Cyber risk assessment and disclosure requirements: What’s important to you?
In this podcast recorded at RSA Conference 2018, Jerry Caponera, VP cyber risk strategy at Nehemiah Security, offers some interesting thoughts on cyber risk assessment and disclosure requirements.
Here’s a transcript of the podcast for your convenience.
We are at the RSA Conference with Jerry Caponera, VP cyber risk strategy at Nehemiah Security, to discuss some interesting thoughts on cyber risk assessment and disclosure requirements. Jerry thanks for joining us would you please share a little bit about your background with us, what Nehemiah does, and maybe how you came to join the company.
Sure Brian, thanks for asking. So, Nehemiah we’re in the business of helping organizations quantify what their exposure is to cyberattacks and helping them prepare to answer the three questions they need to answer:
1. How much risk are are they willing to accept?
2. What options do they have to transfer that risk?
3. How do they mitigate that risk?
I got into this space, I’ve been in cyber, I’ve been a geek my whole life, ever since I was a kid. I’ve been in cyber for about the last 10 or 12 years, and I noticed that every year I come to RSA I see more and more products, up to 2000 I think products on the floor. And the challenge always bothered me was how does an organization know what they should really be doing? When I joined Nehemiah I loved that they had a foundation upon which to build to put a quantifiable verifiable number on that cyber risk. Because I think, at the end of the day, if we can do nothing but help companies start to think about cyber from a business perspective not just a technical one, we’ll have done well, have done good, we really will.
Let’s start the discussion with your perspective on what cyber risk is it’s a fascinating area within cyber security. Let’s talk a little bit about how companies today are measuring it and what they may or may not be getting out of that process.
It’s interesting, most organizations have some understanding that they are at risk to cyber-attacks. I read a recent report of over 400 CEOs who said that cyber risk was their number one risk as an organization, and yet only 26% percent of those CEOs thought they were prepared. And so that in and of itself helps to set this kind of baseline for where the industry is today.
If organizations believe cyber is their biggest risk, yet they don’t know that they’re prepared for it, we’re not doing something correct. And I think part of the challenge is that we’re still trying to apply, you know high medium or low very subjective measurements like high median or low and green to cyber risks, when cyber is first it’s asymmetrical, you’re having to deal with a person on the other end of that who’s causing the risk. And yet while person can cause the large financial impact to your organization, companies struggle with pulling those three together. I’ve seen it in enterprises I’ve seen it in cyber insurance world as well too. We really have get to the point where we get past where we’re at today which is high medium low and red yellow greens and kind of into that next generation of translating cyber risk into business terms.
I think that’s a good point to shift lanes a little bit into the mini regulations being put into place that affect how companies manage cyber risk. Let’s talk about what’s different about how the GDPR dictates reporting on cyber risk versus the SEC’s established guidelines. Do you think these regulations are doing enough? Should they be improved upon? What are your thoughts there?
That’s a great question. I’m probably one of the handful of people who say I’m grateful for what the European Union did with GDPR. Not normally being a guy who’s big on compliance the thing I love most about GDPR is they put dollar values into their fines, they put teeth into that.
You know I have four kids and I always found that if you don’t put a carrot and a stick out there the carrot’s never get taken. And so what GDPR did is they said, hey if you get fined I’m going to take you no I’m going to whack you for4% of your revenue. Think of 4% of your revenue, that could be a really big number and so it’s a great way to kind of start companies thinking that was, thinking down the lines of if I don’t do something I’m there’s a real fine their real dollar values. What the SEC did recently they release some guidance which was good, but it’s kind of the crawl. I mean it’s not as far as the GDPR went. They’re basically telling organizations that they need to start reporting on what their material cyber security risks are. That’s the guidance they gave them which kind of a lightweight first step into the pond if you will, of helping companies think about that.
So did it go far enough? No, I’d love to see us get into a GDPR-like, kind of take the best of GDPR, evolve it for what we’re doing, but get to the point where companies need to start not only disclosing what those risks are in dollars and cents but know that they’re going to get fined, there’s a stick waiting on the other end if they don’t do something to prevent it.
