FULL EPISODE TRANSCRIPT
Welcome back to Count Me In, IMA's podcast about all things affecting the accounting and finance world. Cybersecurity is something that truly affects management accountants, but really all individuals and firms. So Mitch spoke with Ray Hutchins and Mitch Tannenbaum about what cybersecurity really means and how to acquire the appropriate knowledge to be of great value to your organization. To hear why you need to understand cybersecurity, keep listening as we head over to their conversation now.
Mitch R.: (00:40)
All right, so at a high level, how does cybersecurity really impact the finance department of an organization? You know, why does this stuff really matter?
Ray H.:
Well, from Mitch's and my perspective, of course we're cybersecurity guys and we're also business professionals. So we've been in business all of our lives; we are a couple of boomers. We've got a lot of experience, and we know that, and we deal with a lot of companies. Where all the cybersecurity and risk questions are dealt with and delegated to, many times, is the finance department; finance takes control in a lot of organizations. They haven't spent a lot of time setting up their internal authority around, well, who's going to be responsible for the risk and compliance for the organization? Who's going to be responsible for cybersecurity and privacy? And so in a lot of organizations that falls naturally right onto the finance department, and specifically the CFO. That's been a problem we've dealt with in the past many times, in an organization saying really the CFO shouldn't be the one in charge of all of this. You know, they definitely play a role. Of course they're always important on it, but there are more people who need to be involved in this. But that's the nature of the beast. The finance department is involved, they pay for it, they're accounting for it, and therefore they need to understand something about it so that they can participate at an intelligent level in conversations around this risk category.
Mitch T.: (02:30)
Let me add something to that. Every organization has a chief risk officer. Now, in many organizations, that person doesn't have that title. But in every organization, somebody is responsible for that, whether that's the CEO, the COO, or more often the CFO. If we assume that cybersecurity is a business risk that needs to be mitigated, just like every other business risk, and if we assume that the CFO is, in fact, the chief risk officer, then it makes perfect sense that the CFO and the finance team need to understand cyber risk to be able to lead the conversation. They don't need to be the experts, but they need to understand how that ties to business risk.
Mitch R.: (03:19)
So these are all really great points, and I really like the idea of, you know, grouping this together as a true business problem. It's not an IT problem. And if the CFO is going to act as this chief risk officer, as you said, and really manage, you know, the risk initiatives here, what specific type of information do you think the CFO or their finance team needs to acquire in order to effectively lead this risk mitigation and implement these cybersecurity procedures for their organization?
Ray H.:
Good question. And it brings up something, you know, both Mitch and I have (my Mitch, my partner Mitch, as opposed to you, Mitch), but both Mitch and I have of course spoken at multiple IMA meetings at this time, and we're familiar with IMA as an organization. Something that we find out there in the IMA organization is you've got a lot of executives in transition from one company to another, and within companies they're moving up in their careers and whatnot. And something that I have found to be the case when I'm talking to these people out there, and I make the point, is that as a financial services professional, no matter what your rank, no matter what your position within the organization, you can make yourself much more valuable to the organization if you have a business grasp of cybersecurity and privacy and its business implications, and you can speak the language. You've got some jargon, not technical jargon, just general jargon about it. Perhaps knowing some of the regulatory environment, knowing some of the regulations and the standards that affect all businesses, kind of understanding that and being able to engage on that. Companies have a terrible shortage of anybody who can talk the talk of cybersecurity and privacy. So if you can demonstrate any level of competency, any level, well, that changes your value proposition within the company.
