We’ve all seen the advertisements for the latest and greatest home security systems. Yet despite all of their bells and whistles and the good they may do, security systems are useless if we forget to set the alarm. The technology and the person using it must work together to achieve the best results. In much the same way, governance and automation can be complementary, but they are not substitutes for each other. In some cases, automation may be used to force process steps and monitor actions, but a company cannot automate its way to compliance. Even the most sophisticated automated processes usually contain at least one interface with the factor that is typically of greatest risk: the human being. Governance is a tool to help bridge the gap.
Take cybersecurity, for example. The Center for Internet Security’s Critical Security Controls calls for a defense-in-depth model to help prevent and detect malware. The intent is to use multiple tools, each specializing in a different protection such as access control, intrusion prevention/detection, malware identification, and vulnerability scanning. These products are “layered,” with each tool inspecting some aspect of the traffic, usually with the ability to block or send alerts on questionable activity. Only if a message passes through all appropriate gates can it be delivered to its intended destination. This is no inexpensive proposition. A company’s spending on cybersecurity may reach tens of millions of dollars.
And despite automated defenses, proactive technology tools, and the money, time, and resources invested, organizations remain at risk. Phishing, where a party with harmful intentions uses methods such as enticing emails to get recipients to click a link, is a prime example. The link may lead to a page that harvests the user’s login credentials, or it may load malware onto the user’s machine that then spreads through the network. The intruder now has the same access as the victim and will seek to escalate privileges from there. All it takes is one person clicking one malicious link in one email to compromise the system.
Governance can be effective in bolstering the line of defense. A sound policy, employee education, and monitoring for enforcement are all critical facets of such a program. Internal auditors should be looking for governance in all the right places.
The auditor should determine whether the organization has defined the level of risk it is willing to assume and whether there is a current risk profile. By identifying risks, mitigation activities in place, and residual risks, the organization can determine its current position. The auditor can then compare the risk appetite to the risk profile. Where the residual risk is too high, the organization can brainstorm alternatives and assess the cost/benefit of each. Results are likely to identify high-risk areas where automation alone cannot bridge the gap or is too costly to implement.
For those actionable items, ensuring good governance may be the best option. Access control is one example. When an employee or contractor is terminated, particularly for cause, access to systems and facilities must be removed immediately. While the deactivation itself can be automated, the automation is only as good as the record that triggers it: someone in human resources or management must register the termination promptly, or the automated step never fires. Having a policy that assigns responsibility for this function is best practice.
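As an added illustration (not part of the original article, and not any vendor’s or organization’s own tooling), the following Python check shows the kind of reconciliation an auditor can run against exported HR and identity-directory data to verify that the leaver policy is actually being carried out, rather than trusting that the automation fired. The records, field names (employee_id, enabled, disabled_at) and the 24-hour SLA are constructed assumptions for the example; an organization would substitute its own exports and its own policy thresholds.

```python
"""Leaver reconciliation: compare HR terminations with directory accounts.

Added example for illustration only; the data below is constructed and the
schema (employee_id, enabled, disabled_at, ...) is an assumption, not any
real HR system's or directory's format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Employee:
    employee_id: str
    terminated_at: Optional[datetime] = None  # None while still employed
    for_cause: bool = False


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]  # None when the directory records no owner
    enabled: bool
    disabled_at: Optional[datetime] = None


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str  # "critical" > "high" > "medium"
    reason: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def reconcile(employees: List[Employee], accounts: List[Account],
              now: datetime, sla: timedelta = timedelta(hours=24)) -> List[Finding]:
    """Return one Finding per account that violates the (assumed) leaver policy:
    - terminated owner, account still enabled: critical if for cause, else high
    - terminated owner, disabled later than `sla` after termination: medium
      (high if for cause); the control worked, but too slowly
    - disabled with no timestamp: medium, because the SLA cannot be verified
    - enabled account whose owner is unknown to HR: high (orphan account)
    """
    hr: Dict[str, Employee] = {e.employee_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        emp = hr.get(acct.owner_id) if acct.owner_id else None
        if emp is None:
            # Nobody in HR data is accountable for this access.
            if acct.enabled:
                findings.append(Finding(acct.username, "high",
                                        "enabled account with no HR owner"))
            continue
        if emp.terminated_at is None:
            continue  # current employee; nothing to check here
        if acct.enabled:
            hours = (now - emp.terminated_at) / timedelta(hours=1)
            sev = "critical" if emp.for_cause else "high"
            tag = " (for cause)" if emp.for_cause else ""
            findings.append(Finding(acct.username, sev,
                                    f"still enabled {hours:.0f}h after termination{tag}"))
        elif acct.disabled_at is None:
            findings.append(Finding(acct.username, "medium",
                                    "disabled, but no timestamp to verify SLA"))
        elif acct.disabled_at - emp.terminated_at > sla:
            hours = (acct.disabled_at - emp.terminated_at) / timedelta(hours=1)
            sev = "high" if emp.for_cause else "medium"
            findings.append(Finding(acct.username, sev,
                                    f"deactivated {hours:.0f}h after termination, "
                                    f"SLA {sla / timedelta(hours=1):.0f}h"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.username))
    return findings


def run_sample() -> List[Finding]:
    """Constructed HR and directory exports, evaluated as of 2024-03-15 09:00 UTC."""
    now = datetime(2024, 3, 15, 9, 0, tzinfo=UTC)
    employees = [
        Employee("E100"),                                                   # current
        Employee("E200", datetime(2024, 3, 14, 17, 0, tzinfo=UTC), True),   # for cause
        Employee("E300", datetime(2024, 3, 10, 12, 0, tzinfo=UTC)),
        Employee("E400", datetime(2024, 3, 13, 8, 0, tzinfo=UTC)),
    ]
    accounts = [
        Account("alice", "E100", True),
        Account("bob", "E200", True),                                        # missed leaver
        Account("bob-admin", "E200", False, datetime(2024, 3, 14, 17, 30, tzinfo=UTC)),
        Account("carol", "E300", False, datetime(2024, 3, 12, 12, 0, tzinfo=UTC)),  # 48h late
        Account("dave", "E400", False, datetime(2024, 3, 13, 10, 0, tzinfo=UTC)),   # within SLA
        Account("svc-backup", None, True),                                   # no owner
        Account("erin", "E999", True),                                       # owner unknown to HR
    ]
    return reconcile(employees, accounts, now)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity.upper():8} {f.username:12} {f.reason}")
```

The output is an audit evidence list, not an enforcement action: each line names an account, a severity, and the reason the policy was not met, which is what the auditor needs to take back to HR and the system owners. Running the same check on a schedule turns a one-off review into the monitoring the article calls for.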
There must be widespread awareness and understanding of the policy and a sense of urgency and ownership in carrying it out. As the termination procedure may not be a frequent occurrence, reminders to all managers and inclusion in manager on-board training are necessary. Also, it’s imperative that human resources have this process top of mind.
A robust awareness program also contributes to driving behaviors. Executive behavior is key, and employees must know what is expected of them. Repeated education can be effective, as many need reminders. Auditors may recommend computer-based training, lunch-and-learn sessions, posters, gamification, and other methods to improve retention and reinforce desired behavior.
Finally, there is a need to monitor for desired behavior. While many factors can be monitored electronically, governance still plays a role. The auditor can determine whether there are policies for monitoring employee behavior. Has there been a discussion with the legal department regarding an employee’s expectation of privacy? If employees should not have an expectation of privacy regarding company property, computerized activity on company networks, etc., have they been notified? The auditor may want to recommend a login banner on the company’s systems stating that notice.
Just like installing a home security system and remembering to use it, governance and automated controls should be complementary. Auditors can help companies see how a balance is needed. Desired behavior must be governed from the top, embraced by management, and exercised by all.