What We Have Learnt Building a Global Security Conscious Culture
By Nicola McCoy, Chief Information Security Officer at RSM International
The growing cyber risk is impacting global businesses of all shapes and sizes as ‘bad actors’ develop more sophisticated and coordinated attacks. Building a comprehensive cyber defence has never been more important. However, it requires an understanding of the inner workings of an enterprise, the breaking down of departmental silos, and analysis of the organisation’s entire supply chain, and this is not always simple.
Achieving this in a company that operates in multiple jurisdictions or has a group or network structure for example can be complex and increases the need for transparency of interdependencies and differences across operating jurisdictions. In short, creating a security conscious culture across a varied global network, like the one I represent at RSM International, presents some unique challenges and risk management responses.
Cyber security professionals must look beyond purely technology threats and think holistically about the ‘capabilities’ that underpin how they operate and deliver work to their clients to identify high priority risks. By capabilities, I mean the people, processes, technologies and supplier relationships that enable a business to run and grow. Once you have a true understanding of these fundamental elements, interdependencies, risks and impact, you can assess where the threats and weaknesses among them lie and balance where you need to remediate and invest.
The transformation era
At RSM, we talk a great deal about the ‘The Transformation Era’: a time when businesses, governments and communities are focused on post-COVID-19 recovery through digital-first, data-driven technological solutions. As a global organisation, RSM has over the years focused on accelerating the transformation of its entire network while supporting clients of our member firms transform for future growth. Today we are building on our existing agility and resilience by putting in place new technologies to deepen our dedication to quality across the more than 860 offices within our growing network of independent firms.
The adoption of new technology and a continuous focus on innovation is the key to all organisations moving forward, yet it also opens up new areas of risk. It is essential that leaders build a security conscious culture and reinforce it constantly though knowledge sharing and best practice. RSM firms around the world are embracing innovations like AI, big data and automation that can help plug skills gaps created by the great resignation, reduce reliance on manual processes to free-up our experts to focus on more exciting project work, and create new possibilities for businesses.
Emerging technologies and the risk of remote working
New technologies enable these possibilities, but they also create access points, data sources, vulnerabilities and gaps that can be exploited by criminals. It is critical that any decision to implement new technology has security front of mind. To ensure growth and competitive advantages it is important not to slow the pace of innovation and instead continue to enhance our business capabilities. It is also important to ensure the appropriate due diligence checks are carried out so that new solutions designed to help a business do not actually end up causing a negative impact instead.
Another technology risk relates to an organisation’s people and, specifically, the risk that comes from catering to employees’ newly acquired expectations around remote and flexible working. A businesses’ digital infrastructure and data risk now extends into people’s homes and personal devices; the need for up-to-date and tailored training, as well as the skills to embed robust systems and processes into the organisation, has never been more important if this is not to become an easy target for criminals.
Global risk exposure in the supply chain
Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
Businesses transact with, rely upon and share risk with suppliers every day. But how many leaders in board rooms know what is really happening on the ground? A recent survey conducted by one of our members, RSM UK, revealed that business leaders are experiencing successful cyber-attacks in greater numbers (up to 27% in 2022 from only 20% in 2021). Perhaps even more worryingly, the survey found that a third of business leaders admit their board does not understand the cyber landscape enough.
Data managed or processed by a third party is subject to the same security requirements as information which is directly held; a successful attack further down the supply chain would be a critical governance issue for the client in just the same way as one that occurs closer to home – with the same financial and reputational implications among the investors and clients who hold the company to account.
Any organisation with global offices, affiliates or partnerships must make itself acutely aware of supply chain cyber risk. It should determine its level of exposure; identify the controls it can use for mitigation and make sure these are embedded into supplier contracts. It should also investigate all aspects of its suppliers’ procedures and operations, from how they store and secure their data; to how they train and vet the employees who have access to it. Backups, encryption standards, audit trails, incident response plans and business continuity contingencies are among the many factors that should be considered.
Furthermore, building in regular reviews of the supplier, including determining if overdependency on a single supplier, is also key and should be balanced in accordance with the relative impact and criticality of the service they are providing.
Building a universal security conscious culture
What all these examples have in common is the rapid change they are undergoing in terms of how businesses use them to operate and work. Because of this, we have long understood the importance of embedding these changes within our overall risk framework. As a growing global organisation, at RSM, we consider cyber risk across our whole organisation and share best practice through working groups and internal training events to ensure consistency in processes, systems and approach to security.
Those capabilities could be the technology we adopt, the ways in which our employees choose to work or the integrity with which the suppliers who support our operations manage their own systems. They are the things that are required to make an organisation successful. And they are also the areas where we should be looking for risks so we can safeguard against them with robust systems, training, policies and skills.
As a global organisation, RSM’s core objective is to bring our team of 51,000 professionals even closer together and to support the provision of cross-border services to clients. While global policies and procedures are fundamental to us working cohesively, true collaboration only comes when the collective shares the same values and vision for the future, as well as best practice like robust cyber defence and security protocols. This is a truly exciting part of my role as the Chief Information Security Officer for one of the world’s largest networks of independent audit, tax and consulting firms.
About the Author
Nicola McCoy is Chief Information Security Officer at RSM International, the world’s 6th largest Network of independent audit, tax and consulting advisers focused on the global middle market.
Nicola can be reached online on LinkedIn and at our company website RSM Global | Audit Tax and Consulting Services.