Cross-Industry Compliance Leadership Summit eyes the intersection of two disciplines
“It’s called the cloud,” Deloitte & Touche LLP Principal Julie Bernard remarked. “It’s not called the vault. Keep that in mind.”
Bernard and Deloitte & Touche LLP Managing Director Susan Ameel moderated a session at Deloitte Advisory’s recent Cross-Industry Compliance Leadership Summit about the ways compliance and cyber security meet, and how the executives responsible for those areas might benefit by coordinating their efforts.
Many of the industries most subject to cyber attacks are also among the ones that have the most sophisticated regulatory and compliance obligations. Financial services, energy and utility companies, health care organizations, defense and aerospace – they all have to safeguard their own sensitive data, their customers’ information, or both.
Bernard noted that according to one study, 89 percent of data breaches have a financial or espionage motive.[1] Many of those breaches involve insiders, and much of the data lost includes personal information such as Social Security numbers and dates of birth.
Organizations can’t repair losses like that just by changing a credit card number. Confidences they have pledged to maintain have been broken. That’s a good argument for compliance leaders and cyber security leaders to work in sync. The question is, do they?
Business Line Information Security Officer Mike Leking of U.S. Bank, a former Department of Homeland Security (DHS) official, was a featured panelist at the summit. He said building that kind of partnership takes “handholding, communications, and feedback.”
“Cyber security and information security needs to be embedded into the culture of an organization,” Leking said. “It’s not just something you do during cybersecurity awareness month.”
Leking noted that in his work at DHS, he learned incident management was a frequent weak spot – that some organizations proceed as if they expect never to be hacked, when it’s actually a matter of “when,” not “if.” Threats can come from professional criminals, “hacktivists” fighting for a cause, or from nation-states and terror organizations. Or they can come from a teenager just looking for a challenge. The internal awareness and controls that compliance uses can also help detect and deter those threats.
Other participants in the summit, representing a variety of industries, offered varying assessments of how well they were engaging with their security counterparts:
In some cases, Susan Ameel pointed out, cyber and compliance teams can find shared satisfaction in one approach to potentially damaging data: destroy it. But that can be easier said than done.
Another area that concerns both compliance and security leaders is the activity of third parties. The first question may be which unit is responsible for the relationship: the business unit, information technology, legal, or another? Some participants said they make vendors and other third parties complete long questionnaires about their security practices, or sign agreements promising a certain standard of performance. But just as a company cannot contract its own fiduciary responsibilities to another, the cyber security buck stops at home as well.
All participants in the summit discussion acknowledged the stakes are high.
“The defenders have to be right 100 percent of the time, so it’s an uneven playing field,” one compliance chief said. Another noted, “One single click can significantly impact the future of an organization.”
And Bernard recalled desperate times she has witnessed first-hand: “I’ve been involved in cases of the devaluation of a company so they could be bought by a Chinese company for a quarter of a billion dollars less than they should have been, all based on an external threat,” she said. “That’s the freak-out. What if someone got into your systems and changed your financials so that you disappeared overnight?”
[1] Verizon’s 2016 Data Breach Investigations Report, available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/