Level Cybersecurity Discussions Must Be Proactive, Have Substance, and Inspire Real Change

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader
Cybersecurity is a hot topic in most boardrooms today. Not a shocking revelation, certainly. But keep in mind that, in many organizations, it has taken a long time for this issue to even become an agenda item for the board. Among them are technology, media and communication companies, which should be helping to set the standard for cybersecurity best practices. Many of these companies are doing that, of course, but others still have a lot of work to do.

While it is good news that more boards of directors are talking about cybersecurity, there is a problem: These discussions are too often prompted by a headline-grabbing data breach or hack that has rattled the business or its peers in the industry. This reactionary approach needs to change if boards and executive management truly want their organizations to be prepared to weather a cyberattack or other disruptive cyber event, and its potential consequences.

Success in a digitized world hinges on effective cybersecurity

Taking a more proactive view toward cybersecurity will also help businesses to succeed in a digitized and hyperconnected Internet of Things (IoT) world. At the World Economic Forum’s annual summit in Davos, Switzerland, this year, cybersecurity experts discussed how this rapidly emerging world will help businesses to reach new heights of productivity — provided they build effective cybersecurity.

This future is not far off, which is why there is an urgent need for boards and executive management to change how they talk about cybersecurity. They need to focus less on worrying about the potential reputational or financial risks of a single embarrassing cyber incident, like a phishing campaign that targets the CEO, and focus more on helping the business define and develop an overarching set of activities that will help it create a stronger, more resilient security environment.

Board engagement as a cybersecurity success factor

For those boards that still view cybersecurity as primarily an “IT problem” — and they are still out there — Protiviti’s 2017 Security and Privacy Survey presents some findings that should help to change at least a few minds. The research found that organizations that are top performers in terms of adhering to security and privacy best practices have two critical success factors present:

  • Their boards of directors have a high level of engagement in, and an understanding of, information security risks that the organization faces.
  • They have a comprehensive set of information security policies in place, including acceptable use policies, data encryption policies, and social media policies.

One-third of businesses surveyed describe their boards as highly engaged with information security risks. This is a five-point increase from the 2016 survey. Protiviti’s survey report notes that this positive trend “reflects the fact that the [information security] issue is not merely about technology, but rather represents a top strategic risk” for today’s businesses.

Fostering more meaningful discussions

In addition to seeing security as just an IT problem, another reason many boards fail to have meaningful cybersecurity discussions is the sheer complexity and tremendous scope of the issue. Technology touches almost every aspect of the business, and cyberthreats that target systems and data are growing in sophistication. IT teams themselves struggle to understand the rapidly evolving cyber risk landscape.

Another problem: Boards are often provided information about cybersecurity risks that is far too technical. Cyber risks and recommended solutions for addressing them are not being described by technology leadership in business terms that the board can swiftly analyze and make decisions on.

In our 2017 Security and Privacy survey report, we recommend that technology leaders take care to clearly communicate relevant security matters to all stakeholder audiences. For boards, in particular, they should provide information in nontechnical terms to the extent possible, and prioritize discussion of issues based on the business risk that each issue poses to the organization.

By the same token, Protiviti’s security experts who authored the survey report advise boards to start “asking more, and more detailed, questions about organizational security efforts.” These questions, which should be posed to business, technology and internal audit leaders alike, should include:

  • Do we know how the company’s critical data is collected, stored and analyzed?
  • What framework or activities does the business have in place, or is it developing, to help protect our data and our intellectual property?
  • How is the success of those activities measured?
  • If the organization experiences a significant breach, what is the response plan?
  • How are employees trained on cybersecurity issues, how often and by whom?

These are just some examples of baseline questions that can help boards at technology, media and communication companies begin to have more productive and forward-looking conversations about cybersecurity with the business. More important, these questions will help to lay the groundwork for proactive discussions about emerging risks around digitization and the IoT — the next major technological challenges that technology, media and communication businesses must be fully prepared to face if they are to survive.

Focus on Healthcare: Top Priorities for Internal Auditors

By Susan Haseley, Managing Director
Internal Audit and Financial Advisory, Healthcare and Life Sciences Industry Leader
Fundamental changes in healthcare in the past few years, brought on by the Patient Protection and Affordable Care Act (Affordable Care Act, PPACA or ACA) as well as the massive shift to digital records, continue to rock the landscape in which healthcare organizations operate. For healthcare internal audit (IA) departments, the changes continue to bring specific new challenges, which must be balanced with other existing priorities – HIPAA, Meaningful Use, ICD-10, etc.

So how are chief audit executives (CAEs) and IA professionals performing this juggling act, and what priorities are they putting ahead of others? A joint survey from Protiviti and the Association of Healthcare Internal Auditors (AHIA), entitled Priorities for Internal Auditors in U.S. Healthcare Provider Organizations, attempts to answer these questions and more.

