Freedom after the sharks

2021 has progressed with even more challenges and promises to deliver even more changes to the pace of a fast technological environment, risk professionals need to look back and consider the lessons learned from 2020.

Have we returned to where we were, or have we moved on to a new norm?

What does the COVID-19 pandemic market data tell us that will help us to prepare for future global crises?

2020 was a rollercoaster for the financial markets. At the beginning of the year, the economy was enjoying the longest continuous growth stretch on record.

The stock market was constantly hitting new highs. The Federal Reserve was starting to bring Treasury yields back up for the first time since the Great Recession. And, then came March.…

Given that framework, the first question we want to answer is: “As risk professionals, how prepared were we for these types of market swings?”

In the insurance industry, companies rely on economic scenario generators (ESGs) to produce a wide range of plausible, cohesive futures for the variables that drive their results — for example, corporate bond and equity returns, as well as Treasury yields.

These models are not predicting specific events, like a pandemic or a war; instead, they simply attempt to estimate the likelihood of a 20% drop in the equity market over the next year.

So, to answer the question posed above, we need to test how well the ESGs that we use we’re able to predict the financial market movements we have seen in 2020.

If our models covered these types of results, then we can take comfort that we were well prepared; if not, then we have to think about how to adjust our framework to be better prepared for the next calamity.

So, where does this leave an Insurance Chief Risk Officer?

First, we should take a critical look at how well our key economic models performed at anticipating these types of extreme market movements. If our models weren’t up to the task, then we need to rethink how those models are calibrated, as this is likely to lead us to either take on too much risk or the wrong types of risks.

We also want to make sure we perform this review on both the good times and the bad times since we are using these models for much more than just risk measurement.

This now brings us to one of the widest subjects in technology today; Cyber Risk insurance, which has become very popular over the last five years with larger corporations as a means to potentially cover the unexpected cost relating to data breaches and ransomware attacks.

This is not surprising taking into consideration that Global ransomware damage costs are predicted to reach $20 Billion (USD) by 2021 according to the latest report by Cyber Security Ventures.

According to the report, this is a 57X increase in the last five years. Ransomware is expected to attack a company every 11 seconds according to the report.

Ransomware poses the biggest threat as a business is adversely impacted to a point where business is shut down. In 2019 alone, the average business downtime was over nine days. According to Bitdefender, downtime costs due to ransomware on average were 50 times more than the ransom requested from Cyber Criminals.

According to the latest IBM Security Ponemon report on the cost of data breaches, the average for data breaches in the US was $3.8 million (USD) for less than 100,000 records. The average time to identify and contain a breach is 280 days. In breaches of 1 million to 10 million data records breached, the average cost was $50 million (USD), more than 25 times the average of the cost of breaches for less than 100,000 data records.

Looking at the following top Cyber threats to companies for 2021, according to Security Boulevard, the cyber attack surface is increasing as companies accelerate digital transformation and remote work, leaving the company at higher risk for Cyberattacks.

• Cloud-based threats. As more companies move to cloud services and adopt more cloud-based tools from 3rd party vendors, this also increases the security footprint the company needs to look at protecting. It is no longer just the internal systems of the company that poses a risk.

• Insider threats. This involves internal actors (employees, contractors, vendors) with valid credentials to key business systems colluding with cybercriminals to provide them access to data that can lead to data breaches and ransom attacks.

• Remote worker end-point security using unsecured network services leading backdoors open for cybercriminals to gain access to company data and infrastructure.

• Phishing attacks employing social engineering to gain access to access credentials.

• Deep Fakes. A growing threat where artificial intelligence is used to manipulate videos that falsely represent a person to commit more advanced phishing attacks. This could generate synthetic identities to gain access to systems.

• IoT devices. Unless properly secured within the overall part of the business, the introduction of IoT devices increases the complexity and attack surface for cybercriminals to exploit. The recent Verkada cyberattack exposing video footage of over 150,000 cameras of various companies such as Amazon, Tesla demonstrated this risk.

