Dans mes derniers articles Les CEO et l’angle mort des cybercrimes et Les CEO et les cybercrimes, les solutions, je présentais plusieurs des types de risques que confrontent les organisations, les problèmes de communications CEO-CIO, les problèmes de perception de la cybercriminalité des CEO, de l’audit de sécurité et de l’importance d’avoir un CISO (chief information security officer). Aujourd’hui, je 
continuerai à vous parler de solutions proactives de gestion des risques en vous présentant le CRO (Chief Risk Officer). Depuis un bon moment, les institutions financières se sont dotées d’un tel officier dans leurs organisations. Ils n’ont pas eu le choix étant donné les accords de Basel, Sarbanes-Oxley et le rapport Turnbull. Initialement le rôle du CRO était de prémunir les organisations contre les risques associés à l’évolution des cadres règlementaires imposés aux institutions financières. Puis, ces CRO ont aussi commencé à analyser les audits internes, les couvertures d’assurances, la détection de fraude, les investigations corporatives et… la sécurité de l’information. C’est de ce dernier point que je vous parlerai aujourd’hui.
https://en.wikipedia.org/wiki/Basel_Accords
https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act
https://en.wikipedia.org/wiki/Turnbull_Report
https://en.wikipedia.org/wiki/Information_security
La sécurité de l’information (aussi nommé infosec) elle-même a grandement évolué au fil des ans. Elle s’intéressait d’abord à la sûreté, la garantie, et la protection d’une donnée ou d’une information, pour évoluer vers ces mêmes activités, de formes numériques. Ainsi, le CRO est venu à s’intéresser aux télécommunications, logiciels, équipements informatiques, réseaux, hébergement, base de données, mobilité, cryptage, processus de sécurité physique et humain, menaces terroristes, environnementales, à la protection des données personnelles et vie privée, au cadre juridique et aux assurances diverses. Disons que tout d’un coup, l’assiette commençait à être pleine.
Another huge concern that was virtually unknown just a few decades ago is cybercrime, particularly the threat of hacking by those interested in stealing company secrets or customer data. According to a 2014 report from the Center for Strategic and International Studies, cybercrime drains some $375 billion to $575 billion per year from the global economy.
In recent years, data breaches at major companies in several different industries have cost CEOs their jobs. The risks intensify when companies merge and integrate their IT systems. A BCG report in February noted, « While these concerns hold true for all companies, they are acute in A&D [aerospace & defense], in which companies often are dealing with issues of national security. »
https://www.forbes.com/sites/haroldsirkin/2016/03/07/if-you-dont-have-a-chief-risk-officer-get-one/#192adb36244b
Comme la dimension technologique de cette nouvelle fonction du CRO devenait majeure, tout naturellement le premier réflexe a été de travailler avec les fournisseurs informatiques usuels de l’organisation. Ils pouvaient fournir antivirus, pare-feu et autres « parades » informatiques. Cependant, les menaces ayant évolué de manière fulgurante, la vision des menaces sous l’œil strictement informatique est maintenant loin de suffire.
An enterprise-wide approach
While cybersecurity was once relegated to a technical or operational issue handled by IT, a cross-departmental, enterprisewide approach to cybersecurity is necessary, according to the Cyber-Risk Oversight, Directors Handbook Series, produced by the NACD. The publication suggests that cybersecurity should be evaluated and managed in the same manner as the organization considers physical security of human and physical assets.
https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2015/BAS-FEI-CFO-whitepaper-150605FIN.ashx
Puis le CFO étant le grand manitou du « cash » qui peut entrer ou sortir (surtout en cas de risque avéré) 
de l’organisation, il se tourna tout naturellement vers ses conseillers financiers historiques que sont les CPA et les grandes firmes-conseil en gestion. Après tout, ils ont déjà l’habitude des audits et prétendent détenir l’expertise en gestion des risques informatiques. Donc les organisations se sont principalement tournées vers ceux qui fournissent le matériel et le logiciel pour critiquer leurs propres produits et services et verts les grands bureaux comptables qui à leur tour, analyseront les défaillances de leurs propres prestations professionnelles. Il y a ici comme un chien qui se mord la queue… D’ailleurs, les firmes comptables elles-mêmes semblent avoir de la difficulté à gérer leurs propres risques informatiques.
New research shows yet again, accountants are taking sometimes potentially disastrous risks with their firms and – worse – with their clients.
The recent “Accounting Firm Operations and Technology Survey,” published by CPA Trendlines Research, shows these risks go beyond merely “falling behind” the technology curve because of traditionally penny-wise, pound-foolish spending. At one time, “falling behind” risked obsolescence, or worse, maybe irrelevance – either of which was a business risk, but a risk that could only be measured by benchmarking against “the competition,” whatever that was.
