What are your top priorities when developing a strategic IT risk program? Steve Schlegel (Managing Director, Deloitte) moderates a lively discussion between Greg Keches (Information Security Director, Boston Consulting Group), Greg Boehmer (Managing Director, Deloitte), and Melissa Pici (Senior IT Audit Manager, Syniverse) that covers:
- How IT risk has changed over the last few years and how it continues to evolve.
- Must-haves of effective IT and cyber risk functions, and transformative technologies for IT risk organizations.
- How to effectively position your function for the right amount of investment from leadership within your organization.
Watch the full conversation, and read the can’t-miss highlights below.
How have you seen IT risk change over the last few years, and how do you see it continuing to evolve today?
Melissa Pici (Syniverse): We’ve seen an exponential increase in cyber attacks, IT governance issues, data security, ransomware, and killware. The introduction of additional technology in spaces where it might not have been used previously has changed, too.
Greg Boehmer (Deloitte): I’ll add a quote by Peter Drucker that I think really sums it up. He said: “The greatest danger in times of turbulence is not the turbulence, but to act with yesterday’s logic.” Whatever’s going on (generative AI, ERP implementations, whatever is coming next), if we as professionals in risk management and IT controls don’t get on board and get ahead of things, we’re going to be obsolete really fast and there are going to be a lot of risks.
How do you stay on top of the various compliance requirements and emerging risks that could disrupt the ongoing activities of your organization?
Greg Keches (Boston Consulting Group): The first element involves jurisdictional awareness. Getting engagement across your business model and trying to understand what bits of compliance are coming out of which verticals is super critical. It’s also about developing a relationship with the business. It has nothing to do with technology, it has nothing to do with advanced analytics. It’s really just trying to make sure you have a rapport with the folks that surround you.
Additionally, sometimes folks in the first line of defense just care about trying to operate against a business norm. What can we do to help ensure our information and communication is actually tailored for them to understand what it is that we’re doing to affect the business? Lastly – and I’ll say this jokingly – all of us should go out and play in traffic, be dangerous, and try to understand new digital technologies. If you know nothing about AI, go get educated and understand what controls are operating.
Melissa Pici (Syniverse): My primary piece of advice, especially for smaller audit shops or organizations where they’re trying to figure out what to prioritize, is to find a champion. Find what each person on your team actually enjoys learning about and put them in charge of keeping up with those things and bringing that back to the team.
Greg Boehmer (Deloitte): I recently read a survey from Cybersecurity Ventures that said every 11 seconds, a company falls victim to a ransomware attack. I know I’m speaking to the choir here, but that gets me nervous as a risk management professional in IT. The stakes are so high for us. To stay up with emerging risks, we have to stay current, we have to research, we have to help protect our organizations.
What would you consider some must-haves of any effective IT or cyber risk function? Are there any tools or technologies that you’ve seen that are really transformative or helpful to IT risk organizations?
Greg Boehmer (Deloitte): We must have good policies, good procedures, and good standards. We have to actually put secure controls in place. To give a little shameless plug to AuditBoard here: good technology helps manage a complex environment for IT risk and controls. We can’t, as an organization, manage things on a spreadsheet anymore. I think we’re way past that, and I think there’s a lot of risk in errors and mistakes.
Melissa Pici (Syniverse): It’s critical to engage with people at the level that they’re at. We have to come out of the risk and audit bubble and look at what these individuals are doing in their daily jobs and help them understand how they are a part of the risk landscape.
How do you convey the brand mission and value within your broader organization? How have you been able to effectively position your function for the right amount of investment from leadership within your organization?
Greg Keches (Boston Consulting Group): When you walk into a meeting with your executive team, you shouldn’t feel like you’re dragging favors out of them. It should be collaborative: how can we work together to get 1% better every day? Huge monolithic controls projects might not change the world, but forging better relationships in the business will. You can walk into those meetings and help them think through what controls maturity looks like, what that spend might be over the next five years, and how that limits your organization’s exposure. This creates a developed partnership that you can bring into the years that come.
Melissa Pici (Syniverse): The big thing is connecting the dots. I’ll also give a shout out to AuditBoard when it comes to an integrated risk solution. I love calling it a holistic ecosystem because that’s what it is.