What are you and your business doing to measure, manage and mitigate
cyber risk? This is a question that is rapidly moving up the agenda of Chief
Executives and Chief Risk Officers across sectors.
At a recent pan-industry event we invited Ollie Whitehouse, Chief Technical Officer at NCC Group, to pose the 5 key questions CEOs need to be asking in order to challenge their businesses in this key area.
Over the past 20 years, Ollie has worked in a variety of cyber security consultancy, applied research and management roles, including being responsible for security research and assessment at RIM (BlackBerry) in Europe. Ollie is a research and science advisor to the UK Government on cyber security and is also a mentor at the CyLon incubator. NCC Group works with Apple, Google, Amazon and a wide range of other well-known organisations in this business-critical area.
The breakfast was held at the historic Law Society and we were joined by over 50 Chief Executives, Chief Risk Officers and IT leaders from across a wide breadth of businesses and public sector bodies spanning critical infrastructure, industry, financial services and transportation.
In his presentation Ollie explained that, by its nature, cyber risk operates in a very fast-paced environment and the threats it poses are ever evolving. As a result, there is often a reticence among senior executives to engage on the matter, as they feel it will quickly descend into a very technical, granular discussion. In addition, unlike health and safety, where there is a very clear manifestation of things that can be quantified and measured, cyber threats are very pervasive. Consequently, there is an anxiety among some leaders about having guilty knowledge and not being able to address it.
For Ollie the key word is resilience: cyber security is not a binary state, and a business is not simply either secure or insecure. There are degrees of risk and resilience, and these should be aligned with your broader risk strategy. Central to this resilience are good IT hygiene practices, for example staff members using complex, unique passwords, not opening phishing emails and not accessing company systems from unknown third-party devices.
The threat posed to businesses is not foreign state actors launching large, sophisticated cyber-attacks from underground bunkers, but actually employees trying to go about their work with all the associated pressures and making mistakes. As a result, the vast majority of cyber threats can be eliminated with good IT hygiene practices in place.
Q. Who actively owns and manages the business's cyber risk?
This was the first question posed by Ollie, and it centres on governance. Who specifically in the business actively owns and manages cyber risk? This is often the first stumbling block when it comes to managing cyber threats, with a lack of clarity between the security and IT leadership who advise on cyber risk, and those business unit leaders whose responsibility it is to manage it.
Identifying the owner of the risk is critical, and is beginning to become a legislated necessity in regulated sectors. Without an owner, how can a business effectively mitigate a
Once that owner is identified, active management of cyber risk is imperative. Russia could not have predicted how extensive the disruption from their "NotPetya" attack would be, but the fact that the NHS's systems were not regularly updated and patched meant that the attack was far more devastating than perhaps was originally intended.
Q. How do we measure our
(and our supply chain's) cyber risk?
If you can't measure or quantify your cyber resilience, how do you know you are doing it right? Devising a method of measuring performance is crucial to understanding and then improving a business's resilience to cyber threats.
Using compliance as a yardstick is not enough; compliance is simply a licence to do business. Almost all businesses compromised by cyber-attacks are compliant.
about how this risk is measured is becoming increasingly important as insurers
begin to play a bigger role in risk transference, with implications on policy
price and loss adjustment.
Q. What is our relative maturity for
the detection and response to events?
No firm should be an
outlier in any particular sector, either becoming uncompetitive by investing
too much in cyber security or being overly vulnerable by investing too
The best way for an attacker to subvert cyber controls is to attack from the inside and make a user unknowingly complicit. This is how phishing attacks work, using social engineering to subvert basic security controls. Sharing how different businesses are tackling this issue and educating staff members is key to avoiding cyber events.
Ollie made it clear that it is crucially important to understand how a business's competitors and peers are performing in managing their cyber risk. How able are they to detect, respond to and recover from events in relatively short order? Being able to look over a neighbour's shoulder will give a CEO a barometer of how well their own organisation is doing.
Q. Do we have peer relationships across
our sector? Do we share understanding of the threat and practices that
Security is not a competitive differentiator and
shouldn't be viewed as one, because all that results in is displacement. As
senior leaders, we should be encouraging security best practice to be
This stems from building trust and personal relationships with
risk owners across different organisations and this is how a sector will
improve as a whole.
Q. How will our risk posture change over the
next 12 to 24 months?
This is important from a variety of perspectives, as in all business areas cyber risk posture will and should change as different corporate events occur, for example M&A activity, entering new territories, new regulation, outsourcing etc.
The risk approach should flex accordingly to mitigate these risks, for example increasing security as you adopt new IT from an acquired business.
The risk of buying a breach that already exists in an acquired company's IT systems is now becoming a key consideration in the due diligence process, and stress testing acquisition targets' cyber security is fast becoming the norm.
Ollie drew his presentation to a close by saying that, a lot like washing your hands after using the toilet, 99% of threats can be mitigated by good basic IT hygiene.