EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 62, 2020 - Issue 3
Abstract

As companies (board members, senior management, risk and information technology managers) strive to grow while strengthening reputation, minimizing security incidents, and preparing for and responding to them, they often find themselves struggling with the cybersecurity approaches they thought would help. Unlike Avengers and Captain Marvel, theirs is a losing endgame. As cyber threats and attacks become more sophisticated, this article first explains how daily struggles cannot be fixed just by better implementation. Why? Because so many struggles are caused by structural, not implementation, flaws. Thus, structural flaws must be fixed. Second, it points to a better endgame: using proven business management methods to simplify complexity and improve outcomes, especially Total Quality Management and innovation initiatives. Third, because change is challenging, the article offers backstories, tips and engaging questions to make it easier for leaders to manage daily operations amidst shifting priorities while fostering transformation in the spirit of innovation.

Acknowledgments

This article was written specifically for EDPACS readers, adapted from several objectives-acceleration workshops of ValueBridge Advisors, LLC and content originally included in The Operational Risk Handbook.

Notes

1. Explanation of film industry Q Scores https://www.qscores.com/.

2. Here, “hygiene” does not refer to security activities such as better firewall management or having end-users watch security videos or individual IT actions. It refers to the good use of IT service management processes, such as those described in COBIT or ITIL (https://www.axelos.com/about-axelos).

3. The Life of Reason: The Phases of Human Progress (1905–1906), Vol. I, Reason in Common Sense, http://www.gutenberg.org/files/15000/15000-h/15000-h.htm.

4. Harold Evans’ much-praised book https://www.amazon.com/They-Made-America-Centuries-Innovators/dp/0316277665/. A PBS series was also based on the book.

6. As featured on history-computer.com https://history-computer.com/Dreamers/Evans.html.

9. Lee, T. A. “The Historical Development of Internal Control from the Earliest Times to the End of the Seventeenth Century.” Journal of Accounting Research, vol. 9, no. 1, 1971, pp. 150–157. JSTOR, www.jstor.org/stable/2490208.

10. Hay, David. “INTERNAL CONTROL: HOW IT EVOLVED IN FOUR ENGLISH-SPEAKING COUNTRIES.” The Accounting Historians Journal, vol. 20, no. 1, 1993, pp. 79–102. JSTOR, www.jstor.org/stable/40698098.

13. The Introduction of “Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934” included a historical review of “reasonable assurance” (https://www.sec.gov/rules/interp/2007/33-8810fr.pdf), starting with the FCPA definition “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The PCAOB’s Auditing Standard 1015.10 states, “Although not absolute assurance, reasonable assurance is a high level of assurance.” https://pcaobus.org/Standards/Auditing/Pages/default.aspx.

18. Michael Cangemi was also the International President of ISACA http://raw.rutgers.edu/carlab/cangemi.html. He is author of Managing the Audit Function, 3rd Edition, with translations in Chinese and Serbian, https://www.amazon.com/Managing-Audit-Function-Department-Procedures-ebook/dp/B001GNBWPW/ and of a seminal work on continuous monitoring https://www.researchgate.net/publication/239315112_Internal_Audit’s_Role_in_Continuous_Monitoring.

19. From coso.org, “COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting.” Note the emphasis on “causal.”

20. The IIA Glossary, “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.”

22. The IIA Glossary from “Control Processes”.

23. SEC/PCAOB Appendix A, Illustrative Reports on Internal Control over Financial Reporting https://www.sec.gov/rules/pcaob/34-49544-appendixa.pdf.

24. The IIA Glossary, adapted from “Control Processes”.

25. SEC Release No. 34–54122; File No. S7-11-06.

28. https://www.sec.gov/rules/interp/2007/33-8810fr.pdf. The SEC staff added a caution about the “… unintended consequence of establishing ‘bright line’ or ‘one-size fits all’ evaluation approaches.” https://www.sec.gov/news/speech/2007/spch052307zvp.htm.

29. Daniel Goelzer is a retired partner in the law firm of Baker McKenzie. He is a member of the Sustainability Accounting Standards Board and advises a Big Four accounting firm on audit quality issues. From 2002 to 2012, he was a member of the Public Company Accounting Oversight Board and served as Acting PCAOB Chair from August 2009 through January 2011. From 1983 to 1990, he was General Counsel of the Securities and Exchange Commission. Mr. Goelzer is a CPA and a lawyer.

30. http://www.dgoelzer.com/.

31. For example, see this IBM presentation. IBM collaborated with Cisco, Microsoft and various others in similar approaches http://public.dhe.ibm.com/software/cn/tivoli/download/whitepapers/wp-autonomic-guide.pdf.

33. Life-like, robust scenario analysis and the risk evaluation outcomes-accelerator workshop are discussed in two sections of The Operational Risk Handbook (Harriman House, Great Britain, 2011) by Brian G. Barnier. www.brianbarnier.com.

34. Why Controls Have Become Wasteful, False Sense of Security, and Dangerously Distracting—and How to Fix it, Taylor & Francis EDPACS, May 2015 by Brian Barnier https://www.tandfonline.com/doi/abs/10.1080/07366981.2015.1041815.

Additional information

Notes on contributors

Brian Barnier

Brian Barnier is a director at ValueBridge Advisors, helping leaders manage risk to growth. He has served on ISACA bodies that created Risk IT and COBIT5, co-chair of the OCEG Steering Committee, and an editorial panel member of EDPACS and ISACA Journal. He has been a non-profit audit committee chair. In prior roles, he was at IBM, Lucent (now Nokia), and Ameritech (once and again part of AT&T), across which he led teams to nine patents. He is a frequent keynote speaker and workshop teacher. He is the author of The Operational Risk Handbook (Harriman House, Great Britain, 2011), a contributor to Risk Management in Finance (Wiley, 2009) and Risk and Performance Management: A Guide for Government Decision Makers (Wiley, 2014), and author of over 100 articles. He can be reached at [email protected].

Prachee Kale

Prachee Kale is a director in diverse talent management and advancement at a mid-sized financial markets firm. She was previously the director of strategy and program management in the risk department, where she was responsible for Cybersecurity and Information Security initiatives. She successfully implemented sound program and budget management practices, drove long-overdue projects to completion, and significantly cut spend. She spent a decade at a Big 4 consulting for financial services firms where she focused on strategic business and technology transformations and regulatory requirements. Prior to that she was at the World Bank. An influencer and conversationalist, she has helped stakeholders navigate corporate governance boundaries, develop partnerships and manage change associated with high impact efforts.
