1. What are the practical ways to break down silos in our company?
The practical way is for the risk leader (Chief Risk Officer / CRO) to form a risk committee, and set objectives for that committee. When the risk leader can bring this audience of business leaders together, the members educate and assist each other as an enterprise family, and build relationships to set common goals. The CRO should establish a regular meeting for these leaders (it could be face to face or via video conference depending on your organization or global structure). Additionally, make time to spend one-on-one with each leader, understanding their unique perspective and concerns. The CISO, HR leader and General Counsel may sit on these committees, bringing focus from their own business unit concerns. It’s really about relationship management, and there is no alternative to spending time together respecting each other’s functions to determine how your combined efforts can impact the company together.
2. I don’t think my company is large enough to have a cross-functional team. What do you recommend that we do?
Look to supplement your leadership with skilled resources and partners who provide advisory or fractional services based on subject matter expertise. In addition, whether you have full-time armies or need help building one, advisory and testing services help assess and address your security needs.
3. How do we prepare for incident response in advance?
Invest in an incident response plan which basically spells out what it is you will do in the event of an incident. This plan shouldn’t be in a huge binder that sits on a shelf – it should be a game-time actionable list for your incident responders, who are business and technology resources and leaders, outside counsel, consultants and industry experts. The plan will define what will be done that is unique to your organization. In addition to the plan, there are other steps you can take, such as a readiness review looking at what your organization needs to respond to an incident and assessing what gaps you may have – assess around people, process and technology, and identify where you should prioritize to avoid looking for things in the moments of an incident. Lastly, the most advanced stage of preparing for an incident response is a tabletop exercise, where you bring in your leaders and technical resources from across the business areas we talked about today to assess how you would and should act in those moments where your “hair is on fire.” Tabletops walk you through a realistic scenario based on actual incidents that have occurred in the industry and that is unique to you, your operations, or your solution and customer risks. These are major steps when it comes to plan development, readiness review, and tabletops with your cross-functional leadership team.
4. So now that you’ve tied all these pieces together, how does that translate to risk transfer, and how does the cross-functional team develop risk transfer solutions?
It will depend on each individual organization, but generally once you have identified the cyber risk, and once you’ve understood that you want to transfer that risk, it really becomes about partnering with a broker to develop the appropriate policy or appropriate risk transfer vehicle. There are a myriad of different vehicles that can be utilized for risk transfer, whether it be through traditional cyber policies in the marketplace, through a captive, or through some other alternative risk transfer vehicle. Most important to this exercise is being able to articulate the needs of the organization to the broker and to the market, so that you can build a policy around the needs of the organization. This can be scenario-based, where you’ve talked through different scenarios that could occur that are important to the organization and the losses that would emanate from those scenarios, or it can be by identifying specific costs that you would want to make sure would be covered should an event occur. Again, there are a myriad of ways that this could be done, but our first suggestion would be that, once you have determined risk transfer is the appropriate step and once you have a clear picture of what your risk profile looks like, you talk with your broker to ensure that a product can be created around that very specific risk profile.
5. What are your suggestions to broaden the “risk” discussion when a company already has security tools and policies, yet remains vulnerable to attack?
A company will always have vulnerabilities. What’s most important is how you manage those vulnerabilities as an organization. Understanding that they exist is one of the first steps to take, along with making sure you are aware the company does have them, and then discussing those across the organization. Cyber risk is not a conversation that is had at the top of the year with policy being set, then shelved until the end of the year. This needs to be a continual topic for the organization. Part of the point of having cyber resilience committees is that they meet regularly and discuss changes and issues that may exist within the organization. What we have found to be quite helpful for many organizations has been the tabletop exercise, where companies have gone through these scenarios and talked through how these vulnerabilities impact the individual components of the organization, and talked through the incident response or business continuity plan and how it’s supposed to look. We have seen on more than one occasion where some of the internal stakeholders from these different disciplines are meeting for the first time at these tabletop conversations, as opposed to meeting regularly throughout the year. It just goes to show that these are critical conversations that really need to be happening, and happening often, to make sure that cyber resilience is at the forefront of the organization’s mind, and that we are putting forth the effort to have continual conversation.
There are policies which can be generic, or they may not be enforced or communicated. When they are not communicated or enforced well, you will see that impact on people. When it comes to people, process and technology, there is a balance that must happen. Depending on the change, it’s business and cultural change. You just can’t change how people use email, mobile or remote working without impacting all of the business processes. So, it’s not just a technology decision. It’s why we talked in the program about all the puzzle pieces coming together to improve what happens with these vulnerabilities. You must decide what’s unique to your business, and decide how you will avoid, accept, transfer or act on that risk. That strategy is sometimes having a discussion across leadership and, if needed, extending that discussion to include experts (whether it’s advisory functions or outside consultants), to help you make those decisions based on what we see in the industry from others facing the same challenges.