Below, we summarize the five key priority areas for healthcare IA functions this year, as identified by survey participants:

  1. Cybersecurity risks and practices – This is an area “under construction” for most healthcare IA departments. Respondents expressed low confidence in their current capabilities; however, a strong majority are evaluating these risks and working to improve practices.
  2. Regulatory compliance – CAEs and their teams are committed to strengthening their knowledge and expertise of new and emerging compliance requirements, especially those emerging from the ACA. Understanding health information and insurance exchanges ranks among the top priorities.
  3. Supporting, enabling and protecting the digital enterprise – While cybersecurity is a top priority for internal audit, it is far from being the only technology-related challenge. Two out of three healthcare organizations are working through a “major IT transformation,” according to healthcare respondents to Protiviti’s 2015 IT Priorities Survey. Among the top priorities for healthcare IA departments in the new digital enterprise are new data analysis and addressing IT risks, especially those related to social media and mobile applications.
  4. Addressing fraud risks – Recent and extensive fraudulent activities against government healthcare programs (Medicare), combined with the ever-present risk of employee fraud, are keeping fraud risks among the top priorities for healthcare internal auditors. Fraud risk assessment, fraud risk, fraud monitoring and fraud auditing make up four of the six top areas of focus.
  5. Multi-stakeholder collaboration – The complex nature of the healthcare industry requires the cooperation and collaboration of several different disciplines, including IT, risk management, operations and legal, among others. To effectively address multidimensional challenges, internal auditors must work with a number of different stakeholders, both internal and external to the organization. Healthcare internal auditors in our survey gave high priority to developing the interpersonal skills required to skillfully navigate these often contentious negotiations.

Overall, this year’s survey results suggest a broader awareness of and increasing commitment to the challenges of the rapidly changing healthcare industry. And, just as the ability to innovate and adapt will be key to the survival of healthcare organizations, so, too, must IA organizations adapt in order to audit at the speed of risk and add strategic value to their organizations.

Click here for more on our healthcare industry results. You can access Protiviti’s 2015 Internal Audit Capabilities and Needs Survey here.

Just Released: Protiviti’s 2015 IT Security and Privacy Survey

By Cal Slemp, Global Leader of Protiviti’s IT Security and Privacy Practice
Cybersecurity is top of mind from the boardroom and C-suite to IT, Legal, Finance and more. But does that translate to effective policies and actions? That’s the focus of Protiviti’s 2015 IT Security and Privacy Survey Report, published today.

The answers are mixed.

Our 2014 report identified notable gaps between top-performing companies and other organizations in terms of best practices in IT security and privacy; it also pointed to where these organizations needed to progress to bridge these gaps.

A year later, much progress has been made – yet many gaps remain.

Bright spots in our 2015 survey: Many organizations have changed with confidence to become what we classify as top performers. These organizations are characterized by high board-level engagement in information security, and strong security frameworks with specific information security policies.

Other insights from the survey:

  • “Tone at the top” is a critical differentiator. From strong board engagement to management-driven “best practice” policies, effective security begins at the top. A strong tone at the top is as important as any policy, because even the best policies are merely words on paper. It takes people to put those words into action, and people take their cues from company leadership.

Have you communicated to the people in your organization what you expect regarding information security and privacy? Are you setting a good example?

  • A strong security foundation must include the right policies. Organizations that have in place all “core” information security policies – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.

What are your policies? Do you know them? Do your employees?

  • Many companies lack critical policies and an understanding of their “crown jewels.” One in three companies lack policies for information security, data encryption and data classification. Most lack a strong understanding of their most sensitive data and information, as well as potential exposures. Such gaps open the organization to cyberattacks and significant security issues.

What are your informational “crown jewels”? How are you protecting them?

  • There isn’t a high level of confidence in the ability to prevent an internal or external cyberattack. While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they could prevent a targeted cyberattack, either from external hackers or insiders. This mindset is not necessarily a bad thing – in fact, it may be a healthy one if the perspective drives a focus on improvement. Many in the cybersecurity community would argue that cyber breaches are inevitable and that the best risk management strategy is to focus on rapid detection and on ensuring that valuable data is encrypted and unidentifiable, rendering it worthless to an unauthorized user.

Could your security protocols detect and contain a breach in progress, or are you still just patrolling the perimeter?

This is an interesting and timely survey report and one where the results are likely to change significantly from year to year as both the cyber threat and cybersecurity landscape evolve and become more aggressive and sophisticated. For a more detailed analysis, you can view and download the entire report here.

Tackling Healthcare’s Growing Cybersecurity Crisis Starts With a Proper Risk Assessment

By David Stanton, Director
Healthcare IT Security and Privacy
As electronic medical records continue to evolve into the de facto standard, healthcare organizations are reaping the cost reduction and business and economic benefits. These benefits are attributed to advanced storage methods, fluid application data sharing and real-time business-relevant analytics. But this progress has its downside, in the form of heightened attention from cyber criminals.

In 2014, healthcare organizations accounted for approximately 25 percent of all reported data breaches – the highest percentage of any industry sector. Even more cyber intrusions are expected in the coming years because of the growing demand for protected health information on the black market. Patient medical records – often exploited for medical identity theft, fraudulent insurance claims, expensive medical equipment and drug prescriptions – can be more valuable to cyber criminals than credit or debit card numbers, which can be cancelled and reissued easily. In 2013, complete health insurance credentials sold for US$20 apiece – approximately 20 times more than the value of a U.S. credit card number with a security code. (See the latest issue of PreView, Protiviti’s newsletter on emerging risks, for more on this troubling trend.)

