Fall 2017 issue of Horizons

Unfortunately, many businesses have not identified their crown jewels, much less who is allowed to access this data and on which types of devices. “If you don’t know where the critical information is, how can you secure it?” Katcher said.

A case in point is the vast number of employees that use cloud-based applications to conduct their work more efficiently. However, the extent of this usage is unknown, the solutions are not managed by the organization, and when an employee leaves, their information leaves with them. “Engineering might use an app that puts the company’s intellectual property in the cloud, but since IT or someone charged with governance does not know this, the controls may not be there to protect the information,” said Katcher. “Ensuring a controlled vendor risk management program is in place to protect the most critical information is paramount.”

Opaque Transparency

The transparency of cybersecurity risk management is important for the good governance of all business entities. Corporate leadership seeks transparency into business and market data to increase the speed of operational decision-making. And boards of directors expect accurate reporting on the security of the organizations they serve. Without clear visibility into business and market data, these goals are thwarted. “To validate the client’s cybersecurity in today’s demanding real-time environment requires transparency into their data and overall cyber-risk management,” said Katcher. “Otherwise, CPA firms may not be able to accurately present the financial figures to regulators and external auditors.”

Reporting On Steroids

Reporting used to entail an analysis of the financials and the application of judgment. Today, accurate reporting depends upon how data is input, processed, and stored, and the security risks presented in each scenario. “Simply stating information and reporting that the data is accurate no longer is enough,” said Katcher. “CPA firms must provide evidence demonstrating that a client’s data is complete, accurate, valid, and secure. An example is SSAE 18, which provides additional guidance on how to validate ‘information produced by the entity.’”

Skill Set Shortages

With technology increasingly driving how business is conducted, the tasks traditionally performed in the work environment are rapidly changing. Augmented intelligence, machine learning, robotics, and other transformative technologies are combining in unique ways to replace some jobs, augment others, and demand the development of new skills. The challenge for many organizations is the dearth of talent to fill these roles. The war for such talent that has ensued separates companies into winners, losers, and those in between. For the last two categories, talent gaps can generate cyber risks that are underappreciated. “In advising our clients, we have to feel their pain,” said Katcher. “They’re grappling with having the right skill sets in place, yet may not realize that not having these people is increasing their susceptibility to cyber risks.”

CYBER SECURITY ADVISORY SERVICES GROUP

RubinBrown’s dedicated team specializing in cyber security services is designed to meet each client’s requirements, providing executive consulting, security risk assessments, vulnerability and penetration testing, vendor risk management and specialized security consulting. For more information, visit www.RubinBrown.com/Cyber-Security.

Audrey Katcher, CPA, CISA, CITP, CGMA
Partner
Business Advisory Services Group
314.290.3420
audrey.katcher@rubinbrown.com

Furious Rush of Digital Disruption