DRM Institute Leader Series
Principal at The Chertoff Group
What are the digital threats to the business that your industry should worry about?
As a global advisory firm focused exclusively on the security and risk management sector, we advise companies on threats that may be pervasive across sectors, as well as individual threats to a particular sector. I currently see the biggest threats to business across industries in a couple of areas.
Almost certainly, the theft of financial and personally identifiable information tops the list because it’s the most easily exploitable by cyber criminals. It’s also what concerns financial institutions and retail organizations the most because of the impact on their reputation and economic viability. Secondly, I worry about espionage and the subsequent theft of intellectual property. This doesn’t get a lot of public visibility, but it is a significant threat and poses great challenges to the future of our national economy. This type of attack can provide the recipient of the theft a huge advantage in being able to develop and bring products to market without the resource expenditures it took to develop the IP in the first place. Another growing threat, and the one that truly worries me the most, is exploitation of industrial control systems such as those associated with manufacturing, oil and gas, and the electricity industry.
Last December, there was a cyber attack reported in Germany where a steel mill was compromised and unable to shut down. The hackers were not caught and there is much speculation as to why they would go after an obscure steel mill in Germany. Was it an experiment in preparation for something bigger? No one seems to know at this time but this and other recent events have the security community concerned that control systems will be more frequently targeted as cyber criminals get more experience with the systems.
What initiatives are you spearheading?
At The Chertoff Group, we focus on intelligence-driven global risk management and understanding and assessing security risks as they relate to the overall business. We have a growing portfolio of risk assessment engagements that help us provide experienced advice to both technical and cybersecurity executives, but perhaps more importantly, the Board and executive level leadership for companies who are increasingly interested in understanding the potential impact of those risks.
The information security community continues to gauge the return on investment for those security tools, technologies and services necessary to protect a company’s information resources but it remains a significant challenge. And while these organizations are never going to completely eliminate the technology component of security, if you look at security from a risk and business perspective, it’s much easier for executive leadership to develop and understand a digital risk profile that assists in key decisions such as technology and workforce investments. So that’s really what we focus on – helping large organizations understand cybersecurity and risk from a business perspective.
What is missing in helping companies tackle digital risk?
The recent Sony attack put an exclamation point on the need for executive leadership to start understanding cybersecurity risk – and potential impacts – before they happen. We speak regularly with executive teams and board members who deal with risk – they understand it’s their responsibility to know about financial and regulatory risks. However, they typically think of cybersecurity risk as something only the CIO or CISO needs to worry about. What we are conveying at the Board level is that you can’t assign cyber risks to the IT folks any more than you can assign financial risks to the CFO. It is a leadership issue that requires a greater understanding of what the cyber risks are from a business perspective and being able to prioritize and allocate the resources appropriately to address those risks. Cyber sounds scary but my advice is to simply consider cyber as just another of the many risks they deal with daily.
I’d add that cybersecurity insurance is a growing area and we are actively involved in helping companies understand why they need it. There is increasing demand by both underwriters and brokers that companies need to have some type of risk profile before they will write an insurance policy. This risk profile determines if a company can get the insurance coverage and how much it will cost... or if they need to raise their security posture to a level that allows an insurance company to underwrite their risks.
Ultimately, the companies best positioned to deal with risks are the ones that readily acknowledge that it’s not a matter of if something is going to happen, but when it will happen. It’s almost become cliché to say that everybody is at risk, and the ones who minimize it are the ones that are probably going to be in the worst shape when something happens because they did not recognize they were even susceptible to a problem.
What do you do to “unwind” and have fun?
I live in Colorado for a reason. I love the Rocky Mountains and my wife and I do a lot of hiking and backpacking. My ideal location is any place where cell phone service is limited and I don’t have to go far from my house to find that place. I read a lot and actually have a lot of fun in my job. I really do love the security business.