Mitch T.: (05:27)
So I would say that, just like any other risk problem, you want to create a governance, risk and compliance framework, a GRC framework. And the good news is the federal government, in the guise of the Department of Commerce, National Institute of Standards and Technology, has created a great governance framework, which is the NIST Cybersecurity Framework. And as of this past January, its partner, the NIST Privacy Framework. These are governance frameworks, high-level governance frameworks that every organization needs to be looking at. And I will tell you, and we do a lot of work with this, nobody is a hundred percent when it comes to these frameworks, but the framework provides a set of guidance for organizations big and small. So if you go look at policies, for example, and it asks questions about policies, well, a small organization is going to need a different set of policies than a big organization; an organization that operates in multiple states and multiple countries might need different policies than one that doesn't. But if you lay all this into that framework, then you can go off and say, as the chief risk officer, okay, you know, this is a network problem, or this is an IT problem, or this is a "what level of risk are we willing to assume" problem. And you can go off and assign different people in the organization to go help you complete this framework and see where you stand. The first thing that I would always do, and we do a lot of these, is a gap analysis. Let's go look at where we are versus where we want to be, and we have these conversations and we generate a list of gaps, and then it becomes a business conversation for the C-suite and, for larger organizations, for the board. Very importantly, the board has to provide guidance on this to say, what is the level of risk we're willing to take? And the risks could be a compliance risk.
It could be a legal risk, it could be a reputation risk, it could be a whole variety of different risks that we could be taking on. But what's important for every organization is to understand the level of risk that they're taking. Go look at Equifax; it's a great example. The whole Equifax breach started because they didn't patch a server. Now that comes down to having an inappropriate understanding of what is the level of risk of having all these servers out there, and having a patch management program that works, so that gets into the technical weeds. But you can go look at every breach that's out there, whether it's Capital One, whether it's Equifax, these are mega breaches, hundreds of millions of records in some cases, Marriott, Starwood, you know, and you can create lessons that you can learn. Let's go look at what they did wrong and let's see how we can do things right. Go look at the Sony breach from 2013; you know, what was very clear in the aftermath of that breach is that Sony did not have an incident response plan that was appropriate to the problem. Neither, by the way, did Equifax in 2018 or 2019. So, you know, if you're the chief risk officer and you want to ask these questions: okay, so I just saw this breach that happened to XYZ company in the news. You know, how would we do? Let's assume that we got hit with the same kind of attack. And something that's very much in the news these days is ransomware, and there are two kinds of ransomware. One where they just encrypt your data, and one where they steal it first and then they encrypt it. Your responses to those kinds of attacks are two different responses, because one says, if you don't pay me the money, I'm going to publish all your data. That's what happened to Sony. The other kind of ransomware is, well, I just grind your business into the ground, you go bankrupt and go out of business. So those are two different problems.
But as a chief risk officer you want to say, are we prepared for this kind of risk? Show me how we're prepared. Explain to me in layman's terms, business terms that I can understand, how we're prepared to deal with this kind of risk.
Mitch R.: (09:48)
Well, I really like going back for a second and framing cybersecurity as a framework, and using a framework in order to, you know, acquire and guide the use of all this information here. Particularly at IMA, our vice president of IT really emphasizes that cybersecurity isn't really one-size-fits-all, right? There's not just one solution that's an upfront project and then you're good. It's really an ongoing process. So my question to follow up on all of this is, when implementing a framework and cybersecurity processes and procedures, how much time and effort really goes into first, kind of, the needs analysis and the risk analysis to see, you know, what are we comfortable with, and then ultimately implementing something so that cybersecurity and privacy protection is all in place for the organization on an ongoing basis, you know, taking into account this strategic foresight for the company?
