Cybersecurity: Three Dynamics Working in Our Favor

Cybersecurity risk is one born from profound disruption. Just as the internet transformed our businesses and lives for the better, it also spawned new categories of wrongdoing and a true rogue’s gallery of cybercriminals. As once described by Securities and Exchange Commission Chairman Jay Clayton, these unsavory types include "identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, so-called 'hacktivists,' terrorists, state-sponsored actors and others."  

A 2018 report from the Center for Strategic and International Studies and McAfee put a dollar amount on the annual impact of cybercrime: $600 billion. "Cybercrime is relentless, undiminished, and unlikely to stop," the report says. 

In the face of these grim realities, it's easy to get discouraged, if not overwhelmed. We can’t forget, however, that there are other dynamics that work in our favor too. Here are three. 

1. We're All in This Together 

One positive cybersecurity dynamic is the fact that each of us has a role to play in counteracting the disruption of cybercrime, and our collective efforts can make a real difference. That's why efforts like National Cybersecurity Awareness Month (NCSAM), which takes place each October, are so important. As the organizers of NCSAM say, "whether it’s at a corporate office, local restaurant, healthcare provider, academic institution, or government agency—your organization’s online safety and security are a responsibility we all share."   

2. Our Cybersecurity Awareness Is Growing 

As we commit more and more to our cybersecurity roles, our understanding of those roles is steadily increasing.  

Take, for example, boards of directors, who play a critical role in overseeing how companies manage cybersecurity risks. A recent article from Deloitte noted that "a deep technical understanding is not necessary for board members to oversee how the company’s cyber risks are managed." Instead, the article suggests, board members should focus on a few simple fundamentals: 

• Understand management’s view of the key risks to the organization’s crown jewels.  
• Research cyber risk more broadly.  
• Keep asking questions.  
• Require consistent reporting across the organization.   

3. We Have Powerful New Tools

An outgrowth of greater cybersecurity understanding is that new tools are emerging to help us carry out our cybersecurity roles.  

Let’s return to our example of boards of directors. If we accept that consistent reporting across the organization should be a priority for companies and directors, there is a now a powerful tool that addresses this need directly. The SOC for Cybersecurity offering from the American Institute of CPAs (AICPA) provides a solid framework that companies can use to communicate relevant and useful information about the effectiveness of their cybersecurity risk management program. The framework also enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on the company’s program.

I hope you will join me, my colleagues at the Center for Audit Quality and the AICPA, and many others as we participate in National Cybersecurity Awareness Month. Join the #CyberAware and #SOCforCybersecurity conversations, get tips on staying safe online, and urge others to do the same. Yes, cyber realities can be grim, but remember how powerful we can be when we work together to promote sound cybersecurity.   

As always, I welcome your thoughts in the comments.  

A securities lawyer, Cindy Fornelli has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.