• Malvertising where malicious advertisements including technical support scams are used to spread malware.

• Sophisticated and targeted ransomware attacks. This includes a key risk around personal staff safety.

• Social Media attacks where cyber criminals use social media platforms posing as the legitimate company in order to spread malware.

Taking into consideration that the average cost of Cyber Insurance in 2020 in the US, according to AdvisorSmith was $1,485 per year covering the liability of up to $1 million.

There are a number of factors such as company revenues, and the number of sensitive data records, to name a few, that impacts Cyber Insurance premiums.

Looking at the averages for Cyber insurance and the explosive growth in the cost of data breaches, most companies are grossly under-insured to cover the costs of potential data breaches or ransomware attacks.

Cyber-insurance may be a good option for covering some of the liability and cost in the event of a breach, however, it falls way short in minimizing the actual liability in the cost of a data breach or ransom attack to the company.

How should companies and the Board balance the cost to cover the liabilities due to cyber risk in the company?

Spend more money on insurance with higher premiums vs. more investment to implement risk management across the organization and supply chain through policies, incidence response preparedness, cyber training, and Cyber Security systems?

The latter part of the equation can be quite daunting, and the “easy” way out seems to be to rather take out the insurance, and deal with it when a breach happens.

What shall companies look at in order to solve an increasingly complex cyber governance problem when looking at the cost, and where to most effectively spend the money to mitigate the risk?

The typical cost for a cyber attack when that happens can be broken down into the following elements:

• Forensic analysis for identifying the attack source
• Unplanned IT spend to recover data, remove malware, recover from downtime, implementation of new systems to prevent similar attacks, 3rd party vendor or supply chain systems updates, other
• Public relations services
• Notification of clients, shareholders, and regulators
• Credit monitoring services (if financial data was stolen of customers)
• Loss of income
• Regulatory penalties depending on the breach

The best strategy is to as much as possible, avoid the additional cost through better governance and incidence reporting and planning and implementation of automation of security as reasonably possible.

Worldwide spending on information security and risk management technology and services continued to grow through 2020, although at a slower rate than previously forecast, according to Gartner, Inc.

Information security spending grew 2.4% to reach $123.8 billion in 2020. This is down from the 8.7% growth Gartner projected in its December 2019 forecast update. The coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies, and cost-saving measures.

“Like other segments of IT, we expect security will be negatively impacted by the COVID-19 crisis,” said Lawrence Pingree, managing vice president at Gartner. “Overall we expect a pause and a reduction of growth in both security software and services during 2020.”

Gartner’s survey showed the top 10 categories of expenditures as follows:

1. Application Security
2. Cloud Security
3. Data Security
4. Identity Access Management
5. Infrastructure Protection
6. Integrated Risk Management
7. Network Security Equipment
8. Other Information Security Software
9. Security Services
10. Consumer Security Software

How big is your cybersecurity budget? Probably not big enough. Organisations need to invest more in their security.

Over the years, spending on cybersecurity has changed substantially. In 2019, worldwide spending for security products and services is estimated to be more than $124 billion, an increase in growth of 8.7% from last year.

Companies around the world are no longer considering cybersecurity a minor part of their spending budget, but rather a priority. One of the main reasons for this is the large security breaches that have occurred in the past few years, putting business and personal data at a higher risk than ever before.

According to IBM’s report, companies with fully deployed security automation saw a cost-saving of $3.58 million (USD) on the cost of a data breach vs. companies with no security automation.

Companies with incident response preparedness so an impact of $2 million (USD) savings on average on the total cost of a data breach.

Boards and companies should have clear plans and strategies around the following four cost centers. Where cost centers are missing, these need to be taken into consideration. Start with assessments of the status of the activities within these four key pillars for cyber governance and make these a strategic part of all budget spend and activities across the whole company, as well as 3rd party supply chain of the company.

