Capital market stakeholders across the spectrum are as primed as ever to take action on an issue that affects us all: cybersecurity. Fifty percent of U.S. chief executives say they are “extremely concerned” about cyber threats, according to a recent survey. Boards of directors are engaged on the issue, while investors overwhelmingly perceive cybersecurity attacks as one the biggest risks to their portfolios. For policymakers at home and overseas, cybersecurity continues to climb the list of priorities.

This rising cyber-awareness is necessary and fitting, given the urgency of confronting cybersecurity threats and the astonishing aggregate cost of today’s cyber-attacks. Yet as momentum picks up, we must carefully consider our overall approach to cybersecurity risk management — there are several possible paths ahead. Moreover, cybersecurity is particularly challenging terrain, given its complex and shifting nature. Organizations face varying threats and actors, all in the context of relentless and rapid technological change.

Cindy Fornelli

Cindy Fornelli

So which path should we choose through this difficult landscape? What should be our model for addressing cybersecurity challenges? Here are three key points to consider.

First, the approach to cybersecurity risk management should be principles-based, setting the focus on an end-result and letting the private sector bring to bear its agility, energy, and innovation to achieve that result. For cybersecurity, one critical objective should be enabling companies to establish robust cybersecurity risk-management programs that are tailored to their particular situations, needs, risk appetite, and threats faced.

Yet accomplishing that objective becomes increasingly difficult if overly prescriptive regulations or standards force companies to meet a raft of requirements that align poorly with their businesses and risks. At that point, cybersecurity risk management devolves into a burdensome compliance exercise, one in which merely checking boxes becomes a resource-draining end in itself. That’s certainly a path we should avoid.

Second, a sound approach to cybersecurity should build on and leverage the good work that has already been done in this area. Several organizations have developed cybersecurity management frameworks — such as those put forward by the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST) — to help organizations manage cybersecurity risk.

Third, we need to incent positive action. Companies should be rewarded for making good faith efforts to protect against cybersecurity breaches, to detect cyber-threats, and to remediate in a timely manner following a breach.

While a broad-based consensus may not have formed around the three-point approach outlined above, there has been promising movement in that direction. Recently, the American Institute of CPAs (AICPA) unveiled an entity-level cybersecurity reporting framework through which organizations can communicate useful information about their cybersecurity risk management program to a broad range of stakeholders, including boards of directors, senior management, investors, and others.

The AICPA’s reporting framework has three key components: The first is management’s description of the entity’s cybersecurity risk management program, based on suitable criteria. The second is management’s assertion to the presentation of their description and to the effectiveness of controls implemented to achieve the entity’s cybersecurity objectives. Finally, the AICPA framework includes a CPA’s opinion on that description and the effectiveness of the controls to meet the entity’s cybersecurity objectives.

The AICPA’s reporting framework is principles-based and voluntary, and companies do not need to implement all three of its components at once. Rather than prescribing specific requirements, its description criteria set forth the types of policies and procedures that companies can adopt for cybersecurity risk management. With the aid of the criteria, companies can decide what works best for them.

What’s more, the AICPA framework leverages existing cybersecurity and risk management structures. It maps to commonly used cybersecurity risk management frameworks — such as NIST and ISO — and aligns to the 2013 COSO Internal Control – Integrated Framework so cybersecurity can be integrated with a company’s broader enterprise risk management efforts.

Finally, and no less important, the AIPCA approach incents companies to take action. While the framework cannot guarantee against cyber-attacks, it offers companies the benefit of an independent, objective opinion on their cybersecurity risk management. In addition to bolstering the company’s own confidence, that independent opinion can provide decision-useful information to other key constituencies, including directors and investors.

The AICPA’s cybersecurity risk reporting framework is a step toward harnessing the power of the private sector, making the most of existing resources, and increasing the confidence of investors and other stakeholders. It represents progress down a sound path forward for cybersecurity.

A former deputy director of investment management at the Securities and Exchange Commission and senior vice president at Bank of America, Cindy Fornelli has served as the executive director of the Center for Audit Quality, an organization affiliated with the AICPA, since its establishment in 2007.

, , , , ,

One response to “Choosing a Sound Path Forward for Cybersecurity”

  1. Privileged Account Security – The Giant Dirty Secret in most organizations cybersecurity.

    Why isn’t it being addressed? Lack of Courage.

    The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It’s the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).

    Of the small fraction of companies that even deal with this area only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will decades to finish. Often this is meant to purposefully deceive C-Suite and above. This puts everyone at risk.

    Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn’t the organization responsible for telling others what best practice is use best practices for its own security?

    Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.

    Why don’t these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don’t help much. This is because the relevant regulations, SOC, HiTrust etc are too trusting and don’t specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available of off the shelf products that can significantly reduce the threat.

    This is not a technical issue. It’s one of Courage. Courage to admit the root causes exist, To deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it’s cheaper to harm customers than the bottom line.

Leave a Reply

Your email address will not be published. Required fields are marked *