So you are finally getting that face time with the higher-ups that you’ve been working so hard for (and hopefully not because you are responsible for an actual breach). Audit committees are increasingly asking that the information security officer or IT executive appear before them, whether on their own initiative or to comply with a regulatory requirement.
An opportunity for some – but for many another political challenge to deal with. Although you control the content of your planned presentation, those nagging and random questions coming from other committee attendees may derail your best efforts to impress everyone. I’ve identified some of my favorite questions (and potential responses) to help you get ready for the important meeting. Think of it as preparing as you would for a job interview.
Are we protected?
No looking at the CEO or CFO for help on this. Members are looking for clear assurances – yes or no – that the practices used by management shield the business from successful attacks (and lawsuits). Full assurance is impossible for several reasons: multiple threat scenarios, the ability of individuals to circumvent or ignore recommended practices, cost-benefit trade-offs, the sheer number of vulnerabilities, and the ever-changing technology landscape (not to mention ignorant or incompetent users).
Approach your response by discussing your adoption of one or more well-recognized security frameworks (e.g., Critical Security Controls, ISO, NIST, COBIT), how you monitor practices against the framework, and the risk assessment judgments you are making to get the “biggest bang for the buck” (you’re doing this, right?).
Why pay for security testing when we have the financial statement audit?
Surprisingly, not all audit committee members appreciate the limitations of a financial statement audit, and some assume that the external auditor reviews all controls, including those affecting technology. Some believe that the auditor’s consideration of IT controls extends to cybersecurity as well. You’ll want to be able to discuss how relevant organizations such as the SEC and AICPA continue to issue guidance relating financial reporting to cybersecurity – and that in most (but not all) situations cybersecurity is outside the scope of the financial statement audit. (Coincidentally, this is a good time to finally return that phone call from the external auditors and see how you can work together and look good at the meeting.)
Are we covered by insurance?
You breathe a sigh of relief as a question is finally directed to someone other than you – typically the finance person. However, although finance arranged for insurance coverage, they may have made assumptions that could put you and your organization in trouble. While it’s true that most organizations have some insurance and believe that they are covered, a review of underlying terms or unfortunately the actual processing of a claim may reveal otherwise.
Points to confirm include the adequacy of coverage, that the risks you believe are transferred through insurance are actually covered by the policy, and that the organization is complying with any frameworks required as part of the underwriting process (and “represented by the finance function” as being complied with). Claim processing should also follow the carrier’s requirements, including but not limited to timely notification of the carrier’s designated attorneys and computer forensic investigation team where required.
Are we ready in case the worst happens?
Members are focusing on how well management (that means you) is prepared to respond to and recover from a breach should it occur. From what used to be a one- or two-page response plan (tell your boss about the incident and then get your resume ready), incident response strategies have evolved to reflect the sophisticated planning needed to ensure the sustainability of business operations. In many ways these efforts are similar to the better-known business continuity plans. They should be tested regularly and documented to serve as due diligence evidence in case of litigation after a breach (subject, of course, to advice from legal counsel).
Are we asking the right questions?
Because of the technical complexities, members can find it difficult to ask appropriate cybersecurity-related governance questions. Some CPA firms have facilitated this discussion by publishing a list of cybersecurity questions that audit committee members should be asking, and many firms include this list as part of the quarterly audit committee deliverables. Lists of questions produced by neutral parties (e.g., the National Association of Corporate Directors) can also be used. You should review these questions before the meeting and come prepared to discuss how you’ve addressed the issues (and earn “brownie” points by providing a heat-map gap analysis).
By preparing for the above questions, IT and information security managers can take charge of the discussion and make a great impression on the audit committee.
This article is published as part of the IDG Contributor Network.