We Don’t Need Enterprise IT?

Among brick-and-mortar corporate functions such as Audit, Finance, Human Resources, Legal, and Public Communications, would Enterprise IT eventually become irrelevant or obsolete?

Some business units argue yes — largely driven by poor past experiences with IT support and system reliability. From lack of agility to bureaucracy and limited business understanding, Enterprise IT has indeed, in many cases, impeded business growth.

Today, technology development and application usage are no longer confined to technology professionals. With the growing maturity and abundance of generative AI, cloud computing and storage, configurable ERPs, RPA, and outsourcing services, business units with embedded IT capabilities (“Business IT”) can readily assemble self-sustaining solutions at a fraction of the cost charged by centralized Enterprise IT. Even for highly specialised areas such as cybersecurity or enterprise architecture, businesses can engage external consultants with a broader and deeper range of expertise than in-house teams.

Another perceived advantage is cost control. Business IT enjoys direct control over technology spending — from headcount to capital and maintenance costs. Subscription-based models allow better management of fixed baseline capacity, while scaling up or down during peak and lull periods without long-term commitments.

Business IT can also eliminate overheads associated with enterprise-wide solutions that are often feature-rich but excessive for specific needs. By selecting best-fit tools, business units become more responsive to functional and technological changes. The result is faster decision-making, shorter product cycles, and increased innovation.

It is therefore unsurprising that many business leaders praise embedded IT teams for their up-to-date business knowledge — an area where Enterprise IT is often perceived to lag behind. Frequent interaction and close proximity foster camaraderie, trust, and a strong sense of technology ownership.

But the picture is not quite so rosy if we look deeper.

A Counter Corporate Perspective
From a corporate standpoint, user-centric services, consistent branding, and enterprise-wide optimisation are often top priorities. Technology solutions that translate into seamless workflows, service efficiency, and product reliability shape user experience and corporate culture. Siloed IT functions with disjointed processes, fragmented data, and inconsistent user interfaces across platforms frustrate users and weaken Board-level governance.

Greater autonomy and decision-making authority also come with additional accountability: security risks, technology obsolescence, vendor dependency, and workforce management. Unfortunately, these responsibilities are often treated as afterthoughts, catching Business IT off-guard.

Cloud services and outsourcing represent delegation, not abdication. Ownership of outcomes, including service disruptions and cyber breaches, remains firmly with the organisation. Even seemingly isolated user complaints or minor system defects often require experienced technologists to identify deeper systemic issues and intervene before larger failures occur.

Single Sourcing Strategy
Technology cost structures are complex, but broadly consist of one-time and recurring costs for hardware, software, maintenance, and services. Basic economics applies: volume purchasing, especially of software licensing, delivers significant cost advantages. A larger enterprise-wide user base can substantially reduce total cost of ownership over time.

The same applies when organisations standardise ERP platforms from a single principal vendor across functions such as HR, Finance, Service Desk, and others.

A self-directed, divide-and-conquer approach erodes corporate purchasing power.

Single Source of Truth
Business workflows are inherently interconnected. When these workflows depend on heterogeneous systems across multiple Business IT units, data becomes fragmented and processes inefficient. A Single Source of Truth, typically enabled through data warehouses, business intelligence platforms, and related technologies, aggregates data from siloed systems.

Its importance cannot be overstated, particularly for high-quality analytics, planning, and decision-making.

Single Data Language
Siloed systems with proprietary data structures, formats, and semantics increase management costs and cybersecurity risk. A data dictionary defines what data means, how it is structured, where it originates, and how it should be used across the enterprise.

It acts as a common language — ensuring consistent understanding and preventing misinterpretation or misuse. As an authoritative reference, it compels data owners to follow consistent lifecycle practices, from creation and modification to retention, backup, and archival.

Single Workforce Governance
Equity in job scope, compensation, and career progression for the same profession is a sensitive corporate issue. Should technologists embedded within non-technical business units operating smaller and less complex environments be placed on the same pay scales as Enterprise IT staff?

Ensuring fair performance evaluation and rewards is particularly challenging. Without enterprise-wide calibration, assessments are prone to leniency, favouritism, and rater bias.

Personnel overheads associated with Business IT can amount to as much as 20% of base compensation, including recruitment, training, coaching, workspace, equipment, and productivity loss from attrition. Technology teams are not self-managing; they require active leadership and mentoring. High-potential performers often leave quickly in search of broader challenges and career advancement, which smaller units struggle to offer due to limited senior roles.

Single Enterprise Architecture
Enterprise architecture is typically a Board-approved artefact. It governs IT strategy and mandates technology standards across the organisation — including endpoints, server platforms, data models, integration patterns, and essential security controls such as VPNs, single sign-on, and multi-factor authentication, whether on-premises or in the cloud.

The objective is to simplify the technology landscape, reduce skills fragmentation, enhance organisational agility, and lower lifecycle costs.

Conclusion
No Enterprise IT ultimately means no governance.

When strategic and technology decisions are made solely in the interests of individual business units, fragmented and territorial behaviours emerge. Teams become unaware or unconcerned about the downstream impact of their decisions on other systems and processes.

With potentially multiple CIOs, AI models, disconnected cyber defences, and divergent business processes, the cumulative cost of decentralised Business IT is often higher than that of a well-run central IT function. The persistent stereotype of Enterprise IT frequently overlooks the operational complexity it manages and the governance gaps that arise not from centralisation itself, but from weak enforcement and unclear accountability.

Copyedit: ChatGPT 5.2

Reshape Audit’s Roles On Cybersecurity

Cybersecurity audits involve unique practices not commonly found in general business audits. These practices focus on specific cyber regulations, security policies, industry frameworks, digital threats, controls, and real-time risk detection, which are distinct from traditional financial or operational audits.

Most cyber audits assess compliance against documented policies, control measures, and procedures, which serve as the baseline for evaluation. Like a report card for the cyber chief, the audit verdict is graded as major or minor findings, non-compliance, or observations for improvement. When no exceptions are noted, a standard disclaimer is often included: “Only samples are taken; the audit does not represent a comprehensive review.” In any case, the outcome tends to be neither encouraging nor insightful, suggesting that checklist-driven audits serve compliance more than they deliver value.

Tech staff, overwhelmed by repetitive audit paperwork, find that compliance checklists often take precedence over addressing emerging threats. Audit tends to check against documents prepared by auditees, which may be incomplete or outdated, thus giving a false sense of security. Moreover, audit observations are often made on finished products, leaving risks exposed for far too long when they should have been addressed during development.

According to the Institute of Internal Auditors’ Three Lines Model, Internal Audit (Audit) assumes the third-line role: providing objective assessments of compliance and assurance, with accountability to the governing body. While independence is essential, it should not hinder Audit’s professional growth or its proactive engagement in addressing potential blind spots overlooked by tech teams. Continuous learning and value addition are key success factors for a transformative audit role. These enable Audit to collaborate with the cyber chief, not as a watchdog but as a partner offering meaningful insight into risk and controls.

Collaborate For Compliance
Concerns about conflict of interest (COI) often discourage collaboration, with the view that audits should not become consulting exercises. The belief that audits must only evaluate, not advise, is unfounded.

Compliance is both a Key Performance Indicator (KPI) and a goal. Unlike KPIs, goals such as achieving Zero Findings represent a shared aspiration between Audit and the cyber chief. Both sides work together toward this ideal. There is no COI because the goal reflects the organization’s broader ambition for a flawless security posture.

A typical KPI, such as the number of findings per audit, may be used to gauge Audit’s performance. More findings might imply diligence and quality work yet simultaneously reflect poorly on the auditee. This apparent contradiction is best resolved by recognizing that KPIs serve diagnostic and process improvement functions, not individual performance evaluation, while goals set the aspirational direction.

Collaborate for Continuous Learning
Cybersecurity presents a steep learning curve for Audit, demanding full-time effort to stay abreast of growing technical complexity. A collaborative role allows Audit to work closely with the cyber chief for continuous learning. Real-life practices, security events, and incidents can reinforce this learning. Together, they can share concerns, align critical controls, and evaluate business impacts to ensure compliance at an optimal level.

AI-assisted audits are maturing, giving Audit greater confidence in this evolving role. Some AI models can now analyze vast amounts of incoming data to detect attack profiles and assess countermeasures in real time. They can identify abnormal authentication patterns like excessive login failures, understand intricate protocols and transactions between servers and clients, and assign appropriate risk levels to findings.
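The “excessive login failures” pattern mentioned above is simple enough that an auditor can see the logic without a trained model. The following is an added example (not code from the original article): it reads constructed sshd-style log lines, counts failed logins per source address in a sliding 60-second window, raises a finding when the count reaches a threshold, and escalates the finding’s risk level when a burst of failures is followed by a successful login from the same source. The log format, the 60-second window, the threshold of five and the two risk bands are all illustrative assumptions.

```python
"""Sliding-window detection of excessive login failures over constructed log lines.

Added example, not from the original article. The log format, window, threshold
and risk bands are assumptions chosen for illustration, not measured values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style, invented for this example).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:04 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:06 sshd: Failed password for root from 203.0.113.7
2024-05-01T09:00:09 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:11 sshd: Failed password for backup from 203.0.113.7
2024-05-01T09:00:13 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:20 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T09:05:00 sshd: Failed password for alice from 198.51.100.2
2024-05-01T09:30:00 sshd: Failed password for alice from 198.51.100.2
2024-05-01T09:30:05 sshd: Accepted password for alice from 198.51.100.2
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed failures-per-window threshold


def parse_line(line):
    """Return (timestamp, outcome, user, src) for one log line, or None if it
    does not match the assumed '<ts> sshd: <Outcome> password for <user> from <src>' shape."""
    parts = line.split()
    if len(parts) < 8 or parts[1] != "sshd:":
        return None
    return datetime.fromisoformat(parts[0]), parts[2], parts[5], parts[7]


def detect_excessive_failures(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per source address whose failed logins reach the
    threshold inside the window. Risk is 'medium' for a burst of failures and
    'high' when a successful login from the same source follows the burst,
    which is the pattern that most deserves an analyst's attention."""
    failures = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)        # src -> usernames tried from that source
    findings = {}                   # src -> finding dict

    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        ts, outcome, user, src = event

        if outcome == "Failed":
            q = failures[src]
            q.append(ts)
            users[src].add(user)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, {"src": src, "failures": 0, "risk": "medium"})
                f["failures"] = max(f["failures"], len(q))   # peak failures in window
        elif outcome == "Accepted":
            q = failures[src]
            # success shortly after a flagged burst: escalate
            if src in findings and q and ts - q[-1] <= window:
                findings[src]["risk"] = "high"

    result = []
    for src, f in findings.items():
        f["users"] = sorted(users[src])
        result.append(f)
    return result


if __name__ == "__main__":
    for finding in detect_excessive_failures(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this yields a single high-risk finding for 203.0.113.7 (six failures across three usernames, then a success), while the two spaced-out failures from 198.51.100.2 stay below the threshold. The same structure extends to other authentication sources by changing only `parse_line`.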

Another practical AI use is code analysis, which flags security loopholes and missing controls for compliance purposes. What was once a “coding myth” is now accessible and intelligible to auditors.

Collaborate For Project Work
The IT project lifecycle includes interconnected stages from planning, design, and development to testing, operations, and eventual decommissioning. Each requires built-in cybersecurity. As the saying goes, a stitch in time saves nine; rework at any stage can be costly and delay time-to-market.

A participative Audit role in project work enables just-in-time guidance, for example, highlighting missing access logs or control gaps that could lead to internal fraud. More importantly, this presents Audit as a value-adding partner rather than a bureaucratic obstacle.

Collaborate In Cyber Drills
A growing number of organizations mandate table-top exercises and cyber drills to prepare business leaders, tech staff, and users to respond to cyberattacks and to be apprised of their roles in service recovery and media communication. However, the planned scenarios in these drills are often limited to staff awareness of known threats, without accounting for unexpected real-life episodes such as absent key personnel, missing resources, or previously undetected breaches that surface during the drill. Audit, with its external perspective, can introduce such realistic variables into the scenario, serving as a reality check that enhances the drill’s effectiveness.

Collaborate for Staff Development
Tech teams struggle to keep up with fast-evolving domains such as cloud computing, virtualization, and generative or agentic AI. Constrained by limited workforce and training budgets, some resort to trial-and-error or stopgap fixes, leaving root causes unresolved.

While we often focus on business or technology risks, we may overlook the underlying issue, or impending risk, of staff competency. Audit, through compliance assessment, can help identify and flag competency gaps, an unconventional yet valuable contribution to workforce development.

Conclusions
The broad scope of audit functions is crucial to keeping stakeholder trust and public confidence in corporate governance. Transitioning Audit into a collaborative role does not mean sacrificing compliance; it means evolving it to be more practical, risk-aware, and value-driven.

AI marks a significant inflection point after years of stagnant checklist-driven audits. It introduces new levels of capability, precision, and adaptability for assessing cyber risks; it enables Audit to rise to a more strategic role in the digital age.

Copyedit: ChatGPT

Becoming an Effective Board on Cybersecurity

A board directorship is a prestigious appointment, signaling public recognition of an individual’s industry expertise, business acumen, and leadership qualities. According to PwC’s 2024 Annual Corporate Director Survey, 13% of board directors reported that their boards had added someone with cybersecurity expertise in the past year. Given a typical term of five years, most corporations should have dedicated board oversight of cyber matters. However, what does it take to be effective?

Among the many cybersecurity challenges, some argue that the board should focus on governance and strategy rather than technology and operations, even though these are integral to cyber safety. Certainly, a sensible approach is that the board neither interferes with daily operations nor loses touch with on-the-ground realities. However, an overly narrow focus on governance and strategy can backfire, overlooking volatile business and operational changes that leave the organization more vulnerable.

In the aftermath of a security breach, every cybersecurity chief is prepared to address the board’s anticipated inquiries: How did it happen? Who is affected? What are the damages? While the report may highlight technical missteps and lessons learned, it often sidelines underlying office politics and unclear risk ownership. To uncover these issues, the board must cut through technical jargon and probe deeper.

Given its fiduciary role, the board is best positioned to confront the most insidious aspects of cybersecurity, such as near misses, risk ownership, peer comparisons, and even the probability of being hacked—critical issues that rarely make it onto the agenda.

Focus on Near Misses
Today, many boards mandate incident updates within 48 to 72 hours. Some require the same for significant cyberattacks on critical services and infrastructure. Analyzing these cases helps identify weaknesses, refine security controls, and prevent future incidents.

Learning from actual incidents, however, is costly and painful, often reflecting poorly on performance. Instead, the board can learn from near misses—situations where threats were detected and mitigated before causing harm. Near misses are positive indicators, encouraging staff to strive for improvement rather than fear repercussions. When risk owners feel less defensive and more receptive to issues raised, the organization benefits. After all, understanding near misses confirms that safeguards are working as intended—or that luck played a role, prompting further scrutiny.

Identify the Risk Owners
Who owns cybersecurity risk? This is a compelling question for the board, yet it has no straightforward answer. While many assume the cybersecurity chief is the risk owner, this perspective is incomplete and can obscure deeper accountability issues within an organization’s hierarchy.

Cybersecurity is a long-tail risk, with repercussions that can span years. Consider a massive personal data breach: the organization could face prolonged lawsuits, hefty regulatory penalties, job losses, and the need for fresh capital to overhaul its defense strategies. Restoring reputation and customer trust could take years. Clearly, no single individual can bear full ownership of these risks.

According to ChatGPT, a risk owner in cybersecurity is responsible for managing and mitigating risks associated with a specific asset, process, data set, or business function—a definition I fully support. For example, corporate infrastructure is a tangible asset, payroll is a financial process, staff training is an HR function, and regulatory compliance falls under legal purview. These risks span multiple business leaders across technology, finance, human resources, and legal and compliance—each of whom is responsible for ensuring compliance and security within their domain.

By setting the tone from the top and clearly assigning ownership, the board can break down silos and prevent disputes over responsibilities in data protection, security controls, and cybersecurity exigencies.

Ask for Peer Comparisons
We are accustomed to grading systems in school, where a pass mark is 50 out of 100. It is appealing to think that cyber risk could be similarly quantified, scored, and benchmarked against peers. Doing so would help align board assessments, track progress, optimize security spending, and negotiate appropriate cyber insurance coverage.

There are tools and services that assess cybersecurity posture by simulating an external threat actor scanning for vulnerabilities. However, since organizations vary in industry, size, technology, risk treatment, and appetite, the self-determined passing mark should be taken with caution. Nonetheless, benchmarking against peers in the same industry provides valuable insights.

Know Your Hacking Probability
When the board is satisfied with regular cybersecurity updates, existing mitigations, and business-as-usual operations, one critical question remains: What is the probability of being hacked in the next 12 months? Since perfect security is unattainable, a data-driven approach offers insight into the likelihood of a breach, potential attack vectors, and staff preparedness.

Simply put, the probability of a successful cyber breach is a function of attack vectors and defensive controls. For example, to model a takeover attack on an administrator account with privileged access, one must consider prevalent attack vectors such as social engineering, malware infections, and password spraying. Then, mitigating measures such as endpoint protection, two-factor authentication, and privileged account management must be factored in. Running simulations over many iterations can yield probabilities of an event occurring within a given timeframe. Nowadays, AI models can further refine risk assessments in complex environments with interdependent variables.
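To make the “function of attack vectors and defensive controls” concrete, here is an added example (not from the original article) that models the administrator-account takeover described above. Each attack vector is given an assumed monthly attempt rate and a per-attempt success probability against an unprotected account; each control is given an assumed list of vectors it mitigates and a fraction of otherwise-successful attempts it stops. The block then computes the 12-month breach probability two ways: analytically, treating successful attempts as a thinned Poisson process so that P(breach) = 1 − exp(−λT) with λ = Σ rate_v · p_v, and by Monte Carlo simulation over many iterations. All rates and effectiveness values are constructed for illustration, not measured data.

```python
"""Breach probability for a privileged-account takeover as a function of attack
vectors and controls. Added example; every numeric parameter is an assumption."""
import math
import random

# Assumed monthly attempt rates and per-attempt success probability against an
# account with no controls in place (illustrative values only).
ATTACK_VECTORS = {
    "social_engineering": {"rate_per_month": 4.0, "base_success": 0.05},
    "malware_infection":  {"rate_per_month": 1.0, "base_success": 0.10},
    "password_spraying":  {"rate_per_month": 2.0, "base_success": 0.02},
}

# Assumed controls: which vectors each one mitigates and the fraction of
# otherwise-successful attempts it stops.
CONTROLS = {
    "endpoint_protection":    {"mitigates": ["malware_infection"], "effectiveness": 0.80},
    "two_factor_auth":        {"mitigates": ["social_engineering", "password_spraying"],
                               "effectiveness": 0.90},
    "privileged_access_mgmt": {"mitigates": ["social_engineering", "malware_infection",
                                             "password_spraying"], "effectiveness": 0.50},
}


def effective_success(vector, controls):
    """Per-attempt success probability after the named controls are applied.
    Controls are assumed independent, so their residuals multiply."""
    p = ATTACK_VECTORS[vector]["base_success"]
    for name in controls:
        c = CONTROLS[name]
        if vector in c["mitigates"]:
            p *= 1.0 - c["effectiveness"]
    return p


def analytic_breach_probability(controls, months=12):
    """P(at least one successful attempt within `months`).
    Attempts arrive as Poisson processes; the successful ones form a thinned
    Poisson process with rate lam = sum(rate_v * p_v), so P = 1 - exp(-lam * T)."""
    lam = sum(v["rate_per_month"] * effective_success(name, controls)
              for name, v in ATTACK_VECTORS.items())
    return 1.0 - math.exp(-lam * months)


def _poisson(rng, lam):
    """Knuth's method for sampling a Poisson count; fine for the small rates here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_breach_probability(controls, months=12, trials=10000, seed=1):
    """Monte Carlo estimate of the same quantity: for each trial, draw the number
    of attempts per vector per month and test each attempt against the
    control-adjusted success probability. Seeded so that results are repeatable."""
    rng = random.Random(seed)
    p_by_vector = {name: effective_success(name, controls) for name in ATTACK_VECTORS}
    breached = 0
    for _ in range(trials):
        hit = False
        for _month in range(months):
            for name, v in ATTACK_VECTORS.items():
                for _attempt in range(_poisson(rng, v["rate_per_month"])):
                    if rng.random() < p_by_vector[name]:
                        hit = True
                        break
                if hit:
                    break
            if hit:
                break
        breached += hit
    return breached / trials


def compare_control_sets(months=12):
    """Breach probability for a few control configurations, for a board-style
    comparison of what each control buys."""
    scenarios = {
        "no_controls": [],
        "without_2fa": ["endpoint_protection", "privileged_access_mgmt"],
        "all_controls": list(CONTROLS),
    }
    return {label: round(analytic_breach_probability(ctrls, months), 3)
            for label, ctrls in scenarios.items()}


if __name__ == "__main__":
    for label, prob in compare_control_sets().items():
        print(f"{label:>13}: {prob:.3f}")
    print("simulated (all controls):",
          round(simulate_breach_probability(list(CONTROLS)), 3))
```

With these assumed inputs the 12-month breach probability falls from roughly 0.98 with no controls to about 0.23 with all three, and the simulation agrees with the closed-form figure to within sampling error. The value of the exercise for a board is less the absolute number than the sensitivity: removing two-factor authentication alone pushes the figure back up to around 0.79, which shows which control the estimate depends on most.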

Conclusion
An effective board is not confined to governance and strategy. It plays a crucial role in fostering a collaborative environment where the cybersecurity chief and risk owners work together cohesively. It must be willing to challenge the status quo and trigger critical thinking. It drives a cultural shift, emphasizing that the best time to strengthen cybersecurity is during periods of stability, rather than waiting for a crisis. We must remain vigilant, ensuring cybersecurity always remains a priority.