Fascinating, let’s talk a little bit about what material cyber risk is. What are some examples of material risk companies must identify and how they can go about doing that?
The SEC took that term I believe from the fact that in all their other financial reporting you must report material risks to your business. And if you think about it in that context, what’s a material risk to my business if I’m in the manufacturing to distribution world right. If I don’t get product, if there’s a potential storm, or if there’s potential labor challenges, or if the where I’m importing it from there’s challenges, it can materially impact the key things in my organization.
Well, I love what the SEC did with that because that really forces companies to think what is material to my business from a cyber perspective? If you’re an e-commerce retailer, the material risk to your organization is a cyber-attack between November 26th and December 24th. A material risk doesn’t exist on December 26th necessarily. So what that does for businesses and what a material cyber risk is, what is that business that I’m, how does a cyber-attack potentially impact that. It forces companies to start thinking about where digitally are my biggest assets are and what can a cyber-attack do to them. And that’s the first step in turning this technical conversation we tend to have in cyber, into a business one, because we want companies to think that if your e-commerce worried about your you know your shopping platform on November 26. If you’re in financial services, and you’ve got a trading platform, let’s talk about what the material risk for that is. And so it really helps organizations start to prioritize those applications or services based on what matters to their business most.
Okay, so from your perspective what can companies start doing now to prepare possibly facing even more cyber risk regulations?
Where I see this going as I think we’re starting to scratch the surface. I think cyber in the last few years has really started to make the leap from technical to business because of the money involved. When the Verizon went to buy Yahoo and then Yahoo disclosed that they had a breach, Verizon knocked 350 million dollars off the price which is not a small number. And so I think that is that among other things has really started to build this trend towards what’s coming from a regulation perspective. So, I think where you’re going to see over the next three to five years, and there’s a bill in Congress right now to increase the Sarbanes-Oxley requirements for organizations to start reporting on financial risk through there. The long-winded answer to say more is coming in terms of forcing organizations to prioritize what their material risks are.
The best thing the organization can do today is to start with a simple understanding of what, do a business inventory, do an inventory and the business processes that matter most and figure out those applications that power them. Because what I tend to find in especially in medium to large companies is they might have a portfolio of 1,500 different business applications but they’re not all equal value. And the only way to get to kind of that material risk, the only way companies can really start to prepare is to start from the top down and start to drive what matters most to our business, what do we do that is needs to be protected from a cyber perspective. And then start to drill down into identifying what supports them. You can do business continuity planning, you can do a business impact analysis, those are terms that organizations have done, those are two great ways to start thinking about how you build that inventory of what you have.
There’s even frameworks out there like Idol which is a great way to build a process map which shows me what’s my processes at the business level tied to those systems. I would suggest to you that companies start getting their house in order, because there is increased regulation coming, fines will start to come, and the only way you’re going to be ready is to prepare business mappings to the technologies that support them.
Okay so as we bring this in for a landing, what advice do you have for board members or other executives or even down to the technical IT team on how to best communicate about their organization’s risk? You know, in other words what do you tell people who don’t know where to start?
That’s a great question. And so one of the things that we’ve done here at Nehemiah is we’ve built our platform in a way that shows what I like to call the traceable verifiable route to understanding what your cyber risk is.
The very first thing I would suggest to the board is to start with understanding what that kind of top-level business processes are, tie them to the applications and then trace that all the way down to the endpoints or computers that get hacked. Because while we talk about cyber from a business risk perspective, it is at the end of the day it’s the technology that gets attacked. Whether it be our credentials, our computers, or servers, and so on and so forth.
My suggestions to the board would be start an initiative to build out and to understand what your cyber risk is in dollars and cents, because that’s the only thing that really matters. Start with the things that matter most, have a short conversation about what matters most. The way I’ll describe that is – if you wake up tomorrow morning and you’re breached, and you find out it was X process or Y application, what would your reaction be? What it cost you your job would somebody come in after you? Start there and then start to prioritize the applications that power that and down into the end points that make that work.
Brian: Awesome! Jerry Caponera, VP cyber risk strategy at Nehemiah Security. Thanks for your time we appreciate your joining.
Jerry: Thanks Bryan it is a pleasure.