Getting Executives on Board with Information Security Needs
One of the most challenging parts of an audit can be getting the support you need to do it right.
For any information security audit, assessment, or testing that our firm performs, it’s incredibly important that C-level executives and stakeholders understand and support the organization’s information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will assist in building an information security team? We know that these questions can represent much larger struggles and frustrations, but we also know how important it is to have management buy-in on a project like an audit.
Let’s talk about why their support is so crucial to the success of your audit and how to get executives on board with your information security needs.
Why You Need Executive Support During an Audit
Executives are the link between the success of an audit and the organization. The quality of an audit is strengthened when they are involved. Executive support, insight, and awareness are invaluable to an organization.
From the very beginning of an engagement, executives and management have responsibility. The scope of the engagement, audit period, criteria, description of systems, description of vendors, risk assessments, internal auditor direction – all of this vital information can’t be given to the auditor without executive involvement.
Additionally, each framework has specific requirements that need the involvement of management:
- In a SOC 1 or SOC 2 engagement, management’s assertion is a major part of the report.
- During a PCI assessment, Requirement 12 is all about information security policies that management must set.
- HIPAA requires universal application of training requirements and securing PHI.
- In a HITRUST CSF engagement, the executive charter enables your information security policies to actually be policies.
No matter which information security framework you are audited against, executives are ultimately held responsible for securing data and assets. Their involvement is crucial, which is why we require an executive sponsor to be nominated for any engagement we work on.
Audits Also Require An Executive Sponsor
For an audit or information security assessment, an appropriate executive sponsor must be assigned to the engagement. This person is generally a C-level executive, like a Chief Compliance Officer, Chief Technology Officer, CEO, COO, or CFO. An executive sponsor is the party that is ultimately responsible for an organization’s compliance programs. An executive sponsor isn’t usually a member of the IT staff or IT management because there needs to be an aspect of organizational responsibility to manage compliance at the executive level.
An executive sponsor should be present at any project kickoff or planning meetings and should go through any training that the auditing firm requests, like custom software or portal trainings. Most importantly, an executive sponsor of an audit or information security assessment must be available to the auditor or auditing firm. At KirkpatrickPrice, we always want to take questions or issues directly to the appropriate person at your organization, so an open line of communication is key.
5 Ways Executives Can Support You Before Engaging in an Audit
We’ve found that being engaged in the audit process will increase executives’ and management’s view of the value of the audit. Those who are not involved in the audit process are most likely to believe that the audit itself has limited value. However, support during the audit will only come if you prioritize management’s involvement beforehand.
When considering what kind of information security audit, assessment, or testing to undergo, it’s crucial to consider executives’ and management’s opinions and feedback. After all, they’re the ones approving the budget for this kind of engagement, assigning responsibilities, and empowering an information security program. Further, they have a deep understanding of company processes and priorities, and when those are incorporated into conversations about security and compliance, executives can begin to see how they all work together and benefit one another.
When approaching an executive for their support of an information security audit, assessment, or testing, we suggest you communicate the following benefits:
- Your information security program will align with business objectives. It will help prevent breaches and incidents, mature their business practices, and help you operate more efficiently.
- Data breaches can have a huge financial impact on the organizations that suffer one. Yes, you are asking them to fund an audit – but the spend now will be well-worth it if it prevents a costly data breach or a fine for non-compliance.
- The ability to demonstrate your compliance and information security efforts is a valuable competitive advantage. Your clients want to know that you’re doing everything possible to keep their data and assets safe; they may be more loyal to you if you can demonstrate the information security program that you have in place.
- Your information security program will protect your organization, but on a more personal level, it will help mitigate threats that target executives. Whaling is a type of phishing attempt that specifically goes after the most senior-level employees of an organization because of their authority and rights of access. It’s not uncommon for whaling attacks to work because so many executives aren’t actively engaged in information security programs and don’t participate in the same awareness training as other employees.
- Security is an on-going effort that is becoming more and more important as threats continue to evolve and mature. By creating a culture of security at your organization, your executives can proactively protect your organization before threats occur and simplify compliance efforts by incorporating them year-round into daily processes.
In addition to the benefits your business will see by incorporating information security and compliance into your company culture, the Securities and Exchange Commission recently adopted rules requiring businesses to disclose the cybersecurity incidents they experience as well as to annually disclose materials regarding their cybersecurity risk management, strategy, and governance processes. In an effort to be more transparent about incidents and the efforts to prevent incidents, the new rules will, “require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” Management’s involvement is more crucial than ever; not only will it improve your overall business processes, it will be requirement from the SEC.
Choose an Audit Partner That Wants to Help You Meet Your Business Objectives and Compliance Goals.
At KirkpatrickPrice, we understand the difficult balance executives have to orchestrate in order to keep their business running smoothly. They are under so much pressure to meet business objectives, but they are also required to meet comply with regulatory laws and frameworks. We believe that the two can work hand-in-hand, and we’re prepared to help you accomplish both goals.
Executives set the strategic direction for an organization, so they should be involved with information security strategy. If your organization’s C-level executives, stakeholders, or management are not involved in your information security program, don’t wait to start building their awareness and knowledge.
Connect with an expert today to learn more about choosing the right audit firm, information security audits, and gaining executive buy-in.