Today accounting firms are taking on a whole new category of risk – the risk of sudden, unforeseen and irrecoverable disaster. The black swan event.
http://www.accountingweb.com/community-voice/blogs/rick-telberg/accounting-firm-tech-systems-are-weak
D’autres organisations ayant plus de flair ont décidé d’internaliser le rôle du CRO. C’était déjà un pas dans la bonne direction. Cependant, cette solution a elle aussi ses écueils, dont le risque de créer une tension évidente entre ce détective des risques et l’inertie et la culpabilité inhérente à ceux qui deviendraient possiblement coupables de manquement ou de faiblesse. On parle donc du problème « d’indépendance ».
Formal reporting lines may vary across banks, but regardless of these reporting lines, the independence of the CRO is paramount.
While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the board and its risk committee without impediment.
Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions.
Interaction between the CRO and the board should occur regularly and be documented adequately.
Non-executive board members should have the right to meet regularly – in the absence of senior management – with the CRO.
http://www.chief-risk-officer.com/
Successful CROs acknowledge the possible tension with their new peers and look for opportunities to show that their position can complement what the CFO and CAE already do, take some of the load off their already full plates, and create synergies that benefit the organization and the CFO and CAE. What does the new CRO get from taking this cooperative and conciliatory approach? The CRO gains two strong allies and proponents for ERM and support for creating a risk aware culture, as well as the insights he or she will need to do the job most effectively.
https://web.archive.org/web/20060517033324/http://www.rmmag.com/Magazine/PrintTemplate.cfm?AID=2855
Pour toutes ces raisons, nous demeurons convaincus que le CRO a tout avantage à être quelqu’un d’externe à l’organisation et que de surcroit, il se doit d’avoir l’expérience, la méthodologie et l’expertise technologique, financière, de gestion. Plusieurs organisations (dont celle de votre humble serviteur) se spécialisent dans la gestion et l’analyse des risques organisationnels, sans avoir le parti pris d’être fournisseur technologique ou de service-conseils comptables. Si toutefois l’option d’internaliser le CRO dans votre organisation, nous pourrons aussi certainement lui transférer les connaissances et l’expertise nécessaire à l’accomplissement de cette mission plus que stratégique.
Questions for the CIO Before an attack
- What are our major IT risks? Do we understand them? How do these compare with other enterprise risks?
- What is our mechanism for reviewing major IT risks and adjusting defence strategies accordingly?
- What are our most critical data elements? Where are they held within our enterprise or partner data system? How are we protecting them? What is our approach to cloud computing?
- Have we evaluated our supply-chain risk?
- Do we have a social media policy? Are all employees trained on it? How do we monitor its application?
- Do we have daily cyber threat intelligence/information that is customized for our environment and systems so we can prepare for threats before they strike?
- What is our response plan in the event of a cyber breach? Do we have access to professional cyber incident responders – internally or through service providers – who can help us manage and contain a breach? Do we know who to call in the government and law enforcement communities for assistance? How would you evaluate our business continuity program?
http://www.ceocouncil.ca/wp-content/uploads/2014/04/What-Every-CEO-Must-Know-Cyber-April-4-2014-Final.pdf
Benoit Grenier
CEO and Co-Founder
Proactive Risk Management
Pour la rédaction de cette série d’articles, nous avons consulté ces articles qui pourraient aussi être d’intérêts pour vous.
CEO
Our biggest blindspots as CEOs
https://m.signalvnoise.com/our-biggest-blindspots-as-ceos-5c1bdab8347c#.nwnk0qu4b
What every CEO needs to know about cybersecurity: A background paper By Ray Boisvert President and CEO I-SEC Integrated Strategies
http://www.ceocouncil.ca/wp-content/uploads/2014/04/What-Every-CEO-Must-Know-Cyber-April-4-2014-Final.pdf
Cybersecurity Questions for CEOs
https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
Why CEOs Are Failing Cybersecurity, And How To Help Them Get Passing Grades
The Biggest Threat to Cyber Security–Your CEO
Preventing cyberattacks might be as simple as keeping an eye on the C-suite.
http://www.inc.com/julie-strickland/ceo-cyberattacks-hacking.html
Corporate Security Checklist – a CEO’s Guide to Cyber Security
22 essential questions to evaluate your company’s defenses
https://heimdalsecurity.com/blog/corporate-security-checklist-a-ceos-guide-to-cyber-security/
Cyber Risk Management Primer for CEOs
https://www.dhs.gov/sites/default/files/publications/C3%20Voluntary%20Program%20-%20Cyber%20Risk%20Management%20Primer%20for%20CEOs%20_5.pdf
Cyber Security: A Failure of Imagination by CEOs
http://www.theatlantic.com/sponsored/kpmg-2016/cyber-security-a-failure-of-imagination-by-ceos/912/
The CISO, the CIO, the CEO, or you: Who is really responsible for cybersecurity?