Detection and escalation. Activities that enable a company to reasonably detect the breach.
• Forensic and investigative activities
• Assessment and audit services, including Incident Response
• Crisis management
• Communications to executives and boards

Lost business. Activities that attempt to minimize the loss of customers, business disruption, and revenue losses.
• Business disruption and revenue losses from system downtime
• Cost of lost customers and acquiring new customers
• Reputation losses and diminished goodwill

Notification. Activities that enable the company to notify data subjects, data protection regulators, and other third parties.
• Emails, letters, outbound calls, or general notice to data subjects
• Determination of regulatory requirements
• Communication with regulators
• Engagement of outside experts

Ex-post response. Activities to help victims of a breach communicate with the company and redress activities to victims and regulators.
• Help desk and inbound communications
• Credit monitoring and identity protection services
• Issuing new accounts or credit cards
• Legal expenditures
• Product discounts
• Regulatory fines

(Cost center model per IBM in the Cost of Data Breach Report)

Digital technologies are ushering in a new era and driving transformative changes in every industry, as organizations adopt these technologies to redefine how they create, deliver, and capture value.

Identifying, understanding, and addressing new risks associated with digital transformation will help businesses derive more value from their efforts in the future. What’s more, understanding how digital transformation can be applied to risk management will enable organizations to take a more balanced view of digital technologies as both a source of risk and a way to manage risk.

As your organization embarks on its digital journey, we invite you to learn more about the evolving risk landscape and new opportunities to better manage risk.

Misalignment between an organization’s goals for digital transformation and employee values and behavior creates new culture risks.

The final topic we would like to address is digital ethics, being more in tune with digital ethics and having plans and processes in place will also help organisations respond more effectively when an incident does occur.

Firms not only need processes in place to ensure that they are ready to respond quickly to address problems but also to fulfill their regulatory obligations by promptly disclosing any breach to the regulator as well as any impacted customers.

As part of their digital transformation efforts, organizations need to act responsibly and promote ethical use of technology.

They also need to have pre-established influencer relationships that they can leverage to counter any hysteria or misinformation which might arise that could interfere with their business or impact their brand.

Organisations that have a culture that takes digital ethics seriously, will behave in ways that will minimise the risk of incidents and will act in ways that help build stakeholders’ trust. Those that don’t take digital ethics as seriously will not only be at higher risk of impact but will struggle to establish such trust.

Making data ethics a key corporate value can have a significant potential upside. Implementing data privacy policies and updating crisis management plans to address data breach scenarios will minimise any downside.

At the very least, engaging with Influencers or Cyber professionals/experts early can help you be better prepared to respond to calamities, our definition of influencers is quantified as Cybersecurity specialists who play a key role in securing information systems.

By monitoring, detecting, investigating, analyzing, and responding to security events, cybersecurity specialists protect systems from cybersecurity risks, threats, and vulnerabilities.

While taking their advice or using them to independently assess or benchmark your data privacy policies and crisis management plans can be used to demonstrate best practice in these areas, which in turn can mitigate potential fines or legal exposure in the event of a calamity.

Your customers want you to take a stand on data security and privacy, and be transparent about it – seeing it as more important than either your diversity or sustainability efforts.

Each and every company, regardless of its industry, has weaknesses that hackers exploit for their own gain. Just because a business is small or not in a vertical often associated with valuable data (such as healthcare or financial services) doesn’t mean it won’t make an enticing target for an opportunistic cybercriminal.

In fact, there are a number of reasons why start-ups and small businesses are sometimes more likely than even big businesses to be targeted.

