The CEO and IT risks, or why appoint a CRO (Chief Risk Officer)?

by Benoit Grenier

In my previous articles, Les CEO et l’angle mort des cybercrimes and Les CEO et les cybercrimes, les solutions, I presented several of the types of risk that organizations face, the CEO-CIO communication problems, CEOs’ distorted perception of cybercrime, the security audit, and the importance of having a CISO (chief information security officer). Today I will continue discussing proactive risk management solutions by introducing the CRO (Chief Risk Officer). Financial institutions have had such an officer in their organizations for quite some time. They had no choice, given the Basel Accords, Sarbanes-Oxley and the Turnbull Report. Initially, the CRO’s role was to protect the organization against the risks associated with the evolving regulatory frameworks imposed on financial institutions. Then these CROs also began to analyze internal audits, insurance coverage, fraud detection, corporate investigations and… information security. It is this last point that I will discuss today.

https://en.wikipedia.org/wiki/Basel_Accords

https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

https://en.wikipedia.org/wiki/Turnbull_Report

https://en.wikipedia.org/wiki/Information_security

Information security (also known as infosec) has itself evolved considerably over the years. It was first concerned with the safety, assurance and protection of a piece of data or information, and then extended those same activities to digital forms. The CRO thus came to take an interest in telecommunications, software, computing equipment, networks, hosting, databases, mobility, encryption, physical and human security processes, terrorist and environmental threats, personal data protection and privacy, the legal framework, and various kinds of insurance. Let’s just say that, all of a sudden, the plate was getting full.

Another huge concern that was virtually unknown just a few decades ago is cybercrime, particularly the threat of hacking by those interested in stealing company secrets or customer data. According to a 2014 report from the Center for Strategic and International Studies, cybercrime drains some $375 billion to $575 billion per year from the global economy.

In recent years, data breaches at major companies in several different industries have cost CEOs their jobs. The risks intensify when companies merge and integrate their IT systems. A BCG report in February noted, “While these concerns hold true for all companies, they are acute in A&D [aerospace & defense], in which companies often are dealing with issues of national security.”

https://www.forbes.com/sites/haroldsirkin/2016/03/07/if-you-dont-have-a-chief-risk-officer-get-one/#192adb36244b

As the technological dimension of this new CRO function became predominant, the first reflex was naturally to work with the organization’s usual IT vendors. They could supply antivirus, firewalls and other IT “countermeasures”. However, threats have evolved at a staggering pace, and viewing them through a strictly IT lens is now far from sufficient.

An enterprise-wide approach

While cybersecurity was once relegated to a technical or operational issue handled by IT, a cross-departmental, enterprisewide approach to cybersecurity is necessary, according to the Cyber-Risk Oversight, Directors Handbook Series, produced by the NACD. The publication suggests that cybersecurity should be evaluated and managed in the same manner as the organization considers physical security of human and physical assets.

https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2015/BAS-FEI-CFO-whitepaper-150605FIN.ashx

Then the CFO, being the grand master of the “cash” that can enter or leave the organization (especially when a risk materializes), naturally turned to his historical financial advisers: the CPAs and the large management consulting firms. After all, they are already used to audits and claim to hold expertise in IT risk management. So organizations have mainly turned to those who supply the hardware and software to critique their own products and services, and to the large accounting firms which, in turn, will analyze the failings of their own professional services. There is something circular here, like a dog chasing its tail… Moreover, the accounting firms themselves seem to have trouble managing their own IT risks.

New research shows yet again, accountants are taking sometimes potentially disastrous risks with their firms and – worse – with their clients.

The recent “Accounting Firm Operations and Technology Survey,” published by CPA Trendlines Research, shows these risks go beyond merely “falling behind” the technology curve because of traditionally penny-wise, pound-foolish spending. At one time, “falling behind” risked obsolescence, or worse, maybe irrelevance – either of which was a business risk, but a risk that could only be measured by benchmarking against “the competition,” whatever that was.

Today accounting firms are taking on a whole new category of risk – the risk of sudden, unforeseen and irrecoverable disaster. The black swan event.

http://www.accountingweb.com/community-voice/blogs/rick-telberg/accounting-firm-tech-systems-are-weak

Other organizations, with more flair, decided to bring the CRO role in-house. That was already a step in the right direction. However, this solution has its own pitfalls, including the risk of creating obvious tension between this risk detective and the inertia and inherent defensiveness of those who might be found guilty of a lapse or weakness. This is what is known as the “independence” problem.

