IPA Spotlight On … Dan Schroeder, Aprio

Name: Dan Schroeder

Dan Schroeder

Dan Schroeder

Firm: Atlanta-based Aprio, formerly known as Habif Arogeti & Wynne (FY15 net revenue of $73.5 million)

Title: PIC, Information Assurance Services

Accomplishments:

  • Served as chairperson of the AICPA’s Information Management and Technology Assurance (IMTA) committee, and helped lead the rollout of Service Organization Control (SOC) reporting to the profession.
  • Founder of Aprio’s Information Assurance Services practice, which serves leading national and international tech-based businesses.
  • Leads cybersecurity and privacy risk assessments, SOC reporting, ISO 27001 (an internationally recognized information security standard) assessments and certification reporting, and Payment Card Industry Data Security Standard (PCI DSS) Reports on Compliance (ROC) assessments and certification.
  • Frequent speaker and author on IT risk management subjects, including cybersecurity, audit and compliance reporting, privacy and cloud computing.

As the “Internet of Things” evolves, will the nature of risk increase?

Absolutely. In some settings, IoT can represent an order of magnitude increase in the number of endpoints that can be exploited where exploitation could represent some compromise of the function being performed. In a recent case, a large number of consumer-deployed IoT devices were compromised and employed en masse to conduct a denial of service attack against an Internet service provider.

What does it mean when businesses are advised to become “cyber resilient”?

Generally speaking, resilience is the ability to adapt and function effectively in the face of adverse events. With respect to cyber, this means deploying not just effective approaches to reduce the potential for cyber events, but also measures and capabilities to respond and recover if a cyber event does occur. The National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) is an example of a robust framework for the entire spectrum of cyber risk management. The CERT Resilience Management Model (RMM) is a very detailed, if not comprehensive, framework for building resilience and can serve to supplement cyber frameworks such as NIST CSF.

Is this a growing service line for the profession? If yes, what other roles / services will come out of this demand?

Yes, undoubtedly. There are a range of services across both advisory and assurance. Businesses will continue to need assurance reporting such as SOC to gain comfort with their trading partners. A few firms like ours focus on assurance reporting, and have extended their capabilities to include PCI DSS Compliance and ISO 27001 certification. Advisory service opportunities are also very significant – these include consulting related to cyber risk program definition, deployment and oversight.How can accounting firms best assess the cyber security risks they face?

Just like any other business it has to start with a proper risk assessment (e.g., ISO 27005, NIST 800-30). This includes understanding the flow of any potentially sensitive data, assets that enable the data flow, vulnerabilities inherent in the data flow, threats to the confidentiality, integrity and availability of that data, and the resultant business risks. When done properly, this will provide the firm with a clear rationale for their cyber risk management objectives and associated risk management activities.

How do traditional IT security approaches fall short?

Traditional IT security approaches focus on technology and not the business, address only part of the problem, and do not elicit the involvement and support of management needed to make risk management effective and sustainable. Cyber is a business risk and can only be effectively managed with clear support from senior management for policies, procedures and investment deemed necessary to fulfill the company cyber risk management objectives.

What is the next big thing in this area?

We expect that IoT-leveraged attacks will become more common (such as when IoT was recently leveraged to disrupt a significant ISP). Historically, cyber-attacks have been about data loss. Increasingly, because of IoT, they will become about loss of data integrity and availability. It is possible that IoT attacks will be used to compromise critical infrastructure, manufacturing operations, health care delivery, etc., or at least monetize the ability for such disruption through ransomware. This, in turn, will lead to marked increase in compliance requirements, likely from industry groups and potentially from the federal government.

Final thoughts?

It sounds trite, but this is an exciting and rewarding time to be providing information assurance services. When done properly, what we do helps our clients manage critical dimensions of risk and strengthen their business relationships, and they in turn consider us to be trusted business partners.

Do you know someone else who would make a good Spotlight? Contact Christina Camara.