You didn’t go into business to manage cybersecurity. Still, your business needs to manage cybersecurity if it manages data — and almost every business manages data.
Data comes with risks that spill far beyond technology. “If you identify cybersecurity as strictly an IT domain, then you’re doing it wrong,” said Grant Thornton Principal and Forensic Technology Practice Leader Johnny Lee. “Properly considered, it’s a category of enterprise risk.”
For instance, professional services firms often receive, transmit and hold client data that are far more sensitive than some or all of their own records. These client data might be subject to various privacy regimes and regulatory obligations, depending on the clients the firm serves — and these obligations extend to the professional services firm, either through contractual obligation or good business practice. Yet, the firm’s technology providers, such as cloud-hosting platforms, usually have agreements that explicitly state that the use of their solutions does not indemnify against compromises of the data hosted there.
“If you identify cybersecurity as strictly an IT domain, then you’re doing it wrong… it’s a category of enterprise risk.” — Johnny Lee
Grant Thornton Principal & Forensic Technology Practice Leader
As the saying goes, “You can outsource the process, but not the risk.”
This combination of factors means that professional services firms must ultimately manage their own cybersecurity, even if their IT infrastructure is outsourced to third parties. Lee explained, “A professional services firm’s exposure is higher because they may represent or work with clients that are beholden to a stringent statutory regime and/or fiduciary obligations.” This risk-inheritance dynamic can be significant.
The risks behind cybersecurity Often, firms struggle to manage their inherited risks with in-house resources. “In a law firm with 20 attorneys, it would be unusual to have an IT staff of more than one or two full-time employees,” Lee said.” A firm of that size may not be able to afford practitioners that are adept at both IT operations and information security, especially in the past decade’s shortages of available cybersecurity talent,” Lee said. “I think small to mid-sized businesses assume that IT practitioners have all manner of technology skills, but the fact is that operations and security are markedly different skill sets, each requiring years of study and experience.” These market realities force many businesses to seek outside cybersecurity solutions.
But these realities also require a careful approach. If a business chooses to co-source or outsource its cybersecurity to a third party, that business must ensure that the third party addresses unique risks in a meaningful way. As Lee put it, “We learned this over 30 years ago. If you outsource a broken process, it merely breaks faster and in ways that are more occult to the organization.”
Your cybersecurity provider must be a true partner, where the relationship is grounded in both cost considerations and risk management — especially data privacy and security risk management. If your provider does not understand your obligations and the risks you inherit from your clients, it cannot help you manage those obligations and risks. “With cybersecurity in particular, it’s imperative to think both proactively and reactively. Your provider should articulate how it employs best practices for information security proactively and how it handles reactive incident response,” Lee said. Depending on the data you store, you might also need a provider with demonstrable capabilities in regulatory compliance, fiduciary obligations, industry trends and other areas.
For example, the Department of Labor recently clarified its cybersecurity expectations for benefit plan providers and administrators. “Such clarifications often precede enforcement actions,” Lee said. Lee recently spoke to a plan provider that was reviewing its cybersecurity program in light of the new guidance. “If we’d only involved technology resources, we would have missed the mark. We needed to respond with practitioners who understand fiduciary responsibilities of this kind, as well as the statutory regime in which these responsibilities arise,” Lee said. “So, on that call, we had practitioners from our tax practice with long histories of working with and for the Department of Labor. These practitioners, along with our forensic expertise, provided a grounded functional and technical perspective that homed in on what the Department really wants to know.” This multi-disciplinary approach yields the best and most durable approach — especially when the team combines cybersecurity services with industry and regulatory expertise.
Collaborative cybersecurity Even within the arena of cybersecurity, multiple disciplines are sometimes at odds with each other, Lee said. Most cybersecurity providers focus either on proactive best-practice advisory work or on reactive forensic work.
“A holistic view, informed by forensic investigative work and proactive advisory work, serves businesses best.” — Johnny Lee
Grant Thornton Principal & Forensic Technology Practice Leader
“A holistic view, informed by actual forensic investigative work and proactive advisory work, serves businesses best,” Lee said. Businesses need to be ready to respond to cybersecurity incidents, and they need to proactively secure, monitor and periodically revisit the controls environment with an independent assessor. They need to ensure that the way they defend the environment is appropriate for the ever-changing landscape within the environment and outside of it.
“If you work with someone who explains that to you, and collaborates with you to both identify and address relevant risks, then you are managing your risk properly,” Lee said. “Moreover, you’re managing risk in a manner that lets you demonstrate your diligence and meet your client responsibilities and your statutory requirements.”
The key to cybersecurity resilience Cybersecurity has always been a risk management domain. Lee said, “The goal of cybersecurity isn’t perfect defense; it’s resilience to events that will, at some point, occur.”
To achieve resilience, businesses must identify cybersecurity risk for what it is: a threat to the enterprise. Like any enterprise threat, the proper response involves the engagement of a multidisciplinary team.
“As we’ve seen from the last five to six years in our cyber forensics work, the companies that are truly resilient — that are able to bounce back from a severe cyber incident — are the ones that planned for it,” Lee said. “Part of that preparation is the recognition that cybersecurity is not exclusively an IT domain. It is a category of enterprise risk.”
Principal & Forensic Technology Practice Leader
T +1 404 704 0144