Audit Committee Brief May/June 2014 Audit Committee Brief Select a topic Emerging Technologies Technology at the forefront 2 Big data 2 Social media 3 Cloud computing 3 IT implementations 4 Questions to ask the CIO and other IT specialists about emerging technologies Cybersecurity 5 The audit committee’s role in cybersecurity 5 Developing and monitoring a cybersecurity plan 6 NIST Framework The increasing adoption of emerging The opportunities presented by access to a 7 Working with law technologies across all types of businesses wide array of data and informational sources enforcement mirrors the rapid expansion of high-tech devices must be balanced with a recognition of the 7 Questions the audit and applications that have transformed the daily challenges and risks—both known and committee may lives of people around the world. Given their unknown—that they pose. Accordingly, audit consider asking management to assess global significance, technology implementations committees can benefit from understanding the company’s readiness and related security activities can no longer be the company’s overall technology landscape, to prevent and respond considered just the purview of the IT function. plans, and priorities. To do so, it can be helpful to cyber attacks Such efforts are becoming inextricably linked to for the audit committee to meet with the CIO 8 Conclusion broader business, governance, and risk activities and other technology leaders at least annually. for the audit committee, other board members, 8 Additional resources and management. This issue of the Audit Committee Brief surveys recent trends and developments in several areas related to technology, including big data, social media, cloud computing, IT implementations, and cybersecurity. Also included are questions audit committee members can ask management and IT specialists to confirm that risks and opportunities are properly overseen. © 2014 Deloitte Development LLC. All rights reserved. 1 Audit Committee Brief t Back to topics May/June 2014 Emerging technologies and innovation. The CIO will be aware of Big data many aspects of the value and risks such The world of big data is expanding technologies provide, and other members of exponentially in both volume and complexity, management and the audit committee can and continued growth makes each year a contribute their knowledge of enterprise-wide virtually new landscape for data management. risks and business needs. As noted in Deloitte’s The Dual Roles of the CIO in the Digital Age: Another aspect of data analysis technologies to consider is the impact of new • The number of mobile devices and wireless implementations and approaches on legacy connections grew to seven billion globally in systems. Many older infrastructures and 2013, an increase of 500 million in one year.1 applications are inflexible and can be riddled • Enterprises spent more than $30 billion with extra coding that did not fully meet globally on big data hardware, software, requirements or was unnecessarily complex, and services in 2013, 25 percent more than which undercuts the ability to be agile in in 2011. 2 implementing new approaches. Consequently, • Social media advertising increased by 60 there may be challenges related to gaining percent between 2011 and 2013 to $6 billion.3 buy-in from senior organizational executives or IT leaders due to concerns about the There has clearly been a significant increase in maturity and stability of new technologies the volume of available data, but the term “big that leverage big data. These considerations data” encompasses not only data that is large further highlight the importance of regular in quantity, but also information that is communication with the IT function to unstructured, nontraditionally sourced, or accurately weigh the risks and benefits of available in real-time, including through mobile adopting new technologies. devices. Companies face the sometimes daunting prospect of efficiently storing and Social media analyzing this diversely sourced data. Analytics gathered from social media are no longer just the purview of the marketing Though managing such data can be department; they can also illuminate various challenging, there can be substantive and internal data points in near real-time that can even transformative benefits to harnessing improve company performance, thus making new data analysis technologies. They can be the use of social media more forward-looking used to enhance a company’s responsiveness than many traditional data measures. In and productivity, develop new models for addition, the strategic use of social media conducting business, and provide innovative venues may offer an important way for insights on customers. As such, the IT employees to innovate and collaborate with organization may have important one another. Companies should consider contributions to make with regard to strategy whether there are effective means by which to use social media for business purposes 1 http://www.cisco.com/c/en/us/solutions/collateral/service- beyond marketing, and what metrics would provider/visual-networking-index-vni/white_paper_c11- 520862.html. be most useful in enhancing operational 2 IT Hardware Report,” UBS (September 17, 2013). efficiency and performance. 3 IA/Kelsey U.S. Local Media Forecast, http://www. marketingtechblog.com/social-ad-spending-forecast/; http:// www.clickz.com/clickz/news/2174656/social-media-spending- reach-usd98-billion. © 2014 Deloitte Development LLC. All rights reserved. 2 Audit Committee Brief t Back to topics May/June 2014 IT implementations IT implementations affect the entire organization, since they often frame the approach by which business is conducted and information is disseminated. Viewing such an implementation as a purely IT-related task can increase the risk of the project’s failure and can negatively affect the organization’s bottom line, since the full value of the solution may not be realized. The prospects for success are enhanced by the active involvement of Cloud computing senior management and the leaders of all Recently, there has been an important shift in affected functions of the organization. many companies regarding how to store data. Organizations are increasingly moving from Problems can also arise if an external provider traditional IT setups that include in-house implementing the system does not fully take storage for relatively low volumes of into account the organization’s IT control structured data using traditional technology environment. The provider’s technical architectures, and toward a more flexible and knowledge should be complemented by adaptable environment that uses hybrid and company-specific input from the internal IT public cloud architectures. team, with active oversight from management and the board. Additionally, business disruptions Cloud computing provides widely can arise if there is insufficient allowance for disseminated access to data, since shared data potential delays in the project. The rigor of can be accessed by users from any location. testing and risk assessment activities can also be Such an environment allows organizations to affected if shortcuts are sought to stay on pace work with multiple types of data and volumes with an inflexible schedule. of information that far exceed those allowed by traditional approaches. With the increase in Though it is important to recognize the risks the portability and quantity of data comes an inherent in IT implementations, it should be attendant increase in the complexity of data understood that system upgrades can also that can be analyzed. mitigate a broad range of risks and inefficiencies. For example, many companies The business purpose and value of cloud have widely disseminated systems in disparate computing should be discussed at the outset of locations around the world due to offshoring any associated implementation. The control and other efforts to increase cost-effectiveness structure should be planned ahead of time and and efficiency. Though there are certainly carefully monitored to avoid costs associated situations in which such approaches can be with retrofitting. Companies should also confirm useful, consideration should be given to that external cloud providers will appropriately whether cloud computing or other approaches protect their data, and that the providers’ could centralize and consolidate the value regulatory compliance and security governance provided by such disparate systems, and activities meet the company’s standards. whether data redundancies could be reduced. Examining what architecture and technological approaches make the most sense on a global basis can improve security, add value, and result in long-term cost savings. © 2014 Deloitte Development LLC. All rights reserved. 3 Audit Committee Brief t Back to topics May/June 2014 Questions to ask the CIO and other IT specialists about emerging technologies include the following: • Which technologies or other opportunities have the potential to provide substantial or transformative benefits for the company? • Is our data structure appropriately and thoughtfully organized, and does it mitigate the risk of critical information leaving the company? • How do we secure our mobile devices and disseminate a policy governing their appropriate use? • Is our organization using cloud-based computing, and if so, have the financial benefits been weighed against the attendant risks? Do we have a plan for monitoring cloud- specific risks? • How can cloud-based and traditional systems