Cyber guru says CIOs need ‘attitudinal shifts’ towards risk

JLT's Sarah Stephens

Tech chiefs need to focus on “internal collaboration” and treat the potential for a cyber security attack as a strategic business risk rather than an IT or information security one, says cyber specialist Sarah Stephens.

Stephens, who’s head of cyber, content and new technology risks at insurance broker JLT, based in London, is visiting Sydney, Melbourne and Perth as part of her three city tour of JLT’s cyber series awareness program hatched in July 2017.

Over the next two weeks, Stephens will be meeting with the government, and private sector organisations to address significant issues within the Australian cyber security landscape.

“The role of the CIO - whether or not the security part of the organisation reports into the CIO or is working together and they report into operations - is as an integrator of disparate parts of the business,” Stephens told CIO Australia ahead of her national tour.

“With respect to cyber security, we’ve seen a huge shift in attitude over the last five to ten years in terms of thinking through the ability to prevent every attack, and prevent every bit of data exfiltration and much more focused on how can we work together to get to a place of better resilience for the organisation. So reforming cyber risk as a strategic business risk versus just an information technology or an information security risk.”

Stephens said this policy of reform and attitudinal shifts go hand-in-hand with risk becoming a much higher profile within many organisations where CIOs can re-conceptualise the risk in terms of the impact to the business.

And she’s seen a huge uptick in the involvement of the CIO in the evaluation and purchase of cyber insurance, which wasn’t the case several years ago.

“Even as recently as five years ago, we would go into a meeting with the CIO and the risk manager and they’d meet for the first time there. The person who’s in charge of managing the overall risks of the organisation hadn’t met the person who was in charge of information systems - and that’s crazy in an environment where most businesses are completely reliant on technology for both business continuity and growth,” she said.

Additionally, there’s been even more “attitudinal shifts” on the part of the CIO, who now recognises there’s no bulletproof solution to cybersecurity and a need to collaborate with a risk management team and with multiple stakeholders within the organisation to achieve resilience.

“Often times, after the CIO and risk manager had met for the first time, the CIO would be really defensive about being questioned. They would say, ‘It’s not possible that anything could get through the security perimeter that we’ve set up, and our systems are completely bullet proof.’ But we’ve seen this attitude totally change to recognising there’s no such thing as 100 per cent security.”

But many CIOs now recognise collaboration involves a mix of prevention from a technology perspective, work prevention and management from a human perspective, and a bit of residual risk transfer from an insurance perspective.

Asked if CIOs are receptive to the idea of collaboration and in taking more active measures to prevent cyber incidents, Stephens said from her experience studying different regions around the globe, it varies by geography.

“You do see it regionally. Probably because US companies have the mandate to report cyber security incidents which manifest into data breaches for over a decade, I think in that geography you’ve seen people be forced into thinking about the eventuality that they may have to say they’ve had a cyber security incident.

“As that type of law, the mandatory data breach notification, has proliferated around the world, I think you’ll see a slightly slower shift to that attitude elsewhere. But what I’ve observed within Australian businesses is it’s a pretty progressive attitude - a receptive attitude that says, ‘I know we can’t prevent everything, so let’s talk about what we can do.’”

And with the recent rollout of the federal government’s Notifiable Data Breach (NDB) laws in Australia, and other cyber security measures, Australian businesses - from all sectors and industries - are taking notice.

“The notifiable data breach is one part of it, but we’re also raising awareness of the fact that insurance and understanding your risk applies to availability of systems, just as much as it applies to the confidentiality of information.”

Attacks on the rise

Stephens said attacks last year like the WannaCry saga highlight the need for greater vigilance.

“It was quite scary and a number of our clients were impacted to the tune of several hundred million dollars by some of those incidents and so we did see it first-hand.

“Many companies were out for a week, even though they had backup data because they had no way to access that backup. That incident illuminated the roadblocks in resilience and recovery, which are really useful learning experiences for a companies worldwide.”

As a result, companies are starting to match their proactive security steps to threat intelligence, and are trying to think ahead. “So it wasn’t just patching vulnerabilities alone, we saw companies take massive corrective steps in really prioritising that access to cyber security after those incidents.”

While she recognised cyber security is still an uphill battle, she’s hopeful companies are arming themselves with the power of prevention and management.  

“We also have seen huge investment in a lot of organisations approved to address cyber security concerns. And it is not just about buying cool, new technology. It is absolutely about training and about overhauling processes so that we can be more proactive.”

But she expects to see more attacks on the horizon. “We don’t see any slowdown in the number of nation-state attacks or quasi nation-state attacks. Those can be not just motivated by accessing information from a personally identifiable perspective. We will see a lot more theft and targeting of intellectual property to usurp effective innovation from more developed economies to less developed economies.”

She also anticipates security threats to rise with the advent of artificial intelligence (AI), one area of game changing technologies that are digitally transforming businesses.

“We are also seeing great strides on the defences side and mining through threat intelligence with the advent and proliferation of artificial intelligence. But you see that on the bad guys side as well and it is important to remember that all of the technology with which we have access to, and that helps to make us more secure, are being exploited on the other side as well.

“They are being exploited on the other side with no rules and no regulations to slow down adoption or experimentation. And that is something that will make this a continual battle that I don’t think is necessarily ever going to be solved.”

In order to combat the threats, she urged businesses to do a scenario based analysis of what could go wrong.

“If you don’t understand what your crown jewel assets are, what your critical systems are, and what could go wrong, then you don’t really know how to prioritise those controls. And you don’t really know what the goals of your security organisations are.

“Always absolutely start with, ‘what does our normal look like and then what would our abnormal look like? - what would our interruption look like?, what would our data breach look like? - and therefore how can we plan for it accordingly.

She said that should be the first step in any organisation, and one that isn’t a static analysis, but one that can evolve as the business changes.

The female factor

And while she’s in constant contact with reams of people, Stephens recognises she’s often a lone wolf working in the security and insurance realms, two industries that are notoriously male dominated. But she said she’s had great support along the way - and positive efforts on the diversity front are taking place.

“I’ve been fortunate to have both great male and female sponsorship and mentorship throughout my career. As a kid, my father always told us, ‘you can absolutely do anything you want. You can achieve anything you want through hard work. Do what anybody else is not willing to do, always go the extra mile.’ So that is what I did.”

It wasn’t until she took on the leadership roles that she started to experience some resistance and barriers. “In the c-suite there isn’t anybody who looks like me, there’s nobody who has my same background - and those are challenges.

“But it’s really changing. . . Women can continue to help lift each other up and encourage others to join the field and that’s how we’ll get more gender equality in the next generation.”