Ray H.:
Excellent question. Okay. So Cybercecurity LLC, with the word "cecurity" spelled with a C, Cybercecurity LLC. That's our company. We're a full-service cybersecurity company and we specialize in a particular area. We specialize in the building and implementing of cybersecurity and privacy programs. Okay. So any company, whether you're a solo practitioner, whether you're a small company, whether you're a large company, you must implement a cybersecurity and privacy program. Now, depending on your size and the complexity of your company (complexity defined by, okay, size, number of employees, number of offices, complexity of the company: what regulations do you have to adhere to? What industry are you operating in? Have you developed your own internal software applications or not? Stuff like that. That increases complexity.), depending on your size and your complexity, that will dictate the size and complexity of the cybersecurity and privacy program which you must implement. But you've got to put a program in place, whether we do it for you or someone else does, a program that's going to cover all these elements, and it's going to be ongoing. It's not going to be a one-time thing. "Okay, let's put out a policy here. Everyone read it? Okay, let's do some phishing training this afternoon. Okay, you're done. Okay. That's the end of cybersecurity." No, no, no, no. Cybersecurity requires a change of thinking in the organization. For typical companies, we tell them it's going to take you six months to implement this, because you're not going to stop everything else you're doing. You're going to implement it a little bit at a time, every day, every day, week after week, month after month, until it is in place and until it becomes part of what you do when you're having a meeting about a new product you're rolling out, when you're having a meeting about a new territory that you're opening up.
In your head, when you're onboarding a new person, every time you're doing anything, security is part of the conversation.
Mitch T.: (13:15)
And if you are in a regulated industry, you're in healthcare, you're in finance, you're in defense, in the regulated industries you are either legally or contractually required to go off and make sure that your vendors, well, here in Colorado, where Ray and I live, the law says that before you share data with a third party that is personally identifiable data, you must ensure that that company can protect that data. That is the law. Now other states have similar laws. So, you know, we talked about established companies, but let's move for a second to startups. And startups are always worried about, you know, getting their product out the door, whatever that is. And a lot of times nowadays, that's a tech product. And we've seen this, unfortunately, where we come in, you know, late in the game, they're ready to roll it out and they say, gee, we've got to go review the security. And they've done nothing about security, and the security of the applications they've built is absolutely horrible. It's a disaster. And we've seen that recently in the news where, you know, companies have released apps, and, well, look at the Iowa caucuses. I mean, that was a brand new application. There was very limited cybersecurity, there was very limited oversight, and it was an absolute disaster. You know, for a small company, that could be the end of the company.
Mitch R.: (14:44)
To kind of wrap things up, you know, we talked about a lot of different aspects going into cybersecurity. As far as next steps for our listeners, what recommendations do you have as far as good resources or additional information? I know we mentioned the NIST framework, you know, your company. What else is out there, and, you know, what do you think our listeners should be doing now?
Mitch T.: (15:08)
So we have a YouTube channel with some great videos on there. Executive, nontechnical videos; they're short, they run five to 10 minutes apiece, probably about a dozen videos. There's also some longer videos on specific topics. We have a blog that's available from our website. We have a lot of content there.
Ray H.:
Our website, cybercecurity.com, security with a C. And that website, by the way, is not like your regular website that just talks about a few things. There's a lot of information on that website, a ton of good content, so you can get an education off of that. And then Mitch was getting ready to talk about his blog, which is a very important source of information.
Mitch T.: (15:52)
So just to reiterate what Ray said, if you go to our website under training content, you'll see the videos. And then next to that there's the blog, and that's the blog I write. I typically write four or five times a week on different subjects; the conversations are typically nontechnical. They are privacy, security and compliance related. They're short; the typical read is probably five minutes. So I recommend that. And again, it's about just creating that general conversation that you have. If you have an industry trade association that you are part of, that trade association hopefully is bringing up this conversation. I know we've been pretty active in causing some trade groups to go do that, but if they're not, you know, the trade group can reach out to us and we'll be happy to go do a piece specific to that trade group. We've done that for a number of different industries. Some of those are on our YouTube channel. So those are some things that you can do. But generally, you know, unfortunately, because cybersecurity and privacy risk is a changing, morphing, amorphous blob right now, you know, this is nothing that you will go off and say, okay, I read a book, now I'm an expert. It's one of those things where you're going to learn and learn and learn, and that's really the thing. That's the message here. This is an ongoing, never-ending, forever learning exercise on the part of financial professionals.
This has been Count Me In, IMA's podcast providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org