Cyber Security: It Isn’t as Clear as Us vs. Them

Vincent Tophoff | October 24, 2014 | 2

As more companies report major cybercrimes and many of us learn we have been a victim—compromised credit card information or data breaches online—cyber risk is increasingly recognized as a serious threat that companies need to address. Recent events demonstrate that cybercrime is increasing rather than decreasing. Therefore, additional and concerted effort from all parties involved (perhaps even the cyber criminals themselves—more on that later) is required to stem the tide.

In this light, it was very timely that the Association of Chartered Certified Accountants USA and Pace University convened the second annual cybercrime symposium and panel discussion, Cybercrime in the World Today 2014: Emerging Threats, in New York on April 3, 2014.

After introductions from Judge Robert G.M. Keating, Vice President for Strategic Initiatives at Pace University, and David Szuchman, Executive Assistant District Attorney Chief, Investigation Division, Manhattan District Attorney’s Office, moderator Jonathan Hill, Associate Dean, Seidenberg School of Computer Science and Information Systems, Pace University, chaired a panel discussion that featured:

  • Charles F. Gilgen, Special Agent, US Federal Bureau of Investigation;
  • Bernadette Gleason, North America eCrime Laboratory Manager, Citi;
  • Robert A. Zandoli, Senior Vice President, Global Chief Information Security Office, AIG; and
  • myself, representing IFAC and the accountancy profession.

From the ensuing discussion it became clear that enhanced cyber security is not only a technical issue, but equally a behavioral issue. People and their motivations are behind every threat but people also make or break the lines of defense. Here are some examples.

Ingrained in all your actions

It is important that organizations regularly talk about cyber security with their staff to give them a baseline understanding of the risks involved and the potential consequences, as well as what they can and should do to address them. However, many people and organizations alike seem to separate the management of cyber risk from their regular decision making and activities, as if cybersecurity is something separate, often to be dealt with by others.

Maybe we should, therefore, not look at cyber threats as an individual risk category, but instead at how these risks might affect the achievement of an organization’s objectives. After all, technology and the resulting risks to a company’s processes and data are infused throughout the enterprise. As a consequence, not only the IT team but everyone in the organization—and its external counterparts—should take cyber risk into account while making business decisions, integrating the notion of cyber security into all organizational decision making and operations that involve the company’s computer networks and data.

It’s a little bit like driving a car. Safety is an issue all the time you’re driving. The same applies with risk management and taking care of cyber risk. With employees connecting to a firm’s systems from remote locations, often from a mobile phone or tablet, it’s not something that you do only on the afternoon when we have our cyber risk meeting. It’s something you need to integrate in every decision we take and in everything we do.

Us vs. them?

And what about the cyber criminals themselves? In the fight against cyber threats, is it really the good guys against the bad guys? Who are the bad guys? Can you easily recognize or identify them? Who tells us that the good guys cannot turn bad or, alternatively, that the bad guys cannot turn good?

A clear theme in the discussion at Pace University was that cyber security is not an “us versus them” scenario where the line is clearly drawn between “us” and rogue employees and/or external hackers who are threats. Every login to the network bears some associated risk and the responsibility for risk assessment is as incumbent on the users as it is on the IT staff.

The current approach to cybersecurity seems predominantly focused on “end-of-pipe” solutions: countering rather than reducing the threat, for example by building ever “higher” firewalls. However, we know from combatting other forms of crime that a multifaceted approach is often more effective. For example, organizations may also need to pay attention to the front end through lowering the incentive to commit cybercrimes, decreasing the opportunity to carry out the crime, rewarding good behavior, and discouraging bad behavior. Perhaps even engaging former cyber criminals in the fight against cybercrime. At least they would bring a lot of knowledge and experience!

Interested in more?

If you are interested in seeing more of the discussion, the webinar is available online. We would also like to ask your assistance with Dr. Hill’s new cybercrime research by filling out a short survey about your company’s security practices. The survey is anonymous and should only take 2-3 minutes to fill out.


Vincent Tophoff

Former Senior Technical Manager

Vincent Tophoff was a senior technical manager at IFAC, working with the Professional Accountants in Business Committee. Previously, he was a partner at INTE-Q Integration Management, a management accountancy consulting firm in The Netherlands and senior lecturer at the postgraduate accountancy program of the Vrije University in Amsterdam.


Join the Conversation (2)



Kolawole Waheed November 7, 2014

Interesting and educating. Thank you

Geraldine Magarey November 3, 2014

I agree cyber security is not a technical issue, it really is an issue for the board and CEO. At the launch of Chartered Accountants Australia + New Zealand's thought piece 'Protecting our Cyber Future: Be proactive before it is too late' we were told there are 4 points to consider: 1. expect to be hacked 2. understand your critical assets 3. raise awareness 4. get the basics right around controls. Developing cyber resilience is essential.

