{"id":214441,"date":"2026-05-15T10:56:00","date_gmt":"2026-05-15T14:56:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/15\/five-critical-cybersecurity-resolutions-the-cpa-journal\/"},"modified":"2026-05-15T11:25:07","modified_gmt":"2026-05-15T15:25:07","slug":"five-critical-cybersecurity-resolutions-the-cpa-journal","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/15\/five-critical-cybersecurity-resolutions-the-cpa-journal\/","title":{"rendered":"Five Critical Cybersecurity Resolutions &#8211; The CPA Journal"},"content":{"rendered":"<p><a href=\"https:\/\/www.cpajournal.com\/2026\/05\/15\/five-critical-cybersecurity-resolutions\/\">Five Critical Cybersecurity Resolutions &#8211; The CPA Journal<\/a><\/p>\n<p><a href=\"https:\/\/www.cpajournal.com\/2026\/05\/15\/five-critical-cybersecurity-resolutions\/\">https:\/\/www.cpajournal.com\/2026\/05\/15\/five-critical-cybersecurity-resolutions\/<\/a><\/p>\n<p>Publish Date: 2026-05-15 10:56:00<\/p>\n<p>Source Domain: <a href=\"www.cpajournal.com\">www.cpajournal.com<\/a><\/p>\n<p>The new year comes with a new list of cybersecurity and technology risk resolutions. Financial and risk management professionals annually rededicate their organizations and themselves to better manage the ever-present threats posed by technology. It seems that no matter the efforts and progress made in the prior year, the task list remains just as long. 
Reasons include increasing business demands, pressure on limited resources, and, of course, revolutionary technologies such as artificial intelligence (AI), which provide significant opportunities for hackers to exploit weaknesses, as well as for organizations to enhance their protective strategies.<br \/>\nFrom a governance perspective, similar excuses for why tasks remain are heard annually from management. Audit committees continue to wonder why a particular risk keeps challenging the organization. Committee members are aware of the cost-benefit considerations for implementing controls to mitigate risks, as well as the publicized challenges in mitigating cybersecurity risks. Yet it seems that familiar words\u2014such as misconfigurations, inappropriate access, vendor reliance, inadequate follow-up, staffing challenges, lack of resources, unremedied vulnerabilities, insufficient policies, and noncompliance with existing policies\u2014continue to populate the audit committee agenda and subsequent discussions. Participating in end-of-year reflections focused on these topics could help governance professionals identify the root causes of cybersecurity risks.<br \/>\nSome predict that AI will change everything, but that may not be the case. Perhaps both hackers and defenders will have more sophisticated tools that will enable each to perform their objectives with greater efficiency and effectiveness. Defenders especially will need to learn from past mistakes to effectively use the new technology and efficiently protect against more sophisticated, complex attacks.<br \/>\nGetting the Right Things Done<br \/>\nPeter Drucker, the renowned management consultant of a previous generation, authored the classic book\u00a0The Effective Executive, in which he emphasized that the executive\u2019s role was to get the right things done (HarperCollins, 1966). Managing cybersecurity risks can present overwhelming challenges for executives and board members. 
For many organizations, efforts have increased dramatically alongside the realistic threats they face. Focusing on what is the right thing or the most essential thing to do may not always be obvious. A popular approach is to focus on why either that organization or others have been breached. Much guidance is available, but executing recommended actions remains a challenge. Tales of management not holding their teams accountable for simple controls, such as compliance with current policies or password management, frustrate many audit committee members.<\/p>\n<p>Below are five common annual resolutions that organizations often declare but do not fully implement. In some cases, despite their efforts, their risk levels remain high. Focusing on resolving these issues can strengthen an organization\u2019s risk posture and better prepare it for the technology landscape ahead.<br \/>\nImplement real and effective governance.\u00a0Implementing resolutions starts at the top. Not only must there be appropriate policies that communicate the board\u2019s desires and concerns, but they must also be enforced. When compliance is not possible, the situation should be reported to the policy owner and appropriate deviation approvals obtained. If a policy has not yet been developed, a conversation with the policy owner should ensue. An unenforced policy can provide managers with the go-ahead to not adequately manage the risk.<br \/>\nIn many organizations, policies appear to be a one-time exercise intended to produce documentation in case an external entity, such as a regulator, auditor, or plaintiff\u2019s lawyer, requests it. Those effectively managing cybersecurity risk use policies to engage management in implementing the requisite controls to mitigate enterprise risk, whether line management agrees or not. They also continually monitor developments to ensure that policies remain relevant. An example of this is the introduction of AI. 
