Posts Tagged ‘boardlevel’

Cyber Resilience: Part One Introduction

This blog series is a re-tooling of a white paper I drafted in May 2015 while working at Stroz Friedberg. I want to thank Stroz Friedberg for the support and time to develop these ideas and specifically want to thank Bill Trent and Simon Viney from Stroz Friedbergs London office for their assistance and review. I also recieved valuable feedback from David Porter at Resilient Thinking and Dave Whitley at BAE Systems.

Introduction

The prevalence of digitally-enabled businesses, Internet-dependent customers and Internet-connected supply chains creates near unlimited opportunities and points of entry for cyberattacks, and significantly increases the potential for cybercrime to damage a company’s ability to maintain operations. This has created an environment in which cyberattacks by criminals, hacktivists and state-sponsored actors are more frequent and more damaging than ever.

(more…)

Board of Cyber

I have a lot of sympathy for UK boards of directors.

UK boards of directors have had cyber pushed onto their agenda by the government, regulators and the Financial Times for several years. Unfortunately many board members are often ill-equipped to fully understand the executive decisions regarding cyber they have now been prompted to review. This is exacerbated by a similar lack of understanding of cyber security among executive management teams and a lack of communication skills and business acumen among CISOs.
(more…)

Follow the Money

When we talk about security with the business we need to talk about money.

I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of business but was always reticent to jump feet first into financially-driven security for a couple of reasons; firstly  I just couldn’t see how we could put a reliable value on what we did and secondly I was nervous about what that might expose. In hindsight I find myself increasingly becoming a financial fundamentalist for security.

Business is fundamentally the generation of profits to maximise the returns of investors. It is the result of one equation:

Profit = Revenue – Costs

(more…)

Cyber Exercising

Cyber Exercises are a powerful and valuable tool but it is easy to confuse what we mean.

I was a member of the Scenario Design Group for the Bank of England’s Waking Shark 2 cyber exercise this year. It was a fascinating experience, seeing how the top cyber/technology risk people at the banks view a massive cyber attack, what really concerns them as well as seeing the regulators and other government agencies engaging with industry.

Waking Shark 2 garnered a lot of headlines but little of real meat made it to the public domain. I signed up to the participants non-disclosure agreement so I won’t be  adding any details here. There will be a publicly published report from the Bank of England for that soon enough.

(more…)

Cyber’s Dirty Secret?

In 2011 the U.S. Securities and Exchange Commission (SEC) issued guidance on the disclosure of Cyber risks and Cyber incidents where they may significantly affect the risk of investing in the company reporting to the SEC.

This was controversial at the time and has led to an interesting revelation recently; many of the biggest US companies reporting Cyber incidents to the SEC have stated they suffered no major financial losses as a result. The context should be remembered in that on one hand these companies would like to reduce their reporting requirements and would love not to have to show their dirty laundry to the world but on the other hand these financial reports are personally signed off by the C-level executives in these companies and errors, inaccuracies, omissions and lies can all lead to fines and jail time for the individuals involved.

(more…)

Twitter RSS