Why cyber risk is still a main responsibility for board members

VIDEO | September 09, 2022

Authored by RSM US LLP


Boards have contended with many risks recently, from the pandemic to supply chain disruptions to the war in Ukraine to the threat of a recession. But one risk should always remain top of mind: cyber risk. Cybersecurity should be a priority not only within the board’s company, but also within that company’s ecosystem of vendors and customers, as well as in the governments in countries where those parties do business.

Sudhir Kondisetty, a partner, consulting principal and national information technology risk leader at RSM US LLP, sat down with Directors & Boards (D&B) to discuss the board’s role in addressing cyber risk, including how to mitigate potential attacks.

Below is a transcript of the discussion; the conversation has been edited for clarity and length.

D&B: Sudhir, can you provide us with a landscape view of potential infrastructure risks and concerns around cyber risk?

Kondisetty: It has really changed over the last decade. It used to be that cyber risk was focused on building a perimeter defense, including firewalls and external devices, to protect your internal data and systems. However, what we’ve seen with the growth of cloud applications and data center outsourcing is that very little information is stored exclusively on-premises of an organization.

In the last few years, there has been a refocus on: how are you protecting your data, wherever it is? Consider cloud due diligence, data center due diligence, vendor risk management, looking at all the possible attack vectors for an intruder, not only for yourself, but also for your vendors. And that’s been the biggest sea change we’ve seen in cybersecurity in the last 10 years.

D&B: As a current RSM board member, you have a unique perspective on how boards can look at such risks. What do you recommend boards do to get ready for those kinds of risks—cloud and off-premises risks?

Kondisetty: It’s twofold. Number one is you really need to dig into what your security department and IT department are doing. If you get the answer, “They’ve just outsourced it, so everything’s fine; they don’t have to worry about the problem,” that is the problem. You have to make sure they’re understanding that their responsibility around security does not stop when they’ve outsourced it.

You need to dig into: what are they doing to perform that due diligence on their vendors? What is their responsibility, as opposed to their vendors’ responsibility? That is where most attacks occur. They originate from inside, meaning someone’s desktop or mobile device is compromised and sends information out. That person may have trusted access to an application in the cloud, and they’re pulling data down, and now that’s available. Your security and IT departments still have a responsibility on the internal network.

But I think the most important thing is, security is not absolute. I think we’ve seen that with Fortune 100 companies that have spent millions of dollars on security infrastructure and personnel, and with government agencies that have been hacked and suffered data loss. The idea must be: it’s not a matter of if we’re going to be hacked, it’s when, and are we going to be in a position where we can suffer data loss?

Having a good plan in place to respond to an intrusion is really important. A breach is a big deal. We don’t like to use that word breach until it really is a breach. But knowing how to identify it, having a plan in place, knowing who you’re going to call—that’s all important to have built out before an incident happens.

D&B: Do you recommend that a board go through an incident response drill or a tabletop exercise on a breach to help exercise the muscles?

Kondisetty: Absolutely. Just like you do with a disaster, you go through the exercises. You don’t actually have to call the FBI. You don’t actually have to execute the plan. But, yes, a tabletop exercise, making sure people are available.

I’ve seen some clients actually pull the plug on the internet. Those that can operate predominantly in business hours can take that step of actually disconnecting and see what happens. That does give you a little bit of extra protection and understanding of: if this system’s down, how does it affect other systems? I would go so far as to investigate whether that’s possible. If not, a tabletop exercise with all the parties involved is a great idea.

D&B: What key takeaways do you have for board members as they think about cyber risk? It’s easy to say this is too technically complicated. What can they do to be better at this?

Kondisetty: One important thing is when you are selecting board members, have someone on the board who’s technically savvy. That does not mean they have to be an energy security engineer or a hardcore programmer or anything like that. But they should have a background in and understanding of technology.

Number two, I would have regular updates from the security office, or if you don’t have a security office, the CIO, on what is happening on the security front. We, for example, have a quarterly meeting with our CIO and CSO concurrently in one of our committees, and then they do an annual presentation to the board. This allows us to see trends, what struggles they’re facing, and what new technology they’re putting in place.

Security is always changing, and you need that steady rhythm of communication from management to really understand what’s happening.

This article was written by Sudhir Kondisetty and originally appeared on 2022-09-09.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/why-cyber-risk-is-still-a-main-responsibility-for-board-members.html