• Customer Information: Even the smallest start-ups often store or handle customer data such as financial information, Social Security numbers, and transaction history.
• Proprietary Data: Start-ups often carry innovative and creative ideas for products and services, as well as internal research data that could be valuable to outside parties.
• Third-Party Vulnerabilities: Hackers also target small businesses and start-ups because they sometimes do business with larger companies as third-party vendors and can provide entry points into those more valuable networks. Target’s infamous 2013 credit card breach, for instance, happened because of vulnerabilities in a third-party vendor’s system.
• Multiple Interfaces: Another reason for increased attacks is the growing use of Internet of Things (IoT) devices that increase the attack surface of networks. Small businesses are turning to IoT devices more often due to their lower costs and growing capabilities. Unfortunately, hackers often exploit poorly secured devices as a backdoor to access broader, more sensitive networks.
• Lack of Finances: Since small businesses and start-ups are working on a tight budget, they don’t always place cybersecurity is not at the top of their priorities list and often neglect the latest patches and updates.

The power of digital technologies to enable new sources of revenue can be significant. Due to the proliferation of digital technologies and the particular ethical challenges they present, organizations are increasingly expected to consider ethical obligations, social responsibilities, and organizational values as guides to which digital opportunities to pursue and how to pursue them.

As discussed in the “Managing data risks for value creation” trend, responsible and unbiased collection, handling, use, and privacy are top areas for concern when it comes to data. Also, there are increasing calls for digital services that are fair and equitably accessible, promote physically and mentally healthful uses, encourage inclusion, and are geared toward socially beneficial uses.

Digital adopters want technologies that aren’t harmful or abusive and are safe and error-free. There’s an opportunity to do well by doing good—pursuing digitally responsible growth strategies that build stakeholder trust.

Finally, organizations are conscious that digital transformation involves more than technology adoption. It requires concerted efforts to define how enterprises organize, operate, and behave by aligning strategy, structures, processes, people, and technology to build a unique digital DNA.

Organizations can sidestep unnecessary risks and harness risk to power performance by adopting a risk lens and a holistic approach as part of their efforts. Below are a few guiding principles.

Conclusion; Boards can harness risk to power performance in a digital world, but only with a responsible Digital DNA and hopefully with the Digital Services Act (DSA) that will bring digital reform.

As Tom Golway, Chief Technologist in the Advanced R&D organization of Hewlett Packard Enterprise once said:

“The deeper, philosophical question is does the 1st Amendment apply to AI algorithms. Resolving this is an immediate challenge that needs open dialogue that includes a broad set of disciplines, not just technologists”

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Prior she was CIO at Cell C, a challenger mobile carrier, and prior held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSC in engineering.

LinkedIn: Profile

Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across; ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.

LinkedIn: Profile

Boards of directors have been working hard to fulfill their risk oversight responsibilities in a challenging environment. Regulations are changing rapidly in most industries, and vary significantly across countries.

Investors, analysts, and the public are demanding greater transparency into risk and risk management, as are creditors, counterparties, and other stakeholders. Many boards legitimately wonder not only what regulators want, but also which approaches to risk oversight actually work.

Deloitte set out to study a specific and very effective risk governance mechanism: board-level risk committees. This report revealed the prevalence of board-level risk committees (whether standalone committees focused solely on risk, or hybrid committees such as audit/risk) based on an analysis of 400 large public companies in eight countries.

In summary, these were some of the findings:
§ Board-level risk committees are well-established and widespread — present in 38% of the 400 companies analyzed. About a quarter (22%) have standalone board-level risk committees, while 16% oversee risk through hybrid board-level committees.
§ As might be expected, board-level risk committees are most prevalent in FSI companies (88%), but are also present in other industries (26%), often to a significant extent, depending on the country.
§ Local regulations affect risk oversight structures. Australia, Brazil, Mexico, Singapore, the UK, and the US have regulations that require risk committees at the board level for FSI companies (sometimes dependent on the type and size of the company).
§ Overall, 62% of all companies analyzed do not have a board-level risk committee. This largely reflects the lack of regulatory requirements for board-level risk committees in non-FSI companies in most countries.

