A summary of the common, surprising, and concerning lessons learned from our validation meetings during the start-up phase of our company.
The research is entirely subjective, but it reflects issues expressed consistently regardless of industry, size, complexity, or perceived maturity.
2. Lessons about IT Risk: Background
• Nearly 75 interviews, 70% of those from NE Ohio
• 3 months of research, testing work processes and researching information asset attributes.
• The primary purpose was to understand approaches to risk and how organizations of all sizes
and industries protect against breach risk.
• The secondary objective was to gain insight into gaps in risk management, real gaps, without the
pressure of sales, audit, or board reporting.
• How risk assessments were approached, in what formats, and how they were used in daily
operations.
• Whether frameworks or basic data classification routines were applied.
Paul Hugenberg III, CPA, CISA, CISSP, CRISC
3. Lessons about IT Risk: Everyone is Struggling
• 100% felt that educating the board is difficult and not improving. Almost
universally, interviewees were not confident that non-IT directors understood
IT risks.
• 2/3 of respondents believed that 2-3 performance benchmarks are critical to
presenting IT and IT security in the same fashion as other executives present their areas.
Benchmarks would be most valuable when aligned with overall business strategy.
• About ½ felt that their existing management reports were sufficient and informative
for IT professionals, but did not elicit insight or opinion from oversight
committees.
4. Lessons about IT Risk: Everyone is Struggling (continued)
• 100%: collaboration, ubiquitous devices, and open communication expand risk
faster than controls and budgets can handle. The risk of hindering business
“needs” outweighs the risk of breach or loss. Often the person accepting the risk is
accepting a risk [that, if monetized,] is beyond their authority.
• ¾ of IT risk professionals were uncertain about the accuracy of risk assessment
reporting and concerned about its completeness.
• Monetizing risk is seen as critical to gaining a seat at the table and adequately
communicating risks, yet 100% of respondents indicated they were not comfortable
applying hard economic values to IT risks.
5. Lessons about IT Risk: Internal Disconnect
• If we began contact with the CEO or CFO, “we’ve got it covered, our network is
secured” was the nearly universal response.
• From the CIO or IT manager at a nonregulated or small business: “we are doing a
pretty good job, we address the highest concerns, we aren’t a target anyway”.
• Once we spoke to the IT auditor or IT risk associate: “I am very concerned that we
aren’t addressing our largest vulnerabilities”.
• Information system risk assessments, disaster recovery planning, business
resumption planning, and audit findings are usually stand-alone exercises.
6. Lessons about IT Risk: Risk Assessments
• Nearly 85% felt the risk assessment was sufficient for compliance or audit, but
of little value in operational activities.
• Slightly higher, 9/10 indicated the RA would not be useful after a breach, as it
was not accurate enough to determine what data was actually on a device.
• ¾ of risk assessments did not address controls that would identify a breach in which
the target data remained available to normal operations (i.e., data copied rather than
destroyed, so nothing is visibly disrupted).
• 100% of BYOD organizations accepted personal backup applications such as iCloud
as an acceptable risk, but only 1 in 4 had addressed the legal risks associated
with ownership, privacy rights, or search and seizure.
7. Lessons about IT Risk: Effective Auditing
• Heads of IT want comprehensive, tough audits, but fear repercussions from
internal sources or from their external examiners.
• As a result, audits often fail to uncover significant risks or add value to the
client, becoming compliance events.
8. Lessons about IT Risk: Architecture
• Castle-and-moat security remains the most prevalent IT security
architecture in SMBs, at about 90% of spend. It is only slightly lower (85%)
in enterprise organizations.
• Nearly all interviewees acknowledged that intruders look for admin
credentials and then pivot internally, yet ½ did not believe those same
intruders could exfiltrate information with those same credentials.
• 100% of organizations tested had cloud storage vendors present,
regardless of policy or device sensitivity.
9. Lessons about IT Risk: Vendors’ Vendors
• 100% of companies interviewed had a “business case” exception to their
approved vendor management policy that involved a vendor holding regulated
or business-sensitive data.
• 24 organizations had a significant vendor relationship for storing backup data deemed
“critical” in their recovery plan, with no contract or SLA with the backup
vendor.
• 0% were comfortable that they understood exactly where the vendor stored
data or which partners the vendor might share data with, or believed they could
obtain that information quickly from the vendor. This is particularly complex in legal
verticals.
10. Lessons about IT Risk: Old Consultants
• 100% of interviewed independent consultants kept client data on
their own devices. In 14 instances, that was a personally owned device.
• In many instances, the consultants were contractors to the firm that owns
the client engagement.
11. Lessons about IT Risk: Data
• ½ of non-IT executives believed that boot-level (full-disk) encryption is a sufficient
control to secure data, although it protects data only at rest on a powered-off device,
not while the system is running and the volume is unlocked.
• The same executives concluded that desktop virtualization had eliminated
end-user risks related to data loss.
• All respondents in an IT risk role felt that implementing a data
classification framework is critical to managing corporate information assets,
but too cumbersome to implement effectively.
12. Lessons about IT Risk: Cyber-Related Insurance
• Requirements are all over the board, policies are not comparable, and
coverage is often not adequate.
• Insurance companies are learning, but they want your help.
• Companies are reluctant to share pertinent information about their internal
ecosystem, creating an unclear picture of risk and preventing insurers from offering tailored
and relevant coverage.
• The definition of a “record” is understood differently by insurers and the insured.
• Hard costs after a breach are borne largely by the insurer, which dampens the
willingness of private organizations to address growing breach risks.
13. Lessons about IT Risk: Thank You. Questions?
Paul Hugenberg, III
Paul.Hugenberg@infogpsnetworks.com
330-651-7040