A Cyber Risk control approach based on a financial control model

A Cyber Risk control approach based on a financial control model

As part of the launch of the new version of our CyberRisk CISO-360 Control tool and methodology, Eficio is launching a Cyber Security folder for Managers. Through these six articles, we are addressing managers who are concerned about cyber risks and their associated impacts. Like an independent financial audit report, an organization should also obtain an independent view from an external expert on the organization’s posture in the face of cyber risks. Our series of articles explains the functions of cybersecurity while drawing an innovative parallel with an organization’s financial controls. 

Pierre Farley
Eficio Partner and CIO

Accurate and reliable financial information is essential to the good management of an organization. External financial controllers have tools to validate the accuracy and compliance of financial statements so that they represent a true financial image of the organization. Depending on the type of audit report, the external auditors will make a neutral assessment of the state of affairs.

There is a parallel to be drawn between an accounting certification and the management of CyberRisk. In both cases, the use of an accounting standard or the use of a cybersecurity standard allows standardization in the interpretation of results, without leaving this to the discretion of an internal controller. These standards protect shareholders and creditors. Like accounting standards, CyberRisk management has its own standards (NIST, CIS, SOC, ISO27001). In addition, the application of such a Cybersecurity standard provides a framework allowing organizations to standardize good practices without being limited to informal knowledge within the organization.

Just like an audit mission or accounting review mission, an external or certified CyberRisk audit ensures that the posture and knowledge of the risk are known to executives. This offers a real balance sheet of the organization. Shareholders, creditors, insurers, and especially customers are pushing for the implementation of cyber hygiene. Among other things, the customers of an organization adopting security governance themselves impose the equivalent on their suppliers. At Eficio, this is a phenomenon we see frequently.

For all these reasons, managers inevitably focus on CyberRisk management and seek a solution allowing them to know and, above all, understand the risks to which they are exposed. They want to participate in the assessment of acceptable risk and in decision-making to allocate budgets with full knowledge.

Cybersecurity is complex, technical, and evolving. Executives know how to read a financial report but not necessarily a cybersecurity report. Eficio understands these issues and we have put in place a complete methodology to respond to and popularize this complexity and help decision-making.

Since 2014, Eficio has delivered numerous IT diagnostics (CIO 360). Based on this great experience, we have adopted a specific approach to CyberRisk, the CISO-360 CyberRisk Control. This CyberRisk control diagnosis promotes a neutral, agnostic approach that makes it possible to assess the cybersecurity posture and provide an update on the evolution of risks. The results target two audiences: the cybersecurity team and executives.

At Eficio, our CISO-360 Cyber Risk Control projects are always carried out by expert information security executives. One of our chief information security officers (CISO-Chief Information Security Officer) will be able to present the results to you in a clear and transparent manner. Our approach goes far beyond a simple tactical validation of your cybersecurity program. We approach cybersecurity as risk management by assessing the potential impact for your organization. We will propose both tactical and strategic solutions, giving you ways to remedy the situation according to the context of your organization. 

We will, therefore, present this file to you with a series of articles covering the five main functions of cybersecurity. For each of them, we will discuss the cybersecurity aspect, including Law 25 on the protection of personal information. Topics will cover:

• Identify

• Protect

• Detect

• Respond

• Recover

If you want to react to this article or obtain more information, do not hesitate to contact Eficio.

Subscribe to the Eficio newsletter and be the first to receive our updates!