Are You Protecting Your Digital Assets?
Safeguarding assets has been an important objective of all organizations for centuries. In today’s digital age however, what does safeguarding your assets really mean? Who is responsible for it? And how is “protection” actually achieved?
The COSO framework for enterprise risk management recognized the importance of safeguarding assets as an implicit component of effective internal control. Its landmark 1992 framework even defined internal control as: “[A] process … designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.”
You can’t provide reasonable assurance of your operations or financial reporting unless you know what your assets are, where they are, and who is doing what with them. You need to know your assets are protected.
In much of the 1900s, protecting an organization’s assets consisted mainly of physical safeguards, asset management (for example, taking inventory of your goods), and monitoring asset values. Although these practices are still critical in today’s business environment, additional processes, procedures, and controls are required to protect our information assets. With a high percentage of market value now accounted for by intangible assets such as intellectual property, reputation, brand, and electronic records, information is now a vital business resource. And, as with physical assets in earlier post-industrial times, the vulnerability of today’s valuable informational assets to theft or other criminal attack has made protection of such assets a matter of immense urgency for all organizations.
Who is Responsible for Information Asset Protection?
While chief information security officers and chief financial officers are important players regarding information asset protection and security, they are not the true “guardians” of the organization’s critical informational assets. For example, in hospitals, CFOs are not responsible for safeguarding patient records; at insurance companies, they are not the guardians of policyholder records. In the pharmaceutical or technology sectors, the company’s crown jewels (its intellectual property) are not the direct responsibility of the CFO or the CISO.
All of these forms of data have associated expenses and are used to generate revenues (billings, annual fees, royalties), for which the CISO has ultimate security oversight. The CISO in turn must ensure the integrity of the chain of custody by enforcing rules applicable to key managers and other authorized personnel in their roles as the day-to-day “guardians.” In short, internal control is effected by people at every level of an organization. In fact, many managers are more directly responsible for day-to-day asset protection than the CISO or CFO.
What Are the Implications?
Addressing these questions will help determine key implications of how to protect your digital assets and what actions to take.
- Will an organization’s information security management system become critical to the safeguarding of the CFO’s financial records? Will those systems emerge as the key means of safeguarding an organization’s assets?
- Will CFOs and finance staff need to understand and implement informational asset protection measures to be effective in their roles of supporting the guardians of the organization’s assets?
- Will we need more guidance on the definition, classification, and protection of information assets?
- Will CISOs need to work more closely with and educate the finance function (and all operating departments, really) about how to best implement a sustainable information protection and security program?
- Should the organization establish a data management function and data governance policy, standards, and procedures? Both the function and governance could be headed by a senior manager reporting to the chief operating officer or chief executive officer. What role(s) could the chief information officer take in information protection?
- Will the Board and CEO need to provide more in the way of expectations?
- Will internal audit and external audit spend more resources on evaluating the protection of all of an organization’s assets, physical and digital? The internal audit function in particular needs to think more strategically about enterprise-wide security and ensure that enterprise-wide risk management is a guiding theme for prioritizing the organization’s efforts.
The Big Question: What Should We Do?
First, top management must organize a council of chief-level executives including the CEO, CFO, CIO, CISO, CAE (chief audit executive), and other chiefs including compliance, risk management, and all areas of the business that own, maintain, use, or rely upon information. The most senior members of this council must ensure all members understand the critical reliance on information security and the financial, regulatory, social, and other impacts that can befall the organization if information security is breached. This understanding must be expressed in non-technical business terms to ensure everyone competently understands the level(s) of risk the organization can and cannot accept with regard to protecting information assets. Only with this comprehensive level of understanding can management ensure resources dedicated to information security are in line with the criticality of protection required by the organization.
As a next step, this C-level council must collectively ensure the security resources and solutions in place are appropriate to manage the business risks within the bounds of external requirements and the business appetite for risks. And security monitoring must ensure the appropriate level of protection will remain in place and functioning.
The bottom line: Top management must implement an information security management program that truly safeguards all assets of the organization.
Organizations that have not done so already should immediately:
- Discuss information security with the board and senior management, ensuring their understanding of the key risks and gaining their support for the necessary controls;
- Link security investments and resourcing to core business priorities and risk-assessment results;
- Leverage existing security standards, guidance, and practices and define the organization’s information security management system;
- Explicitly assign responsibility and accountability for protecting informational assets across the organization;
- Revisit IT and related strategies to align business and IT efforts, and ensure that overarching information security requirements are explicitly defined;
- Inventory and classify the organization’s information: Identify it, assign a business guardian to it, and determine how best to protect it based on risk-assessment results;
- Implement common security practices and solutions to meet business needs and comply with ever-expanding regulatory compliance requirements;
- Identify continuous improvement opportunities and prioritize them, and then invest in improving the operational resilience of the organization;
- Strengthen the business continuity program;
- Configure security into both business processes and the supporting IT systems, to strengthen technical and procedural security practices;
- Include “Asset Protection in the Digital Age” as one of the discussion items in quarterly business performance review meetings, and develop action plans for improvement as needed.
We must build security into and across all organizational efforts. The CISO and CFO each have a mandate to work with the other key corporate players—and especially the business guardians of informational assets—to ensure effective asset protection. This is definitely a responsibility shared by various players throughout the organization. The question is, do the players work together to ensure effective asset protection? Or do they work on this critical responsibility in silos, allowing things to fall between the cracks? Are we also addressing information protection in all the outsourced activities that are so prevalent today?
Leaders also need to ensure that all vendors, suppliers, and other third parties responsible for protecting information used in outsourced activities are included in the mix of information asset protection and security actions.
As a colleague recently indicated, we need to move away from financial, operational, and technological thinking and decisions toward a critical-thinking methodology meant to maximize the benefit to the enterprise as a whole, not sub-units of it. That is based on enterprise-wide risk assessment and management.
Are all your organization’s assets appropriately protected in the digital age? I recommend making this a topic of discussion at your next management committee meeting, or better yet, put it on the board agenda. An effective tone at the top starts with top management and the board taking action to implement appropriate security controls.
To make suggestions about “Are You Protecting Your Digital Assets”, please contact the author at dswanson_2008@yahoo.ca.