Formal reporting lines may vary across banks, but regardless of these reporting lines, the independence of the CRO is paramount.

While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the board and its risk committee without impediment.

Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions.

Interaction between the CRO and the board should occur regularly and be documented adequately.

Non-executive board members should have the right to meet regularly – in the absence of senior management – with the CRO.

http://www.chief-risk-officer.com/

Successful CROs acknowledge the possible tension with their new peers and look for opportunities to show that their position can complement what the CFO and CAE already do, take some of the load off their already full plates, and create synergies that benefit the organization and the CFO and CAE. What does the new CRO get from taking this cooperative and conciliatory approach? The CRO gains two strong allies and proponents for ERM and support for creating a risk aware culture, as well as the insights he or she will need to do the job most effectively.

https://web.archive.org/web/20060517033324/http://www.rmmag.com/Magazine/PrintTemplate.cfm?AID=2855

For all these reasons, we remain convinced that the CRO has every advantage in being someone external to the organization and, moreover, must have the experience, the methodology, and technological, financial and management expertise. Several organizations (including that of your humble servant) specialize in the management and analysis of organizational risks, without the bias of being a technology vendor or an accounting consultancy. If, however, you choose the option of bringing the CRO into your organization, we can certainly also transfer to that person the knowledge and expertise needed to carry out this more than strategic mission.

Questions for the CIO before an attack

  1. What are our major IT risks? Do we understand them? How do these compare with other enterprise risks?
  2. What is our mechanism for reviewing major IT risks and adjusting defence strategies accordingly?
  3. What are our most critical data elements? Where are they held within our enterprise or partner data system? How are we protecting them? What is our approach to cloud computing?
  4. Have we evaluated our supply-chain risk?
  5. Do we have a social media policy? Are all employees trained on it? How do we monitor its application?
  6. Do we have daily cyber threat intelligence/information that is customized for our environment and systems so we can prepare for threats before they strike?
  7. What is our response plan in the event of a cyber breach? Do we have access to professional cyber incident responders – internally or through service providers – who can help us manage and contain a breach? Do we know who to call in the government and law enforcement communities for assistance? How would you evaluate our business continuity program?

http://www.ceocouncil.ca/wp-content/uploads/2014/04/What-Every-CEO-Must-Know-Cyber-April-4-2014-Final.pdf

 

Benoit Grenier
CEO and Co-Founder
Proactive Risk Management

 

In writing this series of articles, we consulted the following articles, which may also be of interest to you.

CEO

Our biggest blindspots as CEOs

https://m.signalvnoise.com/our-biggest-blindspots-as-ceos-5c1bdab8347c#.nwnk0qu4b

What every CEO needs to know about cybersecurity: A background paper By Ray Boisvert President and CEO I-SEC Integrated Strategies

http://www.ceocouncil.ca/wp-content/uploads/2014/04/What-Every-CEO-Must-Know-Cyber-April-4-2014-Final.pdf

Cybersecurity Questions for CEOs

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Why CEOs Are Failing Cybersecurity, And How To Help Them Get Passing Grades

http://www.forbes.com/sites/stevemorgan/2016/05/04/why-ceos-are-failing-cybersecurity-and-how-to-help-them-get-passing-grades/#43da6ebf553b

The Biggest Threat to Cyber Security–Your CEO

Preventing cyberattacks might be as simple as keeping an eye on the C-suite.

http://www.inc.com/julie-strickland/ceo-cyberattacks-hacking.html

Corporate Security Checklist – a CEO’s Guide to Cyber Security

22 essential questions to evaluate your company’s defenses

https://heimdalsecurity.com/blog/corporate-security-checklist-a-ceos-guide-to-cyber-security/

Cyber Risk Management Primer for CEOs

https://www.dhs.gov/sites/default/files/publications/C3%20Voluntary%20Program%20-%20Cyber%20Risk%20Management%20Primer%20for%20CEOs%20_5.pdf

Cyber Security: A Failure of Imagination by CEOs

http://www.theatlantic.com/sponsored/kpmg-2016/cyber-security-a-failure-of-imagination-by-ceos/912/

The CISO, the CIO, the CEO, or you: Who is really responsible for cybersecurity?

http://www.zdnet.com/article/who-is-really-responsible-for-cybersecuritythe-ciso-the-cio-the-ceo-or-you-who-is-really-responsible/

Target CEO Fired – Can You Be Fired If Your Company Is Hacked?

http://www.forbes.com/sites/ericbasu/2014/06/15/target-ceo-fired-can-you-be-fired-if-your-company-is-hacked/#d9abd317bc1c

