Role of the Board in IT Governance & Cyber Security - Steve Howse
TRANSCRIPT
I.T. Strategy, Risk Management & Governance
Steve Howse, C.Dir.
President, Millington & Associates Inc.
• Facilitator, Strategist, Communications & PR, I.T. Assessments & Risk Mitigation, Governance
• 16 years Corporate Leadership
Forum Chair, MacKay CEO Forums
• The CEO peer learning group partnered with Canada’s Best Managed Companies.
Adjunct Professor
• DeGroote School of Business, McMaster University
- Strategy, B2B Marketing, International Business
• Executive Education
- Sales Leadership, Strategic Planning, Crisis Management
• The Director’s College
- IT Strategy, Corporate Reputation Management
Professional Speaker
• Conferences, Corporate Events, Sales Rallies
Board Appointments
• Numerous For Profit and NFP Boards
What is IT Strategy & Governance?
• Assure IT assets are leveraged effectively
• Understand the risk & rewards, therefore making informed choices
• Understand IT capacity & capability and assess alignment with organizational goals and objectives
• Appropriate exposure and discussion at the board level
• Measurement and course correction
June 12, 2015
• Cyber attacks raid small firms too: City's NoMoreClipboard a victim
• Store your medical records in one place online, be able to update them from your own home when needed and, more importantly, be able to share them with a physician or other health care group before you get to a doctor’s office or emergency room.
• But what happened last month to the NoMoreClipboard network – as well as the network for the Fort Wayne medical software company behind it – is also the latest in a growing trend plaguing the health care industry as a whole:
• They were hacked.
• People’s names, addresses, dates of birth and Social Security numbers as well as other information were all vulnerable for nearly three weeks in May until officials with Medical Informatics Engineering – the parent company of NoMoreClipboard – discovered the hack.
Why is IT Governance Important?
• Target: Credit Card information
– Target spent $61 million through Feb. 1 responding to the breach, according to its fourth-quarter report to investors.
– Target’s profit for the holiday shopping period fell 46 percent
• Others in 2014: K-Mart, Home Depot, Dairy Queen & Goodwill
• Bell Mobility - Billing
• TJX (Winners / HomeSense): hacker stole client info including credit cards
Carol Meyrowitz, President and Chief Executive Officer of The TJX Companies, stated:
"From the inception of our Company, our customers have always come first. We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system."
• Estimated costs to TJX related to this settlement were reflected as part of the $107 million (after tax) reserve for estimated potential losses…
• Future non-cash charges of $21 million (after tax) anticipated to be taken in fiscal 2009.
May 8, 2013: Nearly 70% of Canadian businesses hit by cyber attacks, says year-long survey
• Over a one-year period, 69 per cent of Canadian businesses said they experienced some type of cyber attack
• Dubbed the Study of the Impact of Cyber Crime on Businesses in Canada, the survey followed 520 small, medium and large Canadian businesses over the course of one year and tracked how their bottom line was affected by cyber crime.
• "About a quarter (26 per cent) of those interviewed say that attacks had a considerable impact on their business both in terms of financial loss and reputational damage with financial fraud being the biggest threat," the report states.
Areas to Address
Strategic Issues
1. Strategy and Planning
2. Technology Trends
3. Performance
4. Personnel
Internal Control Issues
5. Governance
Risk Issues
6. Risk and Controls
7. Personal Information and Privacy
8. E-Business
9. Availability
10. Legal Issues
The Bart Study
• The questions are a good idea
• Those who use them have higher performance
• Some questions are over-asked
• Only 40ish percent use them
• Everyone uses them after a problem
Going to the Gym
• Everyone believes exercise is a good idea
• Exercise leads to physical and mental wellness
• Doing one exercise over and over will have little result
• Most people can’t find the time to go
• Everyone takes care of their health after a scare
Bring the 20 questions to meetings – process makes you SMART
Strategic Issues
I Strategy & Planning
1. Does management have:
– A plan that is monitored and updated
– Link to annual and long term budget
– Basis for project prioritization
II Technology Trends
2. Does management have:
– Procedures to investigate trends
– Assess them in efforts to better position the company
Strategic cont’d
III Performance
3. Does the IT department have
– Key Performance Indicators in place
– Monitored & benchmarked to industry standards
4. Is the same in place for 3rd Party Providers
– Annual report cards, penalty clauses
IV Personnel
5-6. Does management have processes to:
– Identify required skills
– Attract, develop and retain key personnel
Internal Control Issues
V Governance
7. Has the Board:
– Created an IT subcommittee (OR)
– Assigned 1 member responsible for investment in, processes & use of IT
8. Has Management:
– Assigned IT corp. governance to sufficient senior management
– Communicated IT policies to personnel
9. What compliance policies are in place
– SOX, CSA
Risk Issues
VI Risk & Controls
10. Does risk assessment occur for:
– Internal systems and processes
– Outsourced services & third party communications
– Any other services
– HOW ARE THE RESULTS ACTED UPON
11. How does management ensure data integrity in regard to:
– Relevance, completeness, accuracy & timeliness
– Appropriate use
12. How often are systems audited for
– Risk mitigation
– Controls in place for major business processes
Risk cont’d
VII Personal Information Privacy
13. An individual assigned to Privacy:
– Policy, legislation and compliance
14. Identify and comply with legislation in regard to protecting personal information
VIII E-Business
15. Review of risks and controls for E-Biz transactions
16. What protection (internal & external) is in place to protect against financial loss or embarrassment
Risk cont’d
IX Availability
17. What availability policies are in place for systems and data
18. Does the organization understand
– The impact of service interruptions
– The need for business continuance / disaster recovery
– If Business Continuance Plans (BCP) are tested and improved regularly
X Legal Issues
19. Has management considered and addressed:
– Software, hardware, service agreements & copyright laws
20. Have the above policies been disseminated to all personnel
Top Risks of 2014
• Overreliance on one security monitoring software
• Technology innovations that outpace security
• Outdated operating systems
• Lack of encryption
• Data on user-owned mobile devices
• Lack of management support
• Challenges recruiting and retaining qualified IT staff
• Segregation of duties
What can we do?
• The Millington Way – be vulnerable
– Be open about what you don’t understand
• Bring the 20 question books with you to board meetings
– Submit the 20 questions as an agenda item
– Assign to committee for a report/assessment based on the 20 questions
– Review the report by committee (audit/risk)
– Submit report to board for approval
– Add to Internal Audit reporting process
• Dedicate 1 Board member or form an IT Committee or a Risk Committee
– Qualifications: works for a Tech company; former CIO, Risk Expert, sits on other boards
• Ensure the CTO / CIO reports to the CEO and not the CFO
– Not a budget controlled area
– CEO needs a strong understanding
• Invite the CTO to joint strategy sessions
– Ask for a risk assessment of the strategic plan
• Benchmark the IT knowledge of the Board as it relates to the company
– As it relates to your industry
• Ensure Business Continuance plans are in place and tested regularly
– Including a Crisis Communications Plan
• Ensure Internal Audit measures IT
– Both internal and external systems
– Consider a Chief Risk Officer
• Complete an assessment of your vulnerabilities
– The board can hire a firm to attack the system