From data breaches to AI and cyber security, an IT Risk expert on why every business needs to look at how they use technology
06th Mar 2023
Technology is essential to the smooth running of business today, but it can be tricky to keep on top of its potential pitfalls. Diane O’Regan, Senior Manager in IT Risk Assurance at PwC, explains why it’s so important.
As the technology we use every day becomes more and more complex, so too do the potential risks for those that rely on it for their businesses to run smoothly. The devastating impact of cyberattacks has hit headlines, data breaches are frequently flagged, while the rapid progress of artificial intelligence has equal potential to be useful and problematic.
Diane O’Regan, a Senior Manager in IT Risk Assurance at PwC, points out that there are very few companies that are not reliant on technology. “If you use one system for payroll, that’s really important – and even small businesses like taxi drivers and takeaways are now reliant on apps. Everyone is using some sort of technology, and everything is only becoming more digitalised.”
Those risks are what she and her team are always trying to stay ahead of and identify for their clients. “We’re looking for any type of risk that stems from the use of IT systems and technology that can impact your business,” she explains.
It’s an area that she says is fascinating for its breakneck speed of change, and she loves delving into the workings of each company to identify where problems might arise. She came to the role, however, almost by accident, with no IT experience.
“I actually studied accounting, and applied for a job in Financial Audit in PwC in Cork. Before I started, they asked if I would be interested in a split role between IT Audit and Financial Audit. Given that everything was becoming so digital, I thought, why not? I only lasted about a year in the split role before I asked to move into IT full-time – I just found it so interesting.”
She has upskilled over the years, while also learning on the job. As technology rapidly advances, there are always new developments to stay on top of. “It’s constantly evolving and changing,” Diane says. “When I started, we mostly focused on the systems that were driving everything, but over the last few years, there’s been a huge focus on cybersecurity. We’re seeing bots and artificial intelligence being used in a lot of businesses; you have to run to keep up with it. No two companies really face the exact same risks – they might use a lot of the same technologies, but in really different ways and can have very different control environments.”
A common problem she sees in companies is a struggle to keep up with the pace of change. “If you don’t have a good foundation of your basic IT general controls: your access management and your change management, things can very quickly get ahead of you. Cybersecurity attacks are getting more and more sophisticated; people are generally learning from what happens to other people and trying to implement changes as quickly as possible. But it’s not always a quick fix, especially when the technology is so heavily used day to day; IT teams are trying to keep the business going.”
She understands that it is difficult for small businesses especially to stay on top of these rapidly changing needs. “The size of the IT team is a huge factor – bigger IT teams can separate out and manage what they’re doing a lot easier than smaller ones, where a couple of people, or even just one person is responsible for everything, and that brings its own risks.” She makes the point, however, that even simple changes can go a long way, so it is always worth asking experts like her team for their advice.
“Sometimes the fixes we recommend are very simple, businesses can try and over-engineer things without doing the basics first, so some straightforward changes will make their life so much easier.”
Over the last few years, there’s been a huge focus on cybersecurity. We’re seeing bots and artificial intelligence being used in a lot of businesses; you have to run to keep up with it. No two companies really face the exact same risks – they might use a lot of the same technologies, but in really different ways.
Her advice for any business concerned about their IT security is to focus on their basic controls for whatever systems they use. “There’s a lot of legislation out there, but there’s a lot of overlap in it. If you get some of that foundational control right, it really makes it a lot easier to add bits and pieces as you go rather than running around trying to tackle them all in isolation.”
She also advocates planning ahead when implementing any changes to your IT systems. “Building in the kind of controls you’ll need early on is key. Generally there is a lot of pressure on IT teams to get things done quickly, but by thinking about those things upfront, it can really help the speed of the whole process, rather than trying to come back to it later and figure out where you should have put controls in, and maybe need to reconfigure the system.”
With pressure to deliver high-quality work, as well as often working to strict audit deadlines, it’s a role that comes with a certain amount of pressure, but Diane says that over the years she has found that dealing with this is about good management.
“Managing people’s expectations, managing your team and your deadlines is hugely important,” she explains. “Everyone that I see in PwC who is really successful can manage other people well. Pretty much anyone can pick up the technical knowledge required, but it’s about being able to manage relationships well that separates the best people.”
And although IT in general is still quite a male-dominated field, Diane says that she hasn’t found IT Risk to follow the same pattern. “I think it’s because there are so many different avenues – you don’t have to have studied IT. There are people with accounting, economics, and finance degrees – all of that merges into risk and control, so you have a bigger pool to choose from.”
She would encourage any women who are considering the sector to pursue it, not only for its exciting pace of change, but also the ability to focus on what interests you.
“You can specialise in certain industries, or work across lots of different ones. There are lots of different avenues you can go down. Even within PwC, in our Risk team we have people from so many backgrounds all doing different things. And it only gets more interesting as technology advances.”
Managing risk isn’t about responding to change. It’s about changing the way we see risk, shifting our perspective and considering different angles to anticipate and be agile. To find out how PwC can help your business, visit PwC.ie.
Photography: Kieran Harnett