What leaders think
Posted on

Cyber Risk: “Bigger than Brexit?”

Technology such as big data, new digital channels and the internet of things (IoT) present huge opportunities for organisations across all sectors. However, risk management around these new enablers is often not as sophisticated as the new technology itself. If this continues, then business strategies based on these new technologies will ultimately fail.

Therefore, we were delighted to be joined by senior stakeholders from across a diverse set of businesses to share insights and questions on the topic of cyber risk management. We asked our speaker Tim Roberts – VP, IBM and global leader for their Security Strategy, Risk and Compliance practice, to talk us through ‘the human element’ of cybersecurity, emerging threats and new technologies.

Cyber Risk not Cyber Tech! Looking at Cyber Security through the lens of risk management rather than purely treating it as a technology topic provides a much wider view for the board and executive. The role of senior management goes beyond hiring a Chief Information Security Officer (CISO) who has a technology background and giving them a large budget to manage risk.

Cyber Risk is not going to go away and is always in the headlines. Late last year, the Wall St Journal produced an article predicting the biggest cause of CEOs being fired in 2018 would be a poorly managed cyber-attack/breach or technology failure. Cyber or Technology Risk is much broader than a hacker trying to break in to your systems. That is part of a spectrum of risks, which include; malicious external attacks, malicious internal attacks and human error. And many of the biggest breaches have caused some form of regime change in the company where they have taken place.

The Wall St Journal produced an article predicting the biggest cause of CEOs being fired in 2018 would be a poorly managed cyber-attack.

The Regulators Regulators across all industries are focusing on Cyber Risk, especially in Financial Services where regulation is more intrusive and involves active supervision. Front of mind for the regulators in Financial Services for a long time has been security and privacy as the key twin topics. However, it’s also worth thinking about the related points of resilience and data quality, ensuring your customer’s data is available and is not corrupted, for instance.

If your organisational structure has business continuity as an entirely separate function from your security team, privacy experts sitting in the legal function and the Chief Data Officer worried about quality and not security, it is almost impossible to have a joined up strategy. All these categories of risk must learn to speak the same language. Regulators are placing greater focus on the Board. Regulators in the US require an annual attestation from the Board that their Cyber Security is fit for purpose.  Whilst the Senior Managers and Certification Regime (SMCR) in the UK is much broader than purely Cyber Security, organisations will have to create a clear Cyber Security chain of command and a link from the boardroom down to the business front line. 

The Data Challenge The issue of managing data inside the organisation is proving to be extremely difficult for large international companies and smaller businesses alike. Advanced analytics on customer data and the on-going management of digital channels and services produces copious sets of data. Different stakeholders sit around this data worrying about different things. Privacy people are worrying about compliance and data governance teams are concerned with how data is protected. If you are a financial institution you have anti-money laundering experts worrying if customers are real and genuine. Reporting functions who are responsible for reporting to the regulator are concerned with the Regulator’s requirements. These are different tribes operating with different agendas and speaking in different dialects about the same set of data. 

Understanding where all the data is housed without falling over your own feet presents another key challenge. For example, a data mapping exercise in one organisation following a breach, resulted in the identification of unencrypted customer data sitting in a test environment leaving them highly exposed. The complexity of managing data from an internal perspective is equally challenging as protecting your organisation from the external threat, especially when you have multiple teams working around the same set of data.

Organisations will have to create a clear Cyber Security chain of command and link from the boardroom down to the business.

One of the biggest challenges for senior management is to simplify and clarify the handling of Cyber and Data Security. It’s understandable the issues around data become complex. It’s a new risk category in many ways. Historically, most non-financial institutions have not had a great deal of data to manage. Now, organisations are swimming in data and trying to exploit it for commercial purposes. Companies historically had traditionally built functional areas which have grown organically. Companies must now rationalise the data challenge and make the management and security of data more holistic and coherent across all functions throughout the entire organisation.

Each individual risk category or silo approaches the challenge from different perspectives and each has their own focus. Privacy people tend to be lawyers, security experts come from a technology background and compliance teams come from either law or regulation.  Risk people are typically either career risk practitioners or have transitioned from finance.

One of the global banks received a letter in London from the PRA seeking clarity about their Cyber Security programme. Their Compliance team knew how to handle an enquiry from the PRA supervisors, but did not understand the content of the questions or have the expertise to respond effectively. The bank’s Security experts understood the questions, but weren’t in any way used to communicating with regulators.  We therefore assisted with their response. This seems to be a common phenomenon across financial services.

One of the biggest challenges for top management is to simplify and clarify Cyber and Data Security.

Often the business strategy is to keep racing ahead to keep up with or beat competitors and thus out-strips the pace of risk management development, exposing the organisation considerably. Looking back at the financial crisis, the technology to exploit and originate opportunities in credit risk had raced ahead of the required risk management. Some of the banks that failed did not know what they had acquired or exactly where this credit risk sat in reality. This is analogous with what we are seeing with digital strategies.

Responding to the challenges This is broken down into 3 key steps:

  1. Master the fundamentals
  2. Adopt an immune system approach
  3. Change the game (keep moving, don’t relax)

Looking at recent breaches, a lot of them are as a result of poor decision making. They are not down to an ingenious attack. Basic steps are not being taken such as: passwords which are not adequately complex, poorly designed networks or failure to effectively monitor the network. In some cases, software that has been bought externally is not even being used or nobody has taken the time to calibrate it. Firms are not enforcing their own Cyber Security policies they have in place. Mastering the fundamentals is doing the very basic things, right, all of the time!

