IT Auditing to Manage Cybersecurity Risks and Security ComplianceBy Jan Hogewoning | Wed, 11/25/2020 - 18:02
Q: What is the role of an IT auditor?
A: IT auditors assist organizations confirming that governance and internal controls built into business and IT processes, as well as those configured in IT assets and infrastructure, exists, are reliable and are working as expected. We verify that operational and control frameworks put in place within an organization meet critical data requirements such as completeness, accuracy, integrity, confidentiality, availability and compliance. In addition, we identify areas for enhancing the performance of business and IT processes. The role of IT Auditors is critical during the current trend of digital transformation in which their participation can assist organizations with the design and development of security and privacy practices during the development of such projects. With the intensive and ever-expanding use of the internet by companies and institutions of all kinds and sizes, the role of IT auditors requires a different set of skills to complement their professional profile. New business models supported by cloud computing, artificial intelligence, data analytics and other internet-based models, as well as new regulations protecting consumers data rights, have required our company to develop such capacities. During the last eight years, we have focused more on cybersecurity and data privacy consulting engagements.
Q: Who are your clients in Mexico?
A: We have few clients in Mexico, however, we have worked with several US-based companies with operations in the Mexican oil and gas sector primarily. I was born, grew up and worked in Mexico. My career started as IT auditor and through the years I became the chief audit executive for the leading public company in the petrochemical sector in Mexico.
What we have observed is that many companies in Mexico still struggle to manage cybersecurity risks and security compliance. Often, companies that have strong controls in place are subsidiaries of larger multinationals. We are exploring a way to bring our team and our skills to companies in Mexico and Latin America.
Q: What is behind the weak management of cybersecurity risks and security compliance?
A: The most important part is education. Education and awareness should start at the top of the company, in order to set the tone to address cybersecurity risks throughout the organization. Generally, this is one of our first activities assisting clients. We look forward to offering this type of sessions to key C-level executives at our cost. Ideally, a company includes the discussion and monitoring of cybersecurity and privacy risk within their overall risk management strategy since these should be managed as business risks owned and managed by the business side and not IT.
Companies that make intensive use of credit card payments, for example, need to comply with payment card industry data security standards (PCI DSS). We have assisted our clients with their compliance efforts as well as enhancements to their overall Card Data Environment (CDE).
Regarding data privacy, there are many European subsidiaries in Mexico that have to comply with GDPR requirements. In the case of a California-based company, they will have to comply with CCPA. We have developed our service offerings to fulfill the requirements of these and other regulations and based our practices on general accepted standards and practices such as NIST, CobiT and ISO: 27000 among others.
Q: What is your view on partnering with local companies to offer services together?
A: ERGO CG is a small consulting firm. However, we have won very important contracts as a result of building strong partnerships and our proven qualifications and experience. We frequently design and build delivery teams with other firms, in order to maximize benefits and optimize cost for our clients. One example of a potential partnership could be with a local accounting firm that currently does not provide advice to clients on cybersecurity and data privacy risks but that already has a presence within the country and Latin America. The first step will be to develop the business case among both management teams and establish a collaboration agreement. This would mean that we would not have to start from zero in Mexico. There are other large companies in Mexico that deliver IT auditing, cybersecurity and data privacy professional services such as the big consulting firms, however; Mexico is a very large market and there are always opportunities, particularly in the midsize segment.
Q: Where do you see an opportunity to provide your services?
A: We see an opportunity in the education sector, public or private, state and municipal government, as well as within the healthcare and mid-market corporations in any industry.
In the public sector there are many state and municipal bodies that need help. A trend in the US is that small-town governments are being targeted with ransomware. Many of them are forced to pay out since the overall cost of recovery from the attack could be x times higher. These entities suffer the same situation as many small and mid-size businesses, a lack of resources and skills to protect from these risks.
Q: What do you think should improve in terms of legal framework for cybersecurity in Mexico?
A: I believe consumers, chambers of commerce and educational organizations should require the authorities and/or industries to develop more comprehensive laws and regulations and enforce them. In the future, this will most likely happen. Until then, companies are going to lack an incentive to act, unless they are affected badly by a cyberattack.
Ergo Consulting Group helps companies with the implementation and delivery of strategies, assessments and enhancement activities to manage business and IT risks, improve operational and control frameworks and comply with laws and regulations.