3 Lines of Cyberdefense

Effectively Assessing Information Risks within the Enterprise

By , August 22, 2012.
3 Lines of Cyberdefense
Read Transcript

By combining responsible management, risk management and compliance functions and internal audits, organizations will go far in securing their data and systems, says PricewaterhouseCoopers Partner Carolyn Holcomb.

To succeed, Halcomb says in an interview with Information Security Media Group, internal auditors and business systems owners, including chief information security officers, must collaborate more closely to assure the security of their organizations' data systems.

"Yes, sometimes they continue to talk past each other," says Holcomb, who leads PwC's Risk Assurance Data Protection and Privacy practice. "The terminology can be challenging. The auditors talk about controls, and the CISOs tend to talk about technology. I think both parties do really have to be careful and talk each other's language so they can understand and really get to what each other is saying. That really is important, and it can be improved by both parties understanding the other one's perspective."

Halcomb coauthored a new report from PwC, Fortifying Your Defenses: The Role of Internal Audit in Assuring Data Security and Privacy, which identifies three lines of cyberdefense:

  1. Management: Companies that are good at managing information security risks typically assign responsibility for their security regimes at the highest levels of the organization. Management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
  2. Risk management and Compliance Functions: Risk management functions facilitate and monitor the implementation of effective risk management practices by management, and help risk owners in reporting adequate risk-related information up and down the enterprise.
  3. Internal Audit:. The internal audit function provides objective assurance to the board and executive management on how effectively the organization assesses and manages its risks, including the manner in which the first and second lines of defense operate.

Holcomb says it's vital that internal audits be at least as strong as the management and risk management and compliance functions for critical risk areas. Without internal audits that provide proficient and objective assurance, she says, organizations risk having their information privacy practices becoming inadequate or outmoded. This is a role that internal audit is uniquely positioned to fill, the PwC partner says, but, it must have the support and the resources to match to do so.

Based in Atlanta, Holcomb specializes in IT and business process, and as lead in PwC's Risk Assurance Data Protection and Privacy practice, she assesses and provides recommendations for improving clients' information security and privacy programs in addition to serving as the independent assessor.

A certified information privacy professional and certified public account, Holcomb holds an MBA in business and accounting from the Georgia Institute of Technology and a BS in math from Bucknell University.

Follow Eric Chabrow on Twitter: @GovInfoSecurity

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Could Costs Impede Info-Sharing Plan?

Small and mid-size businesses might not be able to afford participating in voluntary programs to...

Latest Tweets and Mentions

ARTICLE Could Costs Impede Info-Sharing Plan?

Small and mid-size businesses might not be able to afford participating in voluntary programs to...

The ISMG Network