Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Cybersecurity Is So Yesterday


Somewhere around 2009, when the “Great Recession” had reached its nadir, the most-high muckety-mucks that oversaw global internal audit operations for our parent company determined it was an excellent time to complete a focused risk assessment. Properly executed, a focused risk assessment can be a very good thing. However, this particular focused risk assessment was focused on the potential impacts of (wait for it) a recession. More than a year after the recession had started, they felt it was important to work through the various operations and functions within the organization and determine the risks and potential impacts that could occur as part of a recession.

I am not making this up.

It seemed to us to be a little like closing the barn door after the horse had left the stable, the stable had burned down, and the farm had been repossessed. (In fact, we suggested a better risk worth pursuing was determining if the organization was prepared for the turnaround that had to occur at some point. But deaf ears prevailed.) The mandate had come down that it be completed. So, we added it to the ever-growing list of projects completed for no earthly reason and completed the work that was required. I have no idea how (or if) the information was ever used.

I believe audit departments are currently facing a somewhat similar situation related to cybersecurity. That is not to say that cybersecurity is no longer a significant risk, nor that an evaluation of cybersecurity is not an important part of any risk exercise. But I am afraid that we have become so enamored, enchanted, and enraptured by the siren call of cybersecurity that we are forgetting there are new risks coming over the horizon that may well blindside our organizations and our profession.

In hockey, there is a phenomenon called “getting caught puck watching.” (And, yes, I’m from Arizona. And, yes, it is a desert. And, yes, there are a large number of us desert rats that are rabid hockey fans. The toughest part is trying to remember to wear a coat to the rink when it is 90 degrees outside.) “Puck watching” occurs when the team on the offense is storming the net. Everyone on defense is so focused on ensuring the puck does not enter the net (the current threat/risk) that they lose sight of another player from the offense (the new threat/risk) coming in on open ice. The puck is passed back to the new attacker who shoots a one-timer and buries the puck in the net.

Cybersecurity represents a likely opportunity for us to be caught puck watching. Yes, we have to be aware of cybersecurity risks and help defend against them. But we also have to be ready for that other player — that new risk — that is sneaking in while we are distracted.

What types of risks? Well, I am not the best at prognostication (I once predicted that the internet was a fad and would never catch on … oops), but let me throw out a couple of risks I think may be coming down the pike — areas that may or may not be the next big risks, but could blindside us if we keep focusing on the risks we already know about.

The first one, interestingly, is related to the story I told at the top. What steps is your organization taking to be prepared for the next economic downturn? Now, I only ever learned enough economics and finance to get me through the classes that got me my accounting degree (and don’t even ask about grade point averages), but I do know that, no matter who is in power, there is a cycle to these things. And I also know we are starting to see indications of a slowdown. Ignoring those risks is why so many organizations took so many baths back in the Great Recession. And, while I do not believe the next downturn will be as significant, the organization that is not prepared — the organization that is not considering and taking precautions against such an eventuality — will find their outcome to be just as detrimental as those experienced by long-lost organizations from the late 2000s.

The second issue is climate change. Let me start by saying that the world is not flat, man landed on the moon, and climate change is real. I am not here to argue that point. There can be some debate as to true cause, but change is happening. Yet, I have seen next to nothing regarding the way organizations will handle the risks associated with this potentially cataclysmic event.

It is going to be a big deal. Even here in the States, where for the last couple of years many in charge have cast stones at anyone who would suggest climate change is real, the government’s own U.S. Global Change Research Program released an assessment of the impacts and risks related to climate change. And it had a lot of nasty warnings. (I won’t go into all the details; you can read that report here.)

From a risk perspective, it is unconscionable for anyone whose responsibilities include risk assessment and management to ignore the potential impacts of climate change on their organizations. Even if you don’t “believe in” climate change (and I’m not going to go into a debate regarding those who say they don’t “believe in” scientific facts), there is enough smoke associated with this particular fire to make it almost mandatory for anyone in risk management to become involved.

And, related to the climate change issue, someone charged with assessing and managing risk should also be looking into what the organization is doing, in a broader context, about climate change. Reputation and brand risk continue to be at the forefront of any executive's watch list. And, as the potential impacts of climate change become reality, all stakeholders will begin asking what the organization was and is doing. For the organization that sits back and does nothing in this arena, there may be consequences.

Cybersecurity is a big risk. But we have spent so much time responding to that gardyloo that we may have quit looking toward the future. Boards want us to look at cybersecurity. Executives want us to look at cybersecurity. Stakeholders want us to look at cybersecurity. And part of our job is keeping up on that issue.

But part of our job is also helping them see where the next attack might come from.
