Author: Mick Brems
Peter Lynch, the legendary fund manager at Fidelity Investments, was famously quoted as saying “Know what you own and know why you own it.” His focus was on financial investments in stocks, mutual funds, and other financial instruments.
During my time at Fidelity Investments, I leveraged Peter’s philosophy, but my focus was on financial investments in technology. Many CFOs just look at the financial line items that represent what a company is spending on technology and challenge the spending. Historically, technology spend covered the costs of hardware, software, mobile devices, maintenance, etc. Now, with the migration to cloud services and applications, subscription services come into play. CFOs should be in lockstep with the CIO, CISO and risk roles so that they understand, and play a key part in managing, the overall security risk of the company. In larger companies where there are CIOs for individual business units or divisions, each of them should be accountable to the company CIO, CISO and risk officers.
To truly understand technology costs and the security risks associated with those expenses, the areas of Vendor Management, Asset Management and Cyber Security Risk Management should be targeted and managed for risk.
Here are our thoughts on the above target areas:
Vendor Management – The CIO and CISO should have a complete listing of all vendors that provide or support the company’s technology. Each vendor should be vetted and aligned to the company’s strategic goals, and should provide evidence that it complies with the security requirements that apply to the company’s industry.
Asset Management – In addition to an accurate, real-time count of hardware and software assets, there needs to be a ‘full life cycle’ management program. For hardware, that means categorizing every system into a ‘cradle to grave’ cycle. Knowing where a hardware asset sits in that lifecycle provides insight into the overall security state: the lifecycle identifies hardware approaching ‘end-of-life’ as well as ‘end-of-support’, and unsupported systems no longer receive security fixes, which makes them attractive targets. Additionally, a well-managed asset program not only enhances overall company security, it also goes a long way towards reducing the total cost of ownership (TCO) for the company.
Cyber Security Risk Management (patching, security updates, monitoring, role-based management) – From a software perspective, this means accounting for all software used to run the business: which business function uses it, who the vendor is, and what release or patch level is required to comply with the overall security requirements of the business. Defining which roles are permitted to use each application also goes a long way towards a controlled role-based management program; it adds a further layer of security and gives a clear picture of who may be impacted in the event of a breach.
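As an added illustration of the Asset Management and Cyber Security Risk Management points above (this is example code written for this page, not a tool from Arcas Risk Management or from the author), the script below keeps a small hardware and software inventory and answers the questions those two sections raise: which hardware is past, or approaching, end-of-support; which software sits below the patch level the policy requires; and which roles and business function would be affected if a given application were breached. Every asset record, date, version number and role name in it is constructed for the example.

```python
"""Added example: lifecycle, patch-level and role checks over a small asset inventory.
All records below are constructed for illustration; the field and function names
are this example's own, not a product's API."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Set, Tuple


@dataclass
class HardwareAsset:
    asset_id: str
    model: str
    end_of_life: date       # vendor stops selling / actively developing the model
    end_of_support: date    # vendor stops shipping security fixes for it


@dataclass
class SoftwareAsset:
    name: str
    vendor: str
    business_function: str
    installed_version: Tuple[int, ...]
    required_version: Tuple[int, ...]        # minimum release the security policy allows
    permitted_roles: Set[str] = field(default_factory=set)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1). Comparing tuples of ints orders releases correctly;
    comparing the raw strings would wrongly rank '10.0.0' below '9.0.0'."""
    return tuple(int(part) for part in text.split("."))


def lifecycle_stage(asset: HardwareAsset, today: date) -> str:
    """'cradle to grave' stage of a hardware asset as of `today`."""
    if today >= asset.end_of_support:
        return "unsupported"        # no more security fixes: highest exposure
    if today >= asset.end_of_life:
        return "end-of-life"        # still patched, but replacement must be planned
    return "supported"


def approaching_end_of_support(hardware: List[HardwareAsset], today: date,
                               horizon_days: int = 180) -> List[str]:
    """Asset IDs already unsupported or reaching end-of-support within the horizon."""
    cutoff = today + timedelta(days=horizon_days)
    return sorted(a.asset_id for a in hardware if a.end_of_support <= cutoff)


def below_required_patch_level(software: List[SoftwareAsset]) -> List[str]:
    """Applications whose installed release is older than the policy minimum."""
    return sorted(s.name for s in software if s.installed_version < s.required_version)


def is_permitted(software: List[SoftwareAsset], name: str, role: str) -> bool:
    """Role-based check: may `role` use the application called `name`?"""
    return any(s.name == name and role in s.permitted_roles for s in software)


def breach_blast_radius(software: List[SoftwareAsset], name: str) -> Tuple[str, List[str]]:
    """Business function and roles impacted if the named application is breached."""
    for s in software:
        if s.name == name:
            return s.business_function, sorted(s.permitted_roles)
    raise KeyError(f"{name} is not in the software inventory")


# Constructed inventory (not real assets) and a fixed 'today' so results are stable.
TODAY = date(2025, 3, 1)
HARDWARE = [
    HardwareAsset("hw-001", "Edge router", date(2023, 1, 1), date(2025, 6, 30)),
    HardwareAsset("hw-002", "Branch switch", date(2026, 1, 1), date(2029, 1, 1)),
    HardwareAsset("hw-003", "Legacy file server", date(2021, 1, 1), date(2023, 12, 31)),
]
SOFTWARE = [
    SoftwareAsset("Ledger", "ExampleVendor", "Finance",
                  parse_version("4.2.1"), parse_version("4.2.0"),
                  {"finance-analyst", "finance-admin"}),
    SoftwareAsset("HR Portal", "ExampleVendor", "Human Resources",
                  parse_version("2.8.0"), parse_version("3.0.0"),
                  {"hr-admin"}),
]


if __name__ == "__main__":
    for asset in HARDWARE:
        print(f"{asset.asset_id:8} {asset.model:20} {lifecycle_stage(asset, TODAY)}")
    print("end-of-support within 180 days:", approaching_end_of_support(HARDWARE, TODAY))
    print("below required patch level:", below_required_patch_level(SOFTWARE))
    print("breach of HR Portal impacts:", breach_blast_radius(SOFTWARE, "HR Portal"))
```

Run as-is it reports the edge router as end-of-life, the legacy file server as unsupported, both of them in the 180-day end-of-support list, and the HR Portal as below its required release; feeding it a real inventory export means replacing the constructed lists with records from the company's CMDB or software asset tool.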
If you would like to better understand the risks and compliance associated with these areas, please reach out to Arcas Risk Management.