Cyber Risk – 5 Questions for a CEO to ask

What are you and your business doing to measure, manage and mitigate cyber risk? This is a question that is rapidly moving up the agenda of Chief Executives and Chief Risk Officers across sectors.

At a recent pan-industry event we invited Ollie Whitehouse, Chief Technical Officer at NCC Group, to pose the 5 key questions CEOs need to be asking in order to challenge their businesses in this key area.

Over the past 20 years, Ollie has worked in a variety of cyber security consultancy, applied research and management roles, including being responsible for security research & assessment at RIM (BlackBerry) in Europe. Ollie is a research and science advisor to UK Government on cyber security and is also a mentor at the CyLon incubator. NCC Group works with Apple, Google, Amazon and a wide range of other well-known organisations in this business-critical area.

The breakfast was held at the historic Law Society and we were joined by over 50 Chief Executives, Chief Risk Officers and IT leaders from across a wide breadth of businesses and public sector bodies spanning critical infrastructure, industry, financial services and transportation.

Opening his presentation, Ollie explained that, by its nature, cyber risk operates in a very fast-paced environment and the threats that it poses are ever evolving. As a result, there is often a reticence among senior executives to engage on the matter, as they feel it will quickly descend into a very technical, granular discussion. In addition, unlike health and safety, where there is a very clear manifestation of things that can be quantified and measured, cyber threats are very pervasive. Consequently, some leaders are anxious about having guilty knowledge and not being able to address it.

For Ollie the key word is resilience. Cyber security is not a binary state, and a business is not simply either secure or insecure. There are degrees of risk and resilience, and these should be aligned with your broader risk strategy. Central to this resilience are good IT hygiene practices, for example staff members using complex, unique passwords, not opening phishing emails and not accessing company systems from unknown third-party devices.

The biggest threat posed to businesses is not foreign state actors launching large sophisticated cyber-attacks from underground bunkers, but actually employees trying to go about their work with all the associated pressures and making mistakes. As a result, the vast majority of cyber threats can be eliminated with good IT hygiene practices in place.

Q. Who actively owns and manages the business's cyber risk?

This was the first question posed by Ollie, and it centres on governance. Who specifically in the business actively owns and manages cyber risk? This is often the first stumbling block when it comes to managing cyber threats, with a lack of clarity between the security and IT leadership who advise on cyber risk and the business unit leaders whose responsibility it is to manage it.

Identifying the owner of the risk is critical, and is beginning to become a legislated necessity in regulated sectors. Without an owner how can a business effectively mitigate a risk?

Once that owner is identified, active management of cyber risk is imperative. Russia could not have predicted how extensive the disruption from their “NotPetya” attack would be, but the fact that the NHS’s systems were not regularly updated and patched meant that the attack was far more devastating than perhaps was originally intended.

Q. How do we measure our (and our supply chain’s) cyber risk?

If you can’t measure or quantify your cyber resilience, how do you know you are doing it right? Devising a method of measuring performance is crucial to understanding and then improving a business’s resilience to cyber threats.

Using compliance as a yardstick is not enough; compliance is simply a licence to do business. Almost all businesses compromised by cyber-attacks are compliant.

Thinking about how this risk is measured is becoming increasingly important as insurers begin to play a bigger role in risk transference, with implications for policy price and loss adjustment.

Q. What is our relative maturity for the detection and response to events?

No firm should be an outlier in any particular sector, either becoming uncompetitive by investing too much in cyber security or being overly vulnerable by investing too little.

The best way for an attacker to subvert cyber controls is to attack from the inside and make a user unknowingly complicit. This is how phishing attacks work, using social engineering to subvert basic security controls. Sharing how different businesses are tackling this issue and educating staff members is key to avoiding cyber events.

Ollie made it clear that it is crucially important to understand how a business’s competitors and peers are performing in managing their cyber risk. How able are they to detect, respond to and recover from events in relatively short order? Being able to look over a neighbour’s shoulder will give a CEO a barometer of how well their organisation is doing.

Q. Do we have peer relationships across our sector? Do we share understanding of the threat and practices that work?

Security is not a competitive differentiator and shouldn’t be viewed as one, because all that results in is displacement. As senior leaders, we should be encouraging security best practice to be shared.

This stems from building trust and personal relationships with risk owners across different organisations, and this is how a sector will improve as a whole.

Q. How will our risk posture change over the next 12 to 24 months?

This is important from a variety of perspectives. As in all business areas, cyber risk posture will and should change as different corporate events occur, for example M&A activity, entering new territories, new regulation, outsourcing etc.

The cyber risk approach should flex accordingly to mitigate these risks, for example increasing security as you adopt new IT from an acquired business.

The risk of buying a breach that already exists in an acquired company’s IT systems is now becoming a key consideration in the due diligence process, and stress testing acquisition targets’ cyber security is fast becoming the norm.

Ollie drew his presentation to a close by saying that, much like washing your hands after using the toilet, 99% of threats can be mitigated by good basic IT hygiene.