Risk management is moving through three eras: the now passed Era of Compliance (from 2005 to 2012), the present Era of Risk (from 2013 to 2020), and the coming Era of Maturity and Ubiquity (which will dawn in 2020). That's how Deloitte's Andrew Morrison saw it when he opened the panel he moderated at the Global Cyber Innovation Summit in Baltimore on May 1st, 2019.
"Cyber Risk: Whose Job is It Anyway?"
One obvious and necessary approach to an answer to the panel's question is through organization: who reports to whom? At Allianz, Scholz said, the CISO reports to the COO. The intent behind this organization is to move the CISO closer to the business, and farther from IT. There are many cyber risks, Scholz noted, and they affect a company's lines of business, not just its IT infrastructure. To Morrison's rhetorical question, "Are we managing risks or tracking vulnerabilities?" Sholz answered, "Cyber risk never disappears, and it's part of enterprise risk management." That means it must be continuous management. CEOs understand that compliance is important, and that when there is a cyber incident that incident must be contained as quickly as possible.
Companies are showing a greater awareness of third-party risks. They should, Kneip argued, ask what cyber risk exposure comes with new vendors or new initiatives. And every business has a legacy of partners they may have worked with for years, and those legacy partners have often never been subjected to a risk assessment.
Another necessary approach to the question is to frame an answer in terms of communication. Inevitably risk management at an organization's highest levels requires boards and C-suites to deal with issues on which they don't themselves have expertise. So they must be able to draw upon those who do, but in a discriminating and reflective way. Kneip pointed out that it's not news that boards and security people speak different languages and use different metrics. Boards do want metrics, which "are a way of getting your head around something you don't fully understand." Consider the way Consumer Reports uses Harvey Balls and other ways of presenting metrics of quality and reliability to its audience. CISOs could draw some useful lessons from this approach. Scholz has found a traffic-light approach to communication useful, and Monaco argued that boards themselves still required education in cyber risk.
Tabletop exercises are a valuable approach to both education and preparation for boards. Allianz runs its board through crisis drills, Scholz said, and he emphasized that it's important to do this regularly. Monaco agreed, and recommended that companies involve their general counsels in such exercises. Kneip offered the last bit of advice: keep the awareness training simple. "Start with the basics, and empower people."
A CEO's perspective.
The Summit closed with a fireside chat between Christopher Bing of Thomson Reuters and Deloitte's Chairman and CEO Joe Ucuzoglu. It's not difficult, today, Ucuzoglu asserted, to get the attention of either the board or the C-suite when it comes to cyber risk. CISOs should view themselves as collaborative business partners. "From the board's perspective, cyber can seem esoteric, menacing, disturbing," and so the CISO should place cybersecurity issues into a context the board can understand, and risk assessment is important to this dialogue.
Cyber is no longer siloed, if it ever was. It's now pervasive, touching every part of a business. CISOs should build their relationship with CEOs on transparency. "Don't sit on something hoping it turns out to be no big deal." He advocated wargaming as a good way of learning about the adequacy of a business's preparations to withstand and recover from a cyber incident.
It's also important to build relationships with other companies, and with law enforcement, Ucuzoglu thought. Let an understanding of the different motivations of different attackers inform your appreciation of risk. And he isn't getting his hopes up about the likelihood of some Geneva Convention emerging that will deter nation-state bad actors. He dismissed that hope as "pollyannaish."