After 20 years, the internal control framework that is a cornerstone of Sarbanes-Oxley was recently updated by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to put an emphasis on controls around technology. Think of COSO as something akin to the high priests of accounting. Technology is embedded in everything people and businesses do, so the update motivates Boards, Chief Financial Officers, Chief Information Officers, General Counsels and Enterprise Risk Managers, as well as external auditors, to reassess the associated risks and opportunities, and to raise the bar on technology controls.

Pervasive data breaches are evidence of weak technology controls and can affect how data assets get reported on the balance sheet under goodwill and intangible assets. Data breaches can compromise an organization's brand and reputation, impairing goodwill. Data assets can be deleted, stolen, or held hostage, among other transgressions by internal and external bad actors. If these data asset value reductions go unaddressed on the balance sheet, the CEO and CFO who sign the SOX Section 404 certificate can face criminal liability.

Having studied the state of IT housekeeping at Fortune 500 companies, it is clear that there is significant room for improvement virtually everywhere. Notwithstanding long-standing frameworks that are well known in the IT industry such as NIST and COBIT, most companies have become vulnerable to weak security relating to both internal and external threats. The control of data as an asset is in need of special attention. The COSO framework update should be an important catalyst for improvement. Security controls traditionally have been the exclusive purview of IT, and many groups within an enterprise have a stake in the topic, but conditions today demand CFO intervention. 

It’s 10 PM. Do You Know Where Your Data Are?

Cybersecurity issues plaguing companies and feeding headlines almost every week are largely attributable to weak controls over data. Of all the ones and zeros (i.e. data) coursing through and beyond most companies, the percentage that a typical Chief Information Officer could locate on reasonably short notice is unacceptably low. Compared to data assets, furniture gets tracked at most companies with more rigor. Data tend to exist in silos within the lines of business and in functional support groups like Finance or Human Resources. If management doesn’t know where the data are located, how could they ever hope to offer the necessary protection, or derive the maximum value from them?

Cybersecurity is now a Board level concern, usually addressed within Audit or Risk Committees. However, ownership of data within the management ranks still is unclear at most companies. It is understandable that a CFO would prefer to point the finger toward that person in the chilly room with the raised white floor when a security breach sends everyone scrambling. Some CFOs feel that by outsourcing their IT to a third party, they have transferred all responsibility for data security. Others seek to transfer risk with cyber-insurance without taking advantage of ways to further lower their systemic risk through better data controls. CFOs need to step up and recognize their fiduciary duty to treat data as one of their company’s most important assets, and sponsor initiatives to protect and monetize them.

The Cloud Changes Everything

When technology purchases involved licensed software and physical hardware, CFOs had visibility because these transactions typically required big, upfront payments. The major shift to software-as-a-service applications (SaaS apps) (e.g. and Microsoft Office 365) and infrastructure hosted in the cloud (e.g. Amazon Web Services and Microsoft Azure) has made it difficult for the CFO to get visibility over their company's use of technology. What used to be centrally controlled, major capital expenses have become smaller operating expenses, dispersed within the lines of business. As a result, most CFOs are challenged to say with certainty just what they are even spending on technology.

A large, fast growing, and remarkably under-addressed cybersecurity attack surface has been created by employee use of these cloud-based services. Most companies have almost no visibility over employee use of the cloud, compromising their control over these data assets. Compounding the problem is the ‘shadow IT’ phenomenon, where employees procure and use apps without seeking the approval of an authority figure such as corporate IT. If that weren’t bad enough, the growing use of mobile devices, including employee-owned devices, creates a porous medium at the periphery of an enterprise that increases vulnerability. There is software that enables companies to discover, analyze and control the use of cloud services, but at the moment we are only in the early stages of adoption.

Companies put most of their security emphasis on the strength of their firewall and the potency of their anti-virus software. They seek to secure the network's perimeter; to keep bad things out. Yet, the cloud demands that data course through the perimeter regularly, and it is largely unencrypted. Companies will never reach appropriate levels of data security until they address cloud-related vulnerabilities.

How do you see companies adjusting to the new COSO internal control framework's emphasis on technology? What is your company doing to raise the bar on IT housekeeping and reduce cybersecurity risks?