Whether you are growing your business organically or through mergers and acquisitions (M&A), establishing strong technology governance and a cybersecurity framework that aligns with the organization’s vision and strategic growth plan is crucial for success. Today, technology is a critical success factor and competitive differentiator for driving business operations, and it is the key to an organization’s data, people, and processes. Optimizing technology tools and safeguarding these areas is paramount to maintaining and growing business operations. If the IT strategy is not aligned with business objectives, disjointed processes, low margins, and poor customer experience are often the result. Compounding that problem is a lack of adequate cybersecurity, which represents an existential threat to any business.
Set Your Organization Up for Success
Once the business strategy is defined and the growth plan identified (whether organic growth, M&A, or a combination), it’s critical that the IT and cybersecurity risk management frameworks are aligned to support the business and drive strategy. The IT framework will need to support the growth plan, which should be part of the broader business strategy. For an M&A strategy, as a transaction approaches, an assessment of the IT and cyber environment of the target company must also be conducted, ideally before the two environments are interconnected, to ensure successful integration and prevent buyer’s remorse. This is essential to confirm that the existing infrastructure is compatible and can be efficiently integrated while maintaining continued and uninterrupted support to the newly formed organization.
Here are 5 key considerations to keep in mind when developing an IT and cyber framework:
- Analyze, define and document the program: Critical IT and security controls should be identified, designed, and put into operation to support the plan and vision. Policies and procedures should be drafted or updated to reflect implemented best practices and strategy in alignment with the plan.
- Senior leadership team acceptance: For the plan to be successful, senior leadership and the C-suite need to be on board with the strategy for execution. Senior leadership buy-in is critical for success – if leadership doesn’t agree with the approach or the importance of strong IT solutions and cybersecurity practices, then the program is doomed to fail from the beginning. The importance of tone at the top cannot be overstated. Companies that recognize the importance of strong IT and cyber controls at the highest levels are far more likely to facilitate change throughout the rest of the organization.
- Inventory and consolidate applications: Developing and maintaining an inventory of the IT assets (hardware, software, infrastructure, etc.) utilized at the organization is critical for knowing where your data is and how it’s being used. It also gives those charged with operating and securing systems full visibility into the assets and data flows in the organization’s environment; you cannot protect or monitor what you do not know you have. After an acquisition or merger, the inventory is what determines which applications, hardware, vendor relationships, etc. are still required, which might still be needed, and which could potentially be consolidated or decommissioned.
- Perform a cybersecurity risk assessment: This is an essential step in understanding the current state of the environment and knowing where weaknesses exist. Industry-recognized frameworks (COBIT, NIST, CIS, ISO, etc.) should be mapped to each tailored environment to identify gaps between the controls the framework expects and the controls actually in place, and to help formulate plans to remediate those gaps. This will result in a stronger control environment and more secure and trustworthy stakeholder relationships.
- Regulatory assessment: Does your organization or target entity need to adhere to certain regulatory requirements? It’s critical to understand the technical and security requirements that go along with those regulations. HIPAA, PCI DSS, GDPR, etc. all carry specific IT and cyber requirements that will need to be addressed, and in an acquisition the target’s obligations become yours. Tailoring or performing additional assessments against the applicable regulatory requirements to ensure continued or go-forward compliance is a must-have.
Senior leadership has approved and supports the IT initiatives, IT asset inventories have been developed, and a cybersecurity risk assessment has been performed. Now what? Now is the time to ensure you have the right resources (in quality and quantity) to mitigate the identified risks and put the right pieces in place so these accomplishments can be maintained on an ongoing basis. Part of this will include educating the rest of the organization on the importance of cybersecurity hygiene to protect your data going forward. Cybersecurity is not a “one-size-fits-all” approach. It needs to be customized to your organization, environment, culture, and vision. Having the necessary people involved is critical from the start. Investing in the right resources to ensure the right tools are implemented efficiently upfront will provide your organization with a competitive advantage and allow for peace of mind for investors, customers, and future business partners.
How Centri Can Help
At Centri, our IT risk and cybersecurity advisory services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management aligns with the specific needs of your company.
Rich Sowalsky, CISA
Managing Director | IT Risk & Cybersecurity Practice Leader
Rich is the Managing Director and IT Risk & Cybersecurity Practice Leader at Centri. He has more than 13 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits & accounting. Over the years, Rich has provided a variety of risk advisory and compliance services for clients across various industries, including insurance, healthcare, life sciences, financial services, and higher education.
Karyn DiMassa, CPA, PMP, CISA, CFE
Director | IT Risk & Cybersecurity Practice
Karyn is a Director in the IT Risk & Cybersecurity Practice at Centri. She has over 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support. Karyn has provided risk advisory and project management services to various clients throughout several industries, including utilities, manufacturing, pharmaceuticals, life sciences, insurance, financial services, and healthcare.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.
For more information, please visit www.CentriConsulting.com
Eight Penn Center
1628 JFK Boulevard, Suite 500
Philadelphia, PA 19103
New York Office
530 Seventh Avenue
New York, NY 10018
50 Milk Street
Boston, MA 02109
Tysons Corner Office
1775 Tysons Blvd
Tysons, VA 22102
8310 South Valley Highway
Englewood, CO 80112
4509 Creedmoor Rd
Raleigh, NC 27612
615 Channelside Drive
Tampa, FL 33602