THE DEFINITIVE CYBERSECURITY GUIDE FOR ......Indeed, the National Crime Agency reported in July of 2016 that cyber-enabled fraud and computer misuse sur-passed all other crime in the

T H E D E F I N I T I V E C Y B E R S E C U R I T Y G U I D E F O R D I R E C TO R S A N D O F F I C E R S

U N I T E D K I N G D O M

NAVIGATING THE DIGITAL AGE | UNITED KINGDOMSecurityR

oundtable.orgSecurityRoundtable.org

CONTRIBUTORS

• GregoryAlbertyn, Senior Director, PwC, Boston

• LeeBarney, Head of Information Security, Marks & Spencer, UK

• AviBerliner, Manager, PwC, New York

• ChrisBray, Partner, Heidrick & Struggles, London

• GavinColman, Partner, Heidrick & Struggles, London

• GregDay, Vice President and Regional Chief Security Officer, EMEA, Palo Alto Networks

• JoelHarrison, Partner, Milbank, Tweed, Hadley & McCloy LLP, London

• MarkHughes, President, BT Security, BT Global Services, London

• AlanJenkins, Associate Partner, IBM Security, UK

• RyanKalember, SVP, Cybersecurity Strategy, Proofpoint, Palo Alto, CA

• ElenaKvochko, CIO, Group Security Function, Barclays, London

• GeorgeLittle, Partner, Brunswick Group, Washington, DC

• SirIainLobban, Former Director of GCHQ, UK

• RichardMeredith, Partner, Brunswick Group, London

• TroelsOerting, Group Chief Security Officer, Barclays, London

• GilesOrringe, Partner, Heidrick & Struggles, London

• ConradPrince, Cyber Ambassador, UK Department for International Trade’s Defence and Security Organisation

• SirMichaelRake, Chairman, BT Group and Worldpay Group, London

• EdwardM.Stroz, Executive Chairman, Stroz Friedberg, New York

• MarkWeil, Chief Executive Officer, Marsh UK & Ireland

• IanWest, Chief of Cyber Security, NATO Communications and Information Agency, Brussels

NAVIGATING THE DIGITAL AGE

THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

UNITED KINGDOM

Published by

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – United Kingdom

Printing and Binding: Timesprinters

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – United Kingdom

is published by: Forbes Media499 Washington Blvd.Jersey City, NJ 07310 USA First published: 2016

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – United Kingdom© 2016 Palo Alto Networks Inc. All rights reserved.

Cover illustration by Tim Heraldo

DISCLAIMER

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains sum-mary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication (December 2016). Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide.

This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions con-tained herein. It is your responsibility to verify any information contained in the Guide before relying upon it.

iii ■

PrEfAcE: MAsTErING cybEr rIsk IN 10 sTEPs

Preface: Mastering Cyber Risk in 10 StepsSir Iain Lobban — a former chief of the UK’s intelligence and security agency, Government Communications Headquarters, and now a senior adviser to a range of global companies on cybersecurity risk and governance — sets out why cybersecurity matters to executives.

The worldwide phenomenon of the Internet presents wonderful opportunity for commerce and society, con-tributing 10% to the UK’s GDP, ahead of manufacturing

and retail. But at the same time, this growth in our digital dependency is presenting opportunities for a range of ac-tors to exploit networks and data for their own purposes.

Among terrorists, criminals, hacktivists, and amateur hackers, those engaged in industrial espionage, and pro-fessional ‘hackers for hire’, the motivations of cyberattack-ers may vary, but businesses continue to be a digital target for any or all of these as the data they collect for commer-cial purposes becomes an increasingly attractive target. Indeed, the National Crime Agency reported in July of 2016 that cyber-enabled fraud and computer misuse sur-passed all other crime in the UK,1 and the Department for Business, Innovation and Skills 2014 Information Security Breaches Survey2 found that 81% of large organisations had experienced a breach, costing, on average, between £600,000 and £1.5 million.

Traditionally a specifically technical domain, manag-ing the risk from cyber threats is now emerging as a core responsibility for executives at businesses large and small. One recent survey on European boards of directors showed that between 2012 and 2015, attention to cybersecurity jumped nearly 40%.3 Driving this shift is corporations’ growing dependency on digital transformation while fac-ing increased threats.