Most people gravitate towards the controls element of a Cyber Security programme. Essentially, products they can buy to help them control the problem. This is part of the solution, but less common are questions such as, how do we set risk appetite for cyber risk, what metrics should we use to measure cyber risk, who owns it or what does an overall strategy look like? Cyber Security is still treated as something that can be delegated to Technology or done in isolation from other functional areas.

It’s very easy to get lost in jargon, hearing weird and wonderful expressions that only exist in cyber security. All functions use their own individual jargon, but the key is to convert this into business language. If the security team would like new investment, they have to articulate what it will deliver, what risk it is addressing and how it is mitigating that risk. Essentially, what is the business case for the new investment? Answers to these questions will always need to be given before any money is granted by the Executive team.

If the security team would like new investment, they have to articulate what it will deliver, what risk it is addressing and how it is mitigating that risk. Essentially, what is the business case for the new investment?

IBM’s immune system approach brings everything together to add up to more than the sum of the parts. Different components in the immune system, as with the human body, will collectively protect you and reinforce each other. IBM adopt this approach for Cyber Risk.

No firm has got the complete answer to the problem. No provider has got all the tools an organisation will need. Lots of new ideas are emerging within this relatively new risk type and we all need to work together against a common enemy.

Cloud security is very different from storing data within an organisation’s own data center, operating under the same risk appetite, but requiring different methods to get to the same risk identification. IBM is currently helping develop a standard technology control framework with a consortium of banks. This framework has now been mapped to 24 regulatory jurisdictions around the world, helping companies articulate compliance with their controls.

‘Change the game’ is not referring to gaining competitive advantage, moreover, getting one step ahead of your attackers, when your attacker is relentless, well-funded and well organised. To deal with multiple types of attacker, it’s important to try and identify people who are attacking the network, locate them and track them once they are in the network. Firms often put in place a security operations centre (SOC), but in many cases, data being accumulated in SOC is not being used effectively to analyse risk. We recommend using the SOC as a centre of analytics to understand the patterns it’s producing i.e. when people are attacking you, how they are doing it and are they repetitive and persistent? Essentially, what can be learned from this data and can it be crystalised and presented to the board and executive? Finally, the use of cognitive technologies to monitor networks is a huge benefit to organisations and an increasing trend being witnessed.

Following the presentation, guests were invited to share observations or ask Tim questions:

“There are existing forums and collaborations. For example, Cyber & Information Security Consortium CISC, an on-line platform to share information anonymously. If organisations have a Chief Information Security Officer (CISO) who is not talking to the Board in business language, then you have not got a CISO. At best, you may have a Head of IT Security. A CISO should not be from a technology background”.
CISO, Major Manufacturing Business

Q How do you ask the $64m question, how much is enough?
Chief Risk Officer, Challenger Bank

A“It’s a very difficult one. It’s linked to assessing risk appetite in a measurable way. IBM have a big library of metrics which can be tailored to individual firms based on their business to help them set risk appetite against the metrics. Secondly, look at your peer group and determine what they are spending and using to ensure you are at the front of the pack and therefore not a more attractive, easy target because you are the straggler.”

Q How do you see cyber insurance – a hindrance or a help?
Chief Risk Officer, Life Insurer

A“We are starting to better understand how the insurers and brokers operate. Indeed, we have just signed a partnership with Willis Towers Watson. Cyber insurance is still a market under development. Placing too much reliance on insurance is problematic at this stage, when factoring in quantification, claims and contributory negligence. Having some cyber insurance is good as it contributes towards the cost of a breach in some way, but it should not be used as a sole strategy, in my opinion.”

Q In the world of disaster recovery, people have plans but do not test them. From a Cyber Security perspective, what is the maturity of independent testing in an organisation across the marketplace?
Non-Executive Director, Major Building Society

A“It’s variable. Within financial services there are regulatory driven testing programmes. In other cases we do regular testing programmes for clients outside of financial services, who are trying to be imaginative in how they test. Some clients implement routine, annual pen (penetration) testing. We have not yet reached a steady state to determine what is normal. In relation to testing a disaster recovery plan, we bring clients in to a simulated security operations centre in Boston to rehearse an attack and they have to respond. There is a TV studio with a fake news reporter to interview people. Essentially, we are looking for vulnerabilities in using a fictitious scenario.”

Q Do you assess an organisation’s overall joined up architecture?
Chief Credit Officer, 1st Tier Bank

A“We do various types of testing. From testing a particular set of narrow controls to holistic testing of people, technology and policies. Banking is going through significant change at the moment, requiring a more holistic approach to Cyber Risk.”

Summary Cyber Risk is the risk topic of our time, spanning all industry sectors. Whilst progress has been made, it’s apparent that organisations are not moving as quickly as technology. The status of Cyber Risk within many businesses does not appear to be comparable with other risk categories – credit risk in banking, for instance. Breaking down silos and adopting a truly holistic approach to Cyber Risk requires strong support and leadership from the Board and Executive teams. Cyber security needs to win over the hearts and minds of the people within the business to provide an effective defence against both the obvious external threats and less obvious internal threats.