Audit, Risk Trends: Insights from David Melnick of Deloitte
What are some of the key audit and risk trends to track? David Melnick of Deloitte answers that question in an interview focusing on:
Melnick is a principal in security and privacy services within the audit and enterprise risk services practice in the Los Angeles office of Deloitte and brings more than 17 years of experience designing, developing, managing and auditing large-scale secure technology infrastructure. Melnick has authored several technology books and is a frequent speaker on the topics of security and electronic commerce.
TOM FIELD: Hello this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about audit and enterprise risk and with us is David Melnick, a Principal in the Security and Privacy Services with Deloitte & Touche. David thanks so much for joining me today.
DAVID MELNICK: It's my pleasure to be here.
FIELD: Just to give our audience a bit of context, why don't you tell us a little bit about yourself and your role with Deloitte & Touche?
MELNICK: Your topic was perfect because the group I am in, in addition to my specialization in security and privacy, is labeled the Audit and Enterprise Risk Services Group, so it sounds like I am ready for the topic. I am, as you mentioned, a Principal in Deloitte & Touche, LLP and also an elected board member to ISC2, which is an education and certification organization for the security profession. So I spend the majority of my time focused on these topics.
FIELD: Excellent. I would like to ask you then about the top issues. Let's go through them in order. Give us a sense of what the top trends are in audit and then in enterprise risk.
MELNICK: Audit, as the listeners probably will know, tends to focus quite a bit on financial risk and financial reporting risk and is driven by SOX and some of the requirements there, but much broader in more recent days. I think what you see in the current economic environment is a number of things.
One, there is focus on anti-fraud programs as the economic situation has continued. The conditions that give rise to fraud, the opportunity, the incentive or pressure, the attitude and rationalization have all sort of created an additional risk around fraud so anti-fraud programs would clearly be one area.
I think directionally trending it is probably no surprise to hear the topic of third-party vendor relationships and the contracts with those. I think SOX within audit drew a lot of attention to this starting in 2003 and 2004, but with Red Flag Rules and other things going on you don't see any let up in our continued efforts, especially as we increasingly rely on third-parties in more intricate and complicated ways. The third-party relationships have gotten a lot more attention and in more recent years it has started to focus on data and data privacy topics, as well as just some of the things that are pure in audit.
If I was going to throw in maybe one more on the audit side I might bring up application security and our continuing effort around dealing with the enterprise role-based access control issues across applications. Within the ERP space this has become much mature. I think what is happening is the broader array of applications still is an area that hasn't gotten a lot of adequate attention. It's furthest down the topic and even extends down to spreadsheets and the end user computing-type environments.
It's not going to be a quick one on audit; if I was going to step up to enterprise risk I might introduce just maybe two more ideas. One of which, at an enterprise level, would be, especially within financial institutions, getting your hands around the broad array of programs you have focused on managing risk.
You may have a group focused on SOX and financial risk, you may have another group focused very specifically on one particular regulator and regulatory risk around that topic, you may have another area dealing with some other type of risk and each one may have its own program and its own audit function. At an enterprise level there is a great deal of attention around this idea of an integrated approach to risk management and how do you bring that together. It is essentially one of the base ideas in enterprise risk management but it is also an operational challenge. The second thing I would mention is at the enterprise risk level it is often challenging to broaden our view. I started our conversation just now on financial risk and financial reporting risk and as you think about enterprise risk there are so many other dimensions that come into play, not just regulatory or risk of non-compliance with regulations. And not just operational, not just market or other external risk factors, but even positive risk and strategic risks. In order to be successful, executing an opportunity takes a risk. There are many issues dealing with these topics in many organizations, from creating that broader view to as far as going Green IT.
FIELD: We deal with a couple of different verticals, one certainly is financial institutions, but also with federal government agencies. What are some of the specific security issues you see facing these groups today?
MELNICK: If I broke those down, banking and financial institutions, I might draw on some of my partners in Deloitte. We complete an annual security survey in financial services and then broader globally each year. I have a little bit of data I can lean on. Year after year there are some that are regular favorites and a couple that would be security related regulatory compliance. Another one is access and identity management, a maturing space still considered one of the top risks and in my top three in my surveys in 2007 and 2008. The one that is a little more interesting, that rocketed into the top five in 2008 and wasn't even in that list of top five in 2007 is the topic of data protection and information leakage.