At stake are three intangible but vital business attributes that are too easy to take for granted: the confidentiality of the knowledge, information, or basic data that represent the foundation of business systems and processes; the integrity

■ iv


of that underpinning data—its resistance to malicious manipulation or alteration; and the availability of that data when it is required to drive those systems and processes.

We now see attacks which don’t just steal intellectual property on an industrial scale, or spy on the commercial details of contrac-tual negotiations, mergers, and acquisitions for mercenary advantage, but which take internal correspondence from a company and publish it on the Internet so as to cause embarrassment and loss of professional credibility; attacks which threaten to distort holdings of reference data and create mis-trust and uncertainty; attacks which disrupt or deny access to the data that is the lifeblood of a business, even destroying data and the infrastructure within which it resides. These are an unseen set of threats against unseen assets but with very real commercial and personal consequences.

From my time working with some of the UK’s top talent tackling very real cyber threats, I am a strong believer in technically proficient experts managing these threats at a specialist level. We need to be recruiting, training, and developing more of these ex-perts to serve both our government and our industry. But this will not be enough on its own: there is now not just an expectation but an imperative for executives to be both com-fortable and capable in this space. And when

I have seen senior executives engaging with the real experts to build their understanding of the risk, to assess and then work together to address the vulnerabilities, the potential impact, the consequences and mitigations, I have seen a meeting of minds that makes a vital difference. Better to be exposed to some of the specific technical details of the prob-lem in advance of a breach rather than in its bruising wake.

That increased dialogue enables executives to give this risk enterprise-level priority; to understand that there are no silver bullets, but that high-quality technical management and corporate cybersecurity governance can drive down risk; to get and stay informed of actual or potential exposure within their organisation and progress to remediate or at least mitigate.

In order to better inform executives not just of the risks from cyber threats, but also on how to protect themselves—be that from external attackers or from the insider threat—GCHQ has published its top 10 Cyber Security Steps, now in use by two-thirds of the FTSE 350.

J Here is a quick wrap-up of these “10 steps to cyber security”:4

1. Information Risk Management RegimeAssess the risks to your organisation’s infor-mation assets with the same vigour as you would for legal, regulatory, financial, or op-erational risk. To achieve this, embed an In-formation Risk Management Regime across your organisation, supported by the board, senior managers, and an empowered infor-mation assurance (IA) structure. Commu-nicate your risk management policy across your organisation to ensure that employees, contractors, and suppliers know your organ-isation’s risk management boundaries.

2. Secure configurationIntroduce corporate policies and processes to develop secure baseline builds, and man-age the configuration and use of your ICT systems. Remove or disable unnecessary functionality from ICT systems, and keep them patched against known vulnerabilities.

We now see attacks which don’t just steal intellectual property on an industrial scale, or spy on the commercial details of contractual negotiations, mergers, and acquisitions for mercenary advantage, but which take internal correspondence from a company and publish it on the Internet so as to cause embarrassment and loss of professional credibility…

v ■

PrEfAcE: MAsTErING cybEr rIsk IN 10 sTEPs

Failing to do this exposes your business to threats and vulnerabilities.

3. Network securityConnecting to untrusted networks (such as the Internet) can expose your organisation to cyberattacks. Follow recognised network design principles when configuring perim-eter and internal network segments, and ensure all network devices are configured to the secure baseline build. Filter all traffic at the network perimeter so that only traffic re-quired to support your business is allowed, and monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an attack (or attempted attack).

4. Managing user privilegesAll users of your ICT systems should be pro-vided with only the user privileges that they need to do their job. Control the number of privileged accounts for roles such as system or database administrators, and ensure this type of account is not used for high-risk or day-to-day user activities. Monitor user activity, par-ticularly all access to sensitive information and privileged account actions (such as creating new user accounts, changes to user passwords, and deletion of accounts and audit logs).

5. User education and awarenessProduce user security policies that describe acceptable and secure use of your organisa-tion’s ICT systems. These should be formally acknowledged in employment terms and conditions. All users should receive regular training on the cyber risks they face as em-ployees and individuals. Security-related roles (such as system administrators, incident management team members, and forensic in-vestigators) will require specialist training.