Target CEO Fired – Can You Be Fired If Your Company Is Hacked?
CEOs Can No Longer Sit Idly By on Cybersecurity
https://www.entrepreneur.com/article/233911
CEOs disconnect between cyber security perception and reality; report
http://www.itp.net/610976-ceos-disconnect-between-cyber-security-perception-and-reality;-report
CEO/CIO
The CEO/CIO relationship
http://www.computerworld.com/article/2586489/vertical-it/the-ceo-cio-relationship.html
The Differences Between CIOs and CEOs
http://www.cioinsight.com/it-management/expert-voices/the-differences-between-cios-and-ceos.html
The CIO in Crisis: What You Told Us
https://hbr.org/2013/07/the-cio-in-crisis-what-you-tol
Is There A CEO-CIO Disconnect?
http://www.huffingtonpost.co.uk/vincent-delaroche/is-there-a-ceocio-disconn_b_12768684.html
CIO vs CEO: Finding Middle Ground
http://www.mavenwave.com/fusion-blog/cio-vs-ceo-finding-middle-ground/
Securing the C-Suite, Part 1: Lessons for Your CIO and CISO
https://securityintelligence.com/securing-the-c-suite-part-1-lessons-for-your-cio-and-ciso/
CRO
The Chief Risk Officer: What Does It look Like and How Do You Get There?
https://web.archive.org/web/20060517033324/http://www.rmmag.com/Magazine/PrintTemplate.cfm?AID=2855
Chief Risk Officers Are Taking on a Broader Role
http://blogs.wsj.com/riskandcompliance/2016/04/01/chief-risk-officers-are-taking-on-a-broader-role/
The Triumph of the Humble Chief Risk Officer
http://www.hbs.edu/faculty/Publication%20Files/14-114_60866b77-6b5c-4fd3-9ce1-e2ab8d5da654.pdf
If You Don’t Have A Chief Risk Officer, Get One
The role of the Chief Risk Officer in the spotlight
https://www.towerswatson.com/DownloadMedia.aspx?media=%7BA590F5C1-5630-45A8-9133-4C04AF5B80BD%7D
CFO
Three ways to strengthen the CFO-CIO partnership CFO Insights
https://www2.deloitte.com/us/en/pages/finance/articles/cfo-insights-cfo-cio-partnership.html
When technology meets finance: how the CFO can become an innovation catalyst
Accountants as aggregators of data – Evading a Cyber Attack
http://www.lexology.com/library/detail.aspx?g=7ea05894-ca30-4ab8-b14e-f39cdb5a6abb
Cyber Security Big Four get serious on cyber security
https://www.ft.com/content/270d2894-ecb5-11e3-a754-00144feabdc0
Data and Dollars: The Role of the CFO in Cybersecurity
http://www.connectedfuturesmag.com/a/F15A1/data-and-dollars-the-role-of-the-cfo-in-cybersecurity/
The CFO’s role in cybersecurity
https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2015/BAS-FEI-CFO-whitepaper-150605FIN.ashx
Accounting Firm Tech Systems Are Weak
http://www.accountingweb.com/community-voice/blogs/rick-telberg/accounting-firm-tech-systems-are-weak
Cybercrimes/Cybersecurity
TOP CYBERCRIMES WHITE PAPER HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS
http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/CyberSecurity/DownloadableDocuments/Top-5-CyberCrimes.pdf
Cybersecurity Best Practices Guide For IIROC Dealer Members
http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf
Study shows businesses the ROI behind a strong security program
http://www.ncxgroup.com/2016/04/study-shows-businesses-roi-strong-security-program/#.WLc9NBLhAdU
IT security auditing: Best practices for conducting audits
http://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits
Internal Audit’s Contribution to the Effectiveness of Information Security (Part 1)
7 Types of Hacker Motivations
https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/
No Business Too Small to Be Hacked
https://www.nytimes.com/2016/01/14/business/smallbusiness/no-business-too-small-to-be-hacked.html
Percentage of companies that report systems hacked
http://www.cbsnews.com/news/percentage-of-companies-that-report-systems-hacked/
Jeu de briques
Snake
Pacman
Bubble