Every week, a new data and security breach seems to be reported that appears to exceed previous breaches and hack in scale. This year we are also seeing different uses for Distributed Denial-of-Service beyond simple volumetric attacks, including what we call quantum attacks.

Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation.

These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.

This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

If it were to be measured as a country, the facts are; cybercrime which is predicted to inflict damages totaling $6 trillion USD globally in 2021 — would be the world’s third-largest economy after the U.S. and China.

Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year and will be more profitable than the global trade of all major illegal drugs combined.

The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state-sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data, and systems, and reputational harm.

Some with more complexity in the hack such as the Solar Winds supply chain breach, and others with less complexity, such as the recent global breach of Verkada of over 150,000 security camera data by hacktivists. Once again, the data breach was global in nature and exposed again the security policy and process vulnerabilities these hackers are using to gain access to corporate data via root access.

Industry research has shown that hackers are active in corporate systems for an average of 8 months before they may do something or make themselves known. Over 76% of cyber risk is due to insider risk, involving collusion between hackers and corporate insiders. It is no longer just a “technical” hack.

What is root access? A root administrator or gatekeeper is a superuser account on a computer or network and that has complete control over all aspects of the system or network. The root administrator can access all data, software, configure, delete and change software code in the systems or network.

One of the top risks identified in cybersecurity audits today is a regulatory governance risk. This requires a legal requirement to be audited with respect to IT security, making audit and compliance metrics highly relevant and important.

Some examples include:

Audit and compliance metrics
➢ “Are we ISO-27001-compliant?”
➢ “Do we have a vendor risk management program?”
➢ “Do we have any outstanding high-risk findings open from our last audit or assessment?”
➢ “What percentage of the NIST framework are we implementing?”
➢ The NIST framework has roughly 80 questions associated with it. If a board member asks if you’re doing the NIST framework, you might say, “Today we’re doing 60% of it.”

Operational effectiveness metrics
➢ How many intrusions were detected this year?”
➢ “How quickly are we detecting, investigating and remediating threats?”
➢ “How much have we spent this year?”
➢ “How many vulnerabilities were in our network and how quickly were they fixed?”
➢ “How many compromised systems did we have compared to last year?”
➢ “Has our risk profile changed?”
➢ “How did we compare to our peers across X time span?”

Knowing the best practices on how to present cybersecurity to the board is one thing but without substantive data, you won’t have a very compelling (or helpful) presentation.

The first thing you need to keep in mind regarding metrics is context. Board members likely don’t know what it means if you say that “500,000 intrusions hit the detection system.” You need to focus on being concise with your explanation and show them how the metric impacts the health of the company.

You’ll want to focus on showing metrics over time that the management, or lack of management, processes and policies of root admin passwords. In most cases, these processes are manual at best and there seems to be little appetite to implement additional security technologies that can dramatically reduce this risk.

IT organizations have become more fragmented in nature, especially where there are differing roles for Chief Digital-, Chief Information- and Chief Information Security Officers in organizations, each having responsibility for specific aspects of the overall technology stack of the corporation.

Unless there is a close collaboration between these roles, there will remain gaps in governance of access to data, systems and networks in corporations.

Take into consideration that a corporation is part of a business ecosystem of employees, contractors, 3rd party vendors and their contractors, resellers, partners and customers. All these parties require access to corporate data, systems and networks. The management of access and data security is no longer just contained to the closed “bubble” of a corporation and its employees alone.

The cyber strategy needs to incorporate this more complex supply chain risk and how to manage this across the business ecosystem. This is especially true for management of user access into these systems.

Very few companies have checks on when employees from vendors, 3rd party contractors and partners leave, and need to be off-boarded off the corporate systems. The more manual these processes, the higher the risk that their will be dormant user credentials that hackers can exploit.

Where there is little appetite to spend more money in key IT security systems, the typical practice is to have the risk logged in the corporate’s risk register and key executives, and in some cases the board, to accept and sign off on the risk.

