For any information security audit, assessment, or testing that our firm performs, it’s incredibly important to us that C-level executives and stakeholders understand and support the organization’s information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will assist in building an information security team? Let’s talk about how to get executives on board with your information security needs.
Support Before Engaging in an Audit
When considering what kind of information security audit, assessment, or testing to undergo, it’s crucial to consider executives’ and management’s opinions and feedback. After all, they’re the ones approving the budget for this kind of engagement, assigning responsibilities, and empowering an information security program. Executives and managers who are engaged in the audit process see more value in the audit; those who are not involved are the most likely to conclude that the audit itself has limited value.
When approaching an executive for their support of an information security audit, assessment, or testing, we suggest you communicate the following benefits:
- Your information security program will align with business objectives. It will help prevent breaches and incidents, mature the organization’s business practices, and help you operate more efficiently.
- Data breaches can have a huge financial impact on the organizations that suffer one. Yes, you are asking them to fund an audit, but the spend now will be well worth it if it prevents a costly data breach or a fine for non-compliance.
- The ability to demonstrate your compliance and information security efforts is a valuable competitive advantage. Your clients want to know that you’re doing everything possible to keep their data and assets safe; they may be more loyal to you if you can demonstrate the information security program that you have in place.
- Your information security program will protect your organization, but on a more personal level, it will help mitigate threats that target executives. Whaling is a type of phishing that specifically goes after the most senior-level employees of an organization because of their authority and rights of access: a fraudulent request that appears to come from, or is approved by, an executive is far more likely to be acted on. Whaling attacks often succeed because so many executives aren’t actively engaged in their information security programs and don’t participate in the same awareness training as other employees.
Support During an Audit
Executives are the link between the audit and the organization, and the success of an audit depends on that link. The quality of an audit is strengthened when they are involved. Executive support, insight, and awareness are invaluable to an organization.
From the very beginning of an engagement, executives and management have responsibility. The scope of the engagement, audit period, criteria, description of systems, description of vendors, risk assessments, internal auditor direction – none of this vital information can be given to the auditor without executive involvement. In a SOC 1 or SOC 2 engagement, management’s assertion is a major part of the report. During a PCI DSS assessment, Requirement 12 is all about the information security policies and programs that management must establish and support. HIPAA requires security awareness training for the entire workforce, executives included, and safeguards for PHI. In a HITRUST CSF engagement, the executive charter is what gives your information security policies their authority as policies. No matter which information security framework you are audited against, executives are ultimately held responsible for securing data and assets. Their involvement is crucial, which is why we require an executive sponsor to be nominated for any engagement we work on.
The Executive Sponsor
Who is considered an executive sponsor? For an audit or information security assessment, an appropriate executive sponsor must be assigned to the engagement. This person is generally a C-level executive, like a Chief Compliance Officer, Chief Technology Officer, CEO, COO, or CFO. An executive sponsor is the party that is ultimately responsible for an organization’s compliance programs. An executive sponsor isn’t usually a member of the IT staff or IT management, because compliance needs to be owned at the executive level of the organization, not only within IT.
An executive sponsor should be present at any project kickoff or planning meetings and should go through any training that the auditing firm requests, like custom software or portal trainings. Most importantly, an executive sponsor of an audit or information security assessment must be available to the auditor or auditing firm. At KirkpatrickPrice, we always want to take questions or issues directly to the appropriate person at your organization, so an open line of communication is key.
Executives set the strategic direction for an organization, so they should be involved with information security strategy. If your organization’s C-level executives, stakeholders, or management are not involved in your information security program, don’t wait to start building their awareness and knowledge.
Want to learn more about choosing an audit firm, information security audits, or gaining executive buy-in? Contact us today.