6. Incident managementEstablish an incident response and disaster recovery capability that addresses the full range of incidents that can occur. All inci-dent management plans (including disaster recovery and business continuity) should be regularly tested. Your incident response

team may need specialist training across a range of technical and non-technical areas. Report online crimes to the relevant law enforcement agency to help the UK build a clear view of the national threat and deliver an appropriate response.

7. Malware preventionProduce policies that directly address the business processes (such as email, web browsing, removable media, and person-ally owned devices) that are vulnerable to malware. Scan for malware across your or-ganisation and protect all host and client machines with antivirus solutions that will actively scan for malware. All information supplied to or from your organisation should be scanned for malicious content.

8. MonitoringEstablish a monitoring strategy and devel-op supporting policies, taking into account previous security incidents and attacks, and your organisation’s incident management policies. Continuously monitor inbound and outbound network traffic to identify unusual activity or trends that could indicate attacks and the compromise of data. Monitor all ICT systems using Network and Host Intrusion Detection Systems (NIDS/HIDS) and Pre-vention Systems (NIPS/HIPS).

9. Removable media controlsProduce removable media policies that control the use of removable media for the import and export of information. Where the use of removable media is unavoidable, limit the types of media that can be used to-gether with the users, systems, and types of information that can be transferred. Scan all media for malware using a standalone me-dia scanner before any data is imported into your organisation’s system.

10. Home and mobile workingAssess the risks to all types of mobile work-ing (including remote working where the de-vice connects to the corporate network infra-structure) and develop appropriate security

■ vi


policies. Train mobile users on the secure use of their mobile devices for locations they will be working from. Apply the secure baseline build to all types of mobile device used. Pro-tect data-at-rest using encryption (if the de-vice supports it) and protect data-in-transit using an appropriately configured Virtual Private Network (VPN).

All that may seem like basic common sense to some, and a bit technical to others. But understanding that these are some of the subject areas that executives should be hear-ing about regularly from their experts, and learning what correct answers should look like, is half the battle. Your technical security team needs your support, and building con-versations and challenge around these head-lines is a great start. You will almost certainly spend more time on market strategy than on malware, at least unless or until you are un-lucky enough to have a catastrophic cyberse-curity failure; but having authentic exposure to technical best practices is critical to defin-ing and managing your own business risks—risks that could be existential.

At the same time and to finish on a more upbeat note, let us remember that this is not

simply a deficit discussion. A chief executive’s role is to balance both the risks and the op-portunities in all situations. Good governance around cybersecurity—essential risk manage-ment—can be a defining factor in organisation-al excellence, building compliance, enterprise-wide awareness, and commitment. It is not a question of fear, but of anticipation and pre-paredness, of purposeful leadership and com-mitment, of curiosity and engagement. This book is an indispensable tool to support indi-vidual leaders and teams that make the choice to master this risk rather than to fall victim to it.

Works Cited

1. http://www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/file

2. https://www.gov.uk/government/publications/information-security-breaches-survey-2014

3. https://www.paloaltonetworks.com/resources/techbriefs/governance-of-cybersecurity.html

4. https://www.cesg.gov.uk/10-steps-cyber-security

http://www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/file



https://www.gov.uk/government/publications/information-security-breaches-survey-2014



https://www.paloaltonetworks.com/resources/techbriefs/governance-of-cybersecurity.html



https://www.cesg.gov.uk/10-steps-cyber-security

https://www.cesg.gov.uk/10-steps-cyber-security

vii ■

INTroDucTIoN

IntroductionPalo Alto Networks – Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa

New EU legislation provides an opportunity for business leaders to step back, possibly re-architect their cybersecu-rity, and achieve the right balance for their organisation.

Society has an addiction: we have become cyber de-pendents. The average person relies significantly on a smartphone, and it seems that even temporary separa-

tion from the device can be painful and provoke anxiety. Our incredibly interconnected world spans both busi-ness and personal lives, from shopping to tracking our health, to working on the move. This modern lifestyle has granted new freedoms and opportunities