common and concerning risks in it

Post on 17-Jul-2015

119 views

Category:

Business


3 download

TRANSCRIPT

IT Risk: My Lessons

Common Takeaways from Discovery Meetings

© Paul Hugenberg III, CPA, CISA, CISSP, CRISC

[email protected]

linkedin.com/in/paulhugenberg

Lessons about IT Risk >

Background

• Nearly 75 interviews, 70% of those from NE Ohio

• 3 months of research, testing work processes and researching information asset attributes.

• Primary purpose was to understand approaches to risk, and understand how organizations of all sizes and industry protect from breach risks.

• Secondary objective was to gain an insight into gaps in risk management, real gaps, without pressure of sales, audit, or board reporting.

• How were risk assessments approached, in what formats, and how were they utilized in daily operations?

• Were frameworks applied, or only basic data classification routines?

Paul Hugenberg III,CPA, CISA, CISSP, CRISC

Lessons about IT Risk >

Everyone is Struggling

• 100% felt educating the board is difficult and was not improving. Almost universally, interviewees did not feel comfortable that non-IT directors understood IT risks.

• 2/3 of respondents believed that 2-3 performance benchmarks are critical to present IT and IT Security in a similar fashion as other executives. Benchmarks would be most valuable when aligned with overall business strategies.

• About ½ felt that their existing management reports were sufficient and informative for IT professionals, but did not initiate insight or opinion from oversight committees.


Lessons about IT Risk >

Everyone is Struggling

• 100%: Collaboration, ubiquitous devices, and open communication expand risk faster than controls and budgets can handle. The risk of hindering business “needs” outweighs the risk of breach or loss. Often the person accepting the risk is accepting a risk [that if monetized] is over their authority.

• ¾ of IT Risk professionals felt uncertain as to the accuracy of risk assessment reporting; concerned with completeness.

• Monetizing risks is seen as critical to gain a seat at the table and adequately communicate risks. 100% of respondents indicated they were not comfortable applying hard economic values to IT Risks.


Lessons about IT Risk >

Internal Disconnect

• If we began contact with the CEO or CFO, “we’ve got it covered, our network is secured” was a consistent response, nearly universally.

• From the CIO or IT Manager at a non-regulated or small business: “we are doing a pretty good job, we address the highest concerns, we aren’t a target anyway”.

• Once we spoke to an IT Auditor or IT Risk associate: “I am very concerned that we aren’t addressing our largest vulnerabilities”.

• Information System Risk Assessments, Disaster Recovery Planning, Business Resumption Planning, and Audit Findings are likely stand-alone exercises.


Lessons about IT Risk >

Risk Assessments

• Nearly 85% felt the Risk Assessment was sufficient for compliance or audit, but of little value in operational activities.

• Slightly higher, 9/10 indicated the RA would not be useful after a breach, as they were not accurate enough to understand what actual data was on a device.

• ¾ of Risk Assessments did not address controls that would identify breaches if the target data was still available to normal operations.

• 100% of BYOD organizations were comfortable with personal backup applications such as iCloud as acceptable risks but only 1 in 4 had addressed the legal risks associated with ownership, privacy rights, or rights to search and seizure.


Lessons about IT Risk >

Effective Auditing

• Heads of IT want comprehensive and tough audits, but are fearful of repercussions from internal sources or from their external examiners.

• As a result, audits often fail to uncover significant risks or add value to the client, becoming compliance events.


Lessons about IT Risk >

Architecture

• Castle and Moat security remains the most prevalent IT Security architecture in SMBs, at about 90% of spend. It is only slightly lower (85%) in enterprise organizations.

• Nearly all interviewees acknowledged that intruders will look for admin credentials and then pivot internally, yet ½ did not believe those same intruders could exfiltrate information with those same credentials.

• 100% of organizations tested included the presence of cloud storage vendors, regardless of policy or device sensitivity.


Lessons about IT Risk >

Vendors’ Vendors

• 100% of companies interviewed had a “business case” exception to their approved Vendor Management Policy that involved a vendor holding regulated or business-sensitive data.

• 24 organizations had a significant vendor relationship to store backup data deemed “critical” in their recovery plan, with no contract or SLA with the backup vendor.

• 0% were comfortable that they understood exactly where the vendor was storing data, the partners their vendors may be sharing data with, or believed they could obtain that information quickly from the vendor. Particularly complex in legal verticals.


Lessons about IT Risk >

Old Consultants

• 100% of interviewed independent consultants maintained client data on their devices. In 14 instances, that was a personally owned device.

• In many instances, the consultants were contractors to the firm that owns the client engagement.


Lessons about IT Risk >

Data

• ½ of Non-IT Executives believed that boot-level encryption is sufficient control to secure data.

• The same executives concluded that virtualization of desktops has eliminated end-user risks related to data loss.

• All respondents with an IT Risk role felt the implementation of a data classification framework is critical to manage corporate information assets, but is too cumbersome to implement effectively.


Lessons about IT Risk >

Cyber-Related Insurance

• Requirements are all over the board, insurance policies are not comparable, and often the coverage is not adequate.

• Insurance companies are learning, but want your help.

• Companies are resistant to sharing pertinent information about their internal ecosystem, creating an unclear picture of risk and the inability to provide tailored and relevant coverage.

• The definition of a record is misunderstood between insurers and the insured.

• Hard costs after a breach are borne largely by the insurer, impacting the willingness of private organizations to address growing breach risks.

Lessons about IT Risk >

Thank You.

Questions?

Paul Hugenberg, III

[email protected]

330-651-7040