Cyber-security: An ongoing journey
The C-suite must embark on a journey of constant improvement in order to stay one step ahead of the evolving cyber threat
The cyber threat is amorphous, and the technology it exploits is advancing at a dizzying pace, so the risk landscape is never going to stand still. Leaders might think they have grasped the threats to their firms, only to feel that certainty slip away as the next attack reveals new vulnerabilities.
Emerging technologies create new entry points for cyber-attackers, but they can also offer a lifeline. In looking to find ways to improve visibility of new threats within their organisations, the C-suite will have to harness sophisticated new tools and the expert talent that can exploit them.
The data revolution
The C-suite is well aware of the cyber threat, but many leaders are not able to quantify its potential impact on their businesses. Data can help here: leaders can use historical data to predict imminent attacks.
Using big data analytics, businesses can develop baselines that show up the differences between normal and suspicious activity.
In this pressurised environment, drawing meaningful insights from data becomes even more important: “It's all about making sure that data is recognised and understood within your own context and making sure that it is used in the correct manner,” says David Molony, Director Cyber Risk, Cyber Solutions EMEA at Aon. “That's where we'll start to see the real revolution.”
We have to start looking to outpace the attacker. Cyber attackers are exploiting vulnerabilities ever more quickly, and will also use data analytics in the future.
Vodafone, Global Head of Risk Governance, Risk and Control
Smart risk management
Some organisations have gone one step further, working with data analytics tools and technologies that use machine learning and AI-type algorithms to assess the baseline of activity in their networks and systems. This opens up a new realm of possibilities for cyber risk management.
Automated solutions such as Edgescan both identify and risk-rank known and unknown vulnerabilities in real time. By using machine-learning techniques instead of traditional approaches, it can analyse and classify hundreds of thousands of characteristics per file to identify suspicious activity. “Through applying AI technology to detect suspicious behaviours, for both cyber and fraud-related threats, we have decreased at least 90% of our false positives that we had in the past,” says Gorka Diaz de Orbe. CISO at Bankia.
In 2018, 93% of malware observed by security firm Webroot was polymorphic – it could constantly change its code to evade detection.1 “Machine learning helps us understand the constantly shifting nature of the cyber threat,” explains Andy Simpson-Pirie, CTO, Lloyds Development Capital, UK. “You don't necessarily have to follow prescribed signatures or processes. An attack could just behave in a certain way. And those ways can change, as humans do. Machine learning capability supports the business taking that evolution into account.”
Getting the right expertise on board
Technology underpins all aspects of business, so organisations are prioritising technological expertise in their hiring processes. The appointments of a Chief Technology Officer, Chief Information Security Officer or Chief Information Officer are attracting growing interest from business stakeholders and the media, and their presence on executive boards is becoming more commonplace.
“The CISO role is becoming much more of an enabler for the business in general,” says Patrik Bless, CISO at Partners Group. “The focus is shifting from a purely compliance-driven approach, which is obviously still a necessity, to a strategic and risk-focussed role. It's important for the CISO to be involved in business decisions early on and to be involved in strategic initiatives. Becoming involved at a later stage can be very detrimental in terms of risk exposure, timeline, and also cost.”
There are approximately 365,000 pieces of new malware emerging every day, and there is no way to keep up in the long run. The only step companies can take to combat this is to use AI to understand what exactly a virus looks like. Cyber-attackers are increasingly using AI technology as a tool, so you have to fight fire with fire.
HP, General Manager, Global Head of Commercial
Beyond the hiring and elevation of cyber security expertise, it is crucial to educate ‘non-technical’ leaders within the business. In this way, cyber security can be embedded in the fabric of the organisation – and plausible deniability is no longer an excuse. In order to achieve cyber resilience, different functions across the business must unite. “The risk function needs to be a strong communicator. It is important to build an open culture of information sharing,” says Bless. “It's very important that executives feel empowered to speak up and ask questions,” he adds.
A journey of constant improvement
In order to achieve cyber resilience, the C-suite must constantly look to improve its cyber risk-management strategy and processes.
Beyond developing an understanding of the cyber risks, businesses must now go further – by drawing actionable insights from data. Getting the right technological skills on the board is central to gaining a greater understanding of the threat. Educating non-technical leaders in cyber issues will ensure accountability across the organisation.
1 2019 Webroot Threat Report, Webroot, 2019