Page 18 - JUNE 2022

WHY IS CYBERSECURITY AN AFTERTHOUGHT?

By Andrew Kennedy

If cybersecurity is a business risk, why is it often treated differently from other areas such as operations, compliance, and finance? While a great deal of money is spent trying to iron out financial processes, attain regulatory compliance, streamline supply chains, and mitigate a variety of other risks, cybersecurity is often left out of the picture. Part of this growing problem may be that a surprising number of companies do not have a management-level role dedicated to information security.

In meeting with countless professionals across a variety of industries, I cannot say that I’m surprised to see that many organizations have delegated their cybersecurity responsibilities to an IT team. While it might make sense to give this business group control over cybersecurity, its employees may not have the necessary experience and almost certainly have their hands full with day-to-day operations and special projects. Putting the IT team in charge of this area is a surefire way of exposing your organization to unnecessary risks.

In comes the Chief Information Security Officer (CISO). This management-level role reports directly to the CEO and will ensure that the rest of the management team understands the risks to which the organization is exposed, how those risks can be mitigated, and the overall importance of a strong information security environment. A good CISO will be able to filter out any unnecessary jargon and relay this information to the rest of the management team in a straightforward manner, allowing the team to more accurately adhere to risk tolerances, establish budgets, and understand “buy-in” to proposed cybersecurity initiatives.

In addition to establishing lines of communication with the organization’s executives, a CISO should also work to build relationships with leaders of the business groups to align cybersecurity objectives across the company. This management-level involvement will help keep cybersecurity top-of-mind for these key stakeholders and allow the CISO to better understand the various processes across the organization and communicate identified risks to the rest of the management team. By maintaining these lines of communication and regularly following up on information security topics, this line of thinking will ripple down through the organization and start to create a culture of cybersecurity.

These relationships can then be leveraged to do things such as conduct a risk assessment, map the flow of data through the organization, assess compliance with regulatory requirements, and draft an incident response plan and business continuity plan, in addition to any other security measures. The results of these projects will then be shared at a high level with the rest of the management team to allow them to get a better understanding of the risks that their organization is exposed to and make more informed decisions going forward.

At the end of the day, bringing an information security expert into the management team isn’t the only way to bring cybersecurity to the forefront, but it’s certainly one of the most effective ways.

Andrew Kennedy is a manager at ABIP Advisors with extensive experience in Cybersecurity and other IT Advisory services such as risk assessments, attaining regulatory compliance, developing internal controls, and implementing information security programs. For further details, Andrew can be reached via email at akennedy@abipcpa.com.





        18  NBIZ  ■ June 2022