Some organizations implemented sophisticated tools like AI without having or specifying appropriate governance strategies and expectations. If a specific AI policy did not exist, an emerging technology policy should address expectations for new technologies. Communicating and managing expectations from the board, including ensuring compliance, is critical for any organization\u2019s success.<br \/>\nAggressively address high-risk items.\u00a0Many companies, whether they believe in the process or are forced to do so, perform technology risk assessments. Unfortunately, for some organizations, risk assessment amounts to going through a checklist and justifying a yes answer to avoid creating a list of possible actions to consider. For others, risk assessment is the primary tool through which they communicate with the board about which areas management will focus on and which will not be addressed due to a medium risk score. In very large organizations, elaborate tools are used to quantify the risk. In smaller ones, a judgment-based approach is taken.<br \/>\nThese assessments are typically conducted annually. Once the appraisal is approved at the board or audit committee level, the corresponding projects are usually approved with quarterly updates. The challenge is that higher risks are often known, and remediation projects are sometimes held up until the entire risk assessment is completed or approved. An alternative approach based on triage procedures is to establish a rapid, streamlined approval process for risks generally considered very high to be approved as soon as possible, rather than waiting for the completion and presentation of the entire assessment. An additional concern regarding the annual technology risk assessment is that business changes occur throughout the year. 
Depending upon the impact of these changes, an ongoing risk assessment should be conducted to reflect the current environment and determine whether immediate risk mitigation strategies are required.<br \/>\nA related area is vulnerability remediation. This usually involves cross-department cooperation and at times limited use of certain technology functions until remediated.<br \/>\nUnderstanding and managing configurations.\u00a0No matter the technology, the management of configuration is key to successfully enforcing and thereby achieving risk management strategies. Challenges include the large number of configurations each technology supports and the impact of configurations on integration with other applications and systems. For example, configurations can be used to determine the amount and type of logging performed, access control rules, alerts, enforcement of business rules, and methods for calculating accounting information.<br \/>\nUnfortunately, business executives often leave the configurations to the technology function. Although one can argue that many configurations relate to technology processing, there is often a lack of direction on what to do. Many organizations, lacking the expertise to understand how these configurations work, may overly rely on technical staff\u2019s experience rather than formally reviewing configuration choices or involving the business in the ultimate decision. Frequently, when deciding which configurations to use, a selection is made between availability and security. There is an inverse relationship between the two, with security being compromised to facilitate the availability of applications to end users and customers. It is a business decision with associated risks and should therefore be made by those responsible for managing and governing the business.<br \/>\nGetting everyone on the same page.\u00a0In today\u2019s business environment, employees are typically expected to do more with less. 
Although no one wakes up in the morning hoping to get hacked, daily behaviors, sometimes performed in the name of efficiency or just getting the job done, can increase cybersecurity risk. This behavior manifests in practices that prioritize individual silos or departments over the enterprise as a whole. A priority for one function, such as \u201cincreasing sales at any cost,\u201d may not sufficiently consider the risks involved in achieving those sales, including exposing system data and other reliability factors.<br \/>\nOrganizational leaders must ensure that their associates are all on the same page. This includes communicating the importance of cybersecurity and managing other threats to the organization\u2019s overall well-being. Performance and compensation metrics should be used to promote enterprise-wide rather than just department goals. Leadership should recognize that cybersecurity is not only a defensive posture, but also something that enables an enterprise to achieve its objectives, including ensuring the availability of goods and services to its customers to generate sales. Appropriate training should be provided to prepare employees to both understand and prevent participation in cyber-related fraudulent activities. By doing so, organizations can both manage risk and achieve their objectives.<br \/>\nPrepare for and appropriately respond to attacks.\u00a0It is often said that getting cyberattacked and breached is a question of when, not if. Although most organizations recognize the importance of preparing, it is seldom considered an urgent matter. Too often, daily challenges disrupt and deprioritize the importance of preparation. Incident response playbooks should be comprehensive and thoroughly tested. Most organizations usually perform only partial testing. Another critical area is planning for the financial implications of an attack or breach. 
This not only includes potential funding or budgeting items, but also the ability to maintain appropriate insurance levels and to fully recover on all claims.<\/p>\n<p>Foundation Steps Go Far<br \/>\nAt first glance, the above resolutions appear simple. After all, they are part of the guidance that cybersecurity professionals have been recommending for quite some time. The challenge is that many organizations have been unable to execute these critical controls. Resolving to address them, including taking a governance perspective that forces behavioral changes, can significantly improve any organization\u2019s cybersecurity risk profile.<\/p>\n<p>Joel Lanz, CPA, CISA, CISM, CISSP, CFE,\u00a0is a lecturer at SUNY\u2013Old Westbury and an adjunct professor at NYU-Stern School of Business, New York, N.Y. He provides infosec advisory services through Joel Lanz, CPA, P.C., Jericho, N.Y. He is a member of The CPA Journal Editorial Advisory Board.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Five Critical Cybersecurity Resolutions &#8211; The CPA Journal https:\/\/www.cpajournal.com\/2026\/05\/15\/five-critical-cybersecurity-resolutions\/ Publish Date: 2026-05-15 10:56:00 Source 
Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":214442,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cpajournal.com\/wp-content\/uploads\/2026\/05\/GettyImages-1096875690-scaled.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,30,24,31,27],"class_list":["post-214441","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-breach","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214441"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=214441"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214441\/revisions"}],"predecessor-version":[{"id":214443,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214441\/revisions\/214443"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/214442"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=214441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=214441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=214441"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}