The timing of our survey in 2007 pre-dated the largest data breach related event that we had in history. That is part of what I think is responsible for that number going way up, but I think those three might be kind of a starting point.
Interestingly, in the survey we actually saw a decline in the number of both internal and external security breaches from 2007 to 2008. But security and regulatory compliance, data protection, information leakage and access and identity management would be my top three. As you go into the government agency side of the house, this is a very uncertain time, given the kind of change we are looking at in that environment. Whether it is in agencies that might be on the regulatory side or financial services, with the creation of new agencies, the potential merger of longstanding existing agencies, like those you see in OTS, there is a great deal of uncertainty, even the Cyber Security Office that Obama has driven forward. In addition to evolving standards and requirements there is a sense of change going on with the government side. It is not where I focus most of my time but when I talk to my other partners it seems like a pretty dynamic environment right now.
FIELD: You're right. David, what are some of the successful security strategies you see being deployed?
MELNICK: Not to lean too much on that survey, but the one thing that I thought was very interesting about the idea of a strategy is that 61% of the companies surveyed actually had a strategy. Not to be too cute, but I think one of the first strategies is to actually have a strategy and so I am happy to say that it seems like more companies are actually focusing their attention.
In fact, fewer companies have elevated the idea of IT security and governance as a key issue. We interpret that fact as more companies are taking for granted that IT governance and security governance is a part of their organization. There is a bit of maturing there. Part of this is the elevating reporting relationship of the CISO, so we continue to see movement forward on the information security officer or equivalent role elevating its reporting relationship and there are a number of drivers for that, for example S&P's and EOM requirements. There are a number of factors that are helping to push that.
One of those factors is within IT governance. Often the security professional can be a driver of an integrated approach to risk management, at least within the IT governance side of the house. It's bringing together the simple ideas so that you don't have ten different ways of evaluating how to deal with change or evaluating how to deal with an issue of incident response, things of that nature.
FIELD: I know you have some specialty in e-commerce as well. What are some of the specific security trends and threats that you see in e-commerce?
MELNICK: It is an interesting space for me because I have been working in e-commerce related topics for many years and it used to be quite a bit about payments, credit cards, the evolution of e-check and how you can leverage ACH and other networks to execute payments. More recently we have looked at the rise of social networking and the associated concerns that can be created around data protection, the increasing risks around identity theft and broad data protection concerns, even around e-commerce.
Within the payment side, from a regulatory view, you see a lot of concern and focus around credit card companies and the Unfair Deceptive Practices Act, activities to UDPA's related activity. But you know those are broader, more systemic sort of changes that may or may not occur and impact the basic activities around e-commerce.
FIELD: David, one last question for you. We've talked a lot about audit and enterprise risk and e-commerce. What are some of the key topics you are going to be focusing on for the remainder of 2009?
MELNICK: A passionate area for me and one that has always been spoken about over the last few years but never had the resources to do much has been in the area of privacy programs, and more broadly data and information protection.
We tend to be, in my efforts with companies, so application centric, so function centric, and the way data moves within and outside an organization really crosses those boundaries so quickly, and the idea of understanding your data flows and the sensitivity of information as it moves and transforms through its lifecycle and through your organization is something that has not gotten a lot of attention by most organizations. I've seen in this year a lot more willingness, especially in certain regulated industries where there are some stronger drivers, an attention and focus on really understanding data flows and how to protect that information, whether it is DLP solutions or other kinds of point solutions that come together with a broader understanding of your data and the classification of that data to, in a more holistic and comprehensive way, address that topic. One other one I would say is that the area of identity and access management has continued to mature. We are finally at a point where we see comprehensive enterprise solutions, robust solutions that are being deployed and reaching further and further into the enterprise application architecture to bring management discipline to authorization and access controls within an organization. IA implementations is an exciting area this year that I will clearly be spending time on.
FIELD: David, I appreciate your time and insights today and look forward to catching up with you again to talk about what you see for the rest of this year.
MELNICK: I appreciate your time as well. Thank you very much.
FIELD: We've been talking with David Melnick with Deloitte. For Information Security Media Group, I'm Tom Field. Thank you very much.