The Hidden Costs of Ineffective Cybersecurity and Compliance Functions

November 7, 2020 • Jacob Nix

Now, more than ever, the need for a well-defined and effective Cybersecurity and Compliance function is imperative. As new risks emerge, management needs to balance the operational cost of executing internal controls against the potential cost of ineffective controls. Is your Cybersecurity and Compliance function, or second line of defense, effective and equipped to address these growing concerns?

While it can be straightforward to calculate the cost of hiring consultants, hiring staff, implementing processes and tools, and conducting audits, the bigger cost can be in not doing so. This cost can materialize as data loss, failed execution of business operations, reputation damage, loss of clients and financial penalties. As of January 2020, banking institutions have incurred $36bn in fines since the 2008 financial crisis. The Department of Health and Human Services has continued to increase the fines for breaches of HIPAA. The minimum penalty for a violation due to willful neglect that is corrected within 30 days of when the covered entity or business associate knew (or should have known) of it has increased to $11,904, and the calendar-year cap for all violations of an identical provision has increased to $1.7M.

Beyond the continued expansion of requirements and penalties for organizations directly covered by regulations, those entities are increasingly requiring their downstream business partners to sign Business Associate Agreements and be held to the same higher standards. Even where a Business Associate Agreement does not directly subject a partner to the standards, covered entities are now requiring contractual provisions, insurance and audits to ensure their interests are not put at risk by their partners. Because of these trends, a strong compliance posture is shifting from wise, to a strategic differentiator, to table stakes. This is true for Federal Standards, Data Privacy, and Third-Party Reporting and Compliance.

Before discussing the characteristics of an ineffective Cybersecurity and Compliance function, let’s first define the objective and role of said function. According to an Institute of Internal Auditors article titled Guidelines for the Compliance Function, “the compliance function should, nevertheless, contribute to helping line management develop and implement an effective system of internal control in order to manage the risk of violating external and internal laws and regulations (compliance risk).”

So how does an organization measure and/or determine whether its Cybersecurity and Compliance function is ineffective? By definition, any part of an organization that does not meet its measurable goals and objectives is a candidate for being deemed ineffective. Specifically, for Cybersecurity and Compliance, this could mean not appropriately identifying, detecting, and/or monitoring risks that could adversely impact, or have adversely impacted, the organization's stakeholders (internal or external). Below are examples of common characteristics of an ineffective Cybersecurity and Compliance function, along with potential remediation activities for each.

Common Characteristics of an Ineffective IT Compliance Function and the Solutions for Each

  1. A lack of executive and senior management support and commitment combined with poorly defined goals and strategic objectives.

    • Gain an understanding of the factors and influences causing the lack of support.

    • Identify an executive sponsor that will champion Cybersecurity and Compliance at the C-Suite level throughout the organization.

    • Clearly articulate how the Cybersecurity and Compliance function can help the organization achieve its strategic goals.

    • Develop and communicate the purpose, scope, goals and objectives of the Cybersecurity and Compliance function, which should align to both the organization’s broader strategic goals and the specific IT Leadership goals.

  2. Gaps in technical skills (e.g. technology, auditing), experience, and institutional knowledge (including business processes).

    • Identify the requirements and needs of the function and perform a skill set analysis to identify gaps.

    • Restructure the function to better align with the strategic direction of the group.

    • Provide initial training, and require ongoing training, for all staff within the function.

    • Develop a cross-functional rotation program with other business units/areas within the organization.

  3. Insufficient or undefined policies, processes, and procedures, leaving nothing in place that actively facilitates strong governance and risk management.

    • Evaluate the existing policies, processes, and procedures against an applicable governance framework to identify preliminary gaps and inadequacies, and make changes as necessary to standardize.

    • Engage and consult with other functions within the IT organization (e.g. IT Security, IT Operations) or outside it (e.g. Internal Audit, Enterprise Risk Management, Legal) to reduce redundancy.

  4. An increased number of audit findings resulting from control gaps and/or control design failures, or recurring IT audit findings year over year.

    • Perform a root-cause analysis to determine the underlying issue behind each finding.

    • Develop realistic and achievable short-term and, if necessary, long-term action plans to address the root cause.

    • Establish a joint committee with representation from Management, IT Compliance, and Internal Audit to actively monitor remediation efforts.

Addressing and remediating some or all of these common shortfalls can be complex and costly, especially if your IT Compliance function exhibits all of these characteristics or if you’re building a function from the ground up.

Please note that this is not meant to be an all-inclusive list. Furthermore, the potential remediation activities do not guarantee that the respective characteristics will be successfully resolved. A thorough examination of the organization's structure, strategic goals, needs, and culture should be performed by experienced professionals prior to implementing any organizational changes.