In the face of this growing threat, what should healthcare leaders do right now? The first step toward protecting patient information is an effective risk assessment. A legitimate security framework, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, is a good benchmark against which to assess an organization’s cybersecurity capabilities. Though use of the framework is voluntary, we support its risk-based approach to managing cybersecurity risk.

A good portion of healthcare organizations can use improvement in the area of cybersecurity risk assessment. According to responses of healthcare leaders who participated in a Protiviti survey about cybersecurity risk and the audit process, only slightly more than half (53 percent) of respondents said they address cybersecurity as part of their audit plan, and nearly half of those acknowledged that internal audit does not evaluate the organization’s cybersecurity program against the NIST framework.

Why the inaction? One reason is perhaps a false sense of security. Healthcare organizations traditionally have placed a strong focus on HIPAA compliance, which covers risk assessment – though not necessarily information security issues. Though HIPAA does require completion of a risk assessment, it does not call for best-practice execution of security controls and adversarial resiliency. Yet organizations continue to treat the HIPAA standard as a comprehensive risk assessment – potentially leaving themselves exposed to cybersecurity risk.

The availability of cyber insurance also may be contributing to healthcare organizations’ less-than-stellar adoption of a cyber risk assessment and lack of expediency around implementing typical good security hygiene found in other industries (e.g., patch management, encryption, asset management, system hardening, monitoring controls, etc.). But times are changing: Insurance providers are being more prescriptive about what security controls, technologies and processes must be in place to show proper due diligence and can outright reject a claim if preventive measures aren’t implemented before the occurrence of the incident. Cyber insurance also does not compensate for the reputational black eye caused by consumers’ perception of negligence in protecting their information.

The bottom line is this: Healthcare organizations must act now to reduce their cyber risk exposure. Initiating proper risk discussions certainly doesn’t guarantee the avoidance of a breach, or eliminate the risks completely. But it does prepare the organization to conduct five critical functions: identify, protect, detect, respond and – in the case of an incident – recover. The framework and assistance for conducting these functions are available – it’s a matter of taking the first step.

Cybersecurity Capabilities: Jordan Reed Answers Questions from our Internal Audit Capabilities and Needs Survey Webinar in March

Jordan Reed, Managing Director
Internal Audit and Financial Advisory practice
More than 800 chief audit executives and audit professionals from around the world participated in Protiviti’s 2015 Internal Audit Capabilities and Needs Survey. Our subject-matter experts discussed the results in depth in a March 24th webinar, From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions.

We received so many questions from webinar attendees that we were unable to address them all within the allotted time. A number of those questions centered on cybersecurity. Jordan Reed, a managing director in Protiviti’s Houston office, answers those questions here:

Q: Do you typically see cybersecurity risks discussed with audit committees, or would that be better situated at the board risk committee?

A: I see both, although more frequently at the board level. Some companies have risk committees that focus specifically on areas like technology and other emerging risks, and cybersecurity certainly fits within that scope. Others provide education, current events and hot topics for the full board, and cybersecurity almost always finds its way onto that agenda. If the board delegates its risk oversight responsibility to the audit committee, then that committee may oversee the management of cyber threats. To the extent cybersecurity has been included in an internal audit risk assessment or internal audit, the topic and results would obviously be discussed with the audit committee versus the entire board. Additionally, any security breach that required a public disclosure would certainly be discussed with the audit committee. So you can see, there is no one-size-fits-all approach.

Q: Can you provide more information about The IIA’s GAIT framework?

A: The best answer to this would come from The Institute of Internal Auditors’ website:

“The IIA’s General Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.

The IIA classifies GAIT as recommended guidance under its international professional practices framework (IPPF). GAIT practice guides include:

  • The GAIT methodology: A risk-based approach to assessing the scope of IT general controls as part of management’s assessment of internal control required by Section 404 of the Sarbanes-Oxley Act.
  • GAIT for IT general control deficiency assessment: An approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies.
  • GAIT for business and IT risk: Guidance for helping identify the IT controls that are critical to achieving business goals and objectives.”

Q: Does increasing board engagement with cybersecurity require a more technically astute appointee, similar to members with finance backgrounds, so the severity of threats can be better understood?

A: We are seeing a lot of organizations starting to move in that direction. As you might expect, this has been especially true for organizations with a greater concentration of “crown jewels,” such as personally identifiable information — financial services, retail and healthcare companies, for example.

Q: Should cybersecurity be addressed within the organization’s audit charter?

A: Yes, it is already covered in most of the charters I see, in the “Responsibility” section of the Internal Audit Activity Charter. I typically do not see cybersecurity specified at that granular of a level, but it is covered within the overall responsibilities of the internal audit function.

Please see Protiviti’s 2015 Internal Audit Capabilities and Needs Survey Report for additional insights on cybersecurity and other topics.