Another approach is to do more “training” in awareness of cyber risk and write more policies, which again is only an internal approach to the corporation and employees alone. Training tends to happen when new employees are onboarded, and perhaps retrained after yearly pen-testing.

Employees tend to step through training, which includes reviewing the policies, and then forget about it as soon as they have received the credits for the training. The more extensive the policies are, the less effective they are in having people follow and implement them.

There still seems to be a lot of complacency at board level in managing the cyber risk, or in some cases, this is non-existent at board level. The main driver is the perspective of an “insurance” approach of cyber risk management.

As long as there is an “insurance” cyber risk mindset believing that a breach has not happened and we will “insure” the risk in case it happens, the corporate will remain at high risk when a breach happens. CISO and/or CIO’s are still missing at the board table, although this is changing. This leaves a gap in poor understanding of cyber governance for the company at board level.

Don’t just leave the Cyber risk management up to the audit committee.

When cyber events happen, how do boards manage the challenges, cost and potential reputational risk?

Key steps boards can take to improve cyber governance, strategy and response to a major cyber event:
● Appoint third-party Cyber advisers as non-executive directors of the board.
● Appoint the CIO and/or CISO as members of the board
● Cybersecurity technology and services investment plan and strategy – ensure there is sufficient budget
● Establish a cyber business response plan
● Have a clear plan in place protecting the well-being and safety of employees
● Employee cyber safety reporting – especially where employees may be threatened and at risk
● Cyber incident and risk reporting as part of the monthly board agenda

Cyber risk can no longer be viewed as an “insurance” type of risk. The stakes are too high. The risk is no longer just relevant to your corporate, it involves managing the cyber risk as it relates to your full supply chain and business ecosystem.

The bottom line is that every board should periodically assess the risk oversight and governance needs of the organization and take whatever steps it deems necessary to address those needs. A board-level risk committee, whether standalone or hybrid, is one effective means of attaining the necessary visibility into risks and risk management and of exercising risk oversight. It is also one that most boards should at least consider

Not long ago, a board of directors would meet once or twice a year to be briefed on cybersecurity, check the box, and move on. Cybersecurity was little more than an afterthought, and mostly a box-checking exercise for compliance or to make sure the bases were covered in the wake of a newsworthy event. With little technical understanding at the board level, many were happy
to simply throw money at the problem and leave it to IT professionals to handle.

The Cyberspace Solarium Commission has an urgent message for the boardroom and C-suite executives: The status quo in cyberspace is unacceptable, which is spelled out in its groundbreaking 2020 Report which proposes a strategy of layered cyber deterrence to protect all U.S. businesses and governments from cybercrime and cyberwarfare.

Finally, We can all agree over the course of 2020, global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cybersecurity landscape. Traditional threats such as generic Trojans, ransomware and spambots were transformed.

Every company should have a CISO or cybersecurity expert on their board because cybercrime is the greatest risk to business continuity that every company faces.

Cyber should be at the center of business strategy – not technical strategy only.

The idea that we are describing, is to put a senior cyber executive in the boardroom who will wave the red flag and challenge the severity of the risk and have the main and operational board pay attention to the severity of risks. No longer can you rely upon or expect the CEO to be carrying the competency of cyber risk to the business, but to have the inclusion of Cyber experts and make better decisions on business risk, absolutely.

The question is not whether you will be attacked. The case may be that you have already been attacked or witnessed a vulnerability breach without your prior knowledge. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.

James Brien Comey Jr, an American lawyer who was the 7th director of the Federal Bureau of Investigation (FBI) famously once said: “We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.“

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Prior she was CIO at Cell C, a challenger mobile carrier, and prior held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSC in engineering.

LinkedIn: Profile

Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across; ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.

LinkedIn: Profile

Sources:
– Deloitte
– Cyber Security Ventures
– CSC Research