CEOs Can No Longer Sit Idly By on Cybersecurity

https://www.entrepreneur.com/article/233911

CEOs disconnect between cyber security perception and reality; report

http://www.itp.net/610976-ceos-disconnect-between-cyber-security-perception-and-reality;-report

 

CEO/CIO

The CEO/CIO relationship

http://www.computerworld.com/article/2586489/vertical-it/the-ceo-cio-relationship.html

The Differences Between CIOs and CEOs

http://www.cioinsight.com/it-management/expert-voices/the-differences-between-cios-and-ceos.html

The CIO in Crisis: What You Told Us

https://hbr.org/2013/07/the-cio-in-crisis-what-you-tol

Is There A CEO-CIO Disconnect?

http://www.huffingtonpost.co.uk/vincent-delaroche/is-there-a-ceocio-disconn_b_12768684.html

CIO vs CEO: Finding Middle Ground

http://www.mavenwave.com/fusion-blog/cio-vs-ceo-finding-middle-ground/

Securing the C-Suite, Part 1: Lessons for Your CIO and CISO

https://securityintelligence.com/securing-the-c-suite-part-1-lessons-for-your-cio-and-ciso/

 

CRO

The Chief Risk Officer: What Does It look Like and How Do You Get There?

https://web.archive.org/web/20060517033324/http://www.rmmag.com/Magazine/PrintTemplate.cfm?AID=2855

Chief Risk Officers Are Taking on a Broader Role

http://blogs.wsj.com/riskandcompliance/2016/04/01/chief-risk-officers-are-taking-on-a-broader-role/

The Triumph of the Humble Chief Risk Officer

http://www.hbs.edu/faculty/Publication%20Files/14-114_60866b77-6b5c-4fd3-9ce1-e2ab8d5da654.pdf

If You Don’t Have A Chief Risk Officer, Get One

https://www.forbes.com/sites/haroldsirkin/2016/03/07/if-you-dont-have-a-chief-risk-officer-get-one/#192adb36244b

The role of the Chief Risk Officer in the spotlight

https://www.towerswatson.com/DownloadMedia.aspx?media=%7BA590F5C1-5630-45A8-9133-4C04AF5B80BD%7D

 

CFO

Three ways to strengthen the CFO-CIO partnership CFO Insights

https://www2.deloitte.com/us/en/pages/finance/articles/cfo-insights-cfo-cio-partnership.html

When technology meets finance: how the CFO can become an innovation catalyst

http://www.information-age.com/when-technology-meets-finance-how-cfo-can-become-innovation-catalyst-123460018/

Accountants as aggregators of data – Evading a Cyber Attack

http://www.lexology.com/library/detail.aspx?g=7ea05894-ca30-4ab8-b14e-f39cdb5a6abb

Cyber Security: Big Four get serious on cyber security

https://www.ft.com/content/270d2894-ecb5-11e3-a754-00144feabdc0

Data and Dollars: The Role of the CFO in Cybersecurity

http://www.connectedfuturesmag.com/a/F15A1/data-and-dollars-the-role-of-the-cfo-in-cybersecurity/

The CFO’s role in cybersecurity

https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2015/BAS-FEI-CFO-whitepaper-150605FIN.ashx

Accounting Firm Tech Systems Are Weak

http://www.accountingweb.com/community-voice/blogs/rick-telberg/accounting-firm-tech-systems-are-weak

 

Cybercrimes/Cybersecurity

TOP CYBERCRIMES WHITE PAPER HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS

http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/CyberSecurity/DownloadableDocuments/Top-5-CyberCrimes.pdf

Cybersecurity Best Practices Guide For IIROC Dealer Members

http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf

Study shows businesses the ROI behind a strong security program

http://www.ncxgroup.com/2016/04/study-shows-businesses-roi-strong-security-program/#.WLc9NBLhAdU

IT security auditing: Best practices for conducting audits

http://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits

Internal Audit’s Contribution to the Effectiveness of Information Security (Part 1)

https://www.isaca.org/Journal/archives/2014/Volume-2/Pages/Internal-Audits-Contribution-to-the-Effectiveness-of-Information-Security-Part-1.aspx

7 Types of Hacker Motivations

https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/

No Business Too Small to Be Hacked

https://www.nytimes.com/2016/01/14/business/smallbusiness/no-business-too-small-to-be-hacked.html

Percentage of companies that report systems hacked

http://www.cbsnews.com/news/percentage-of-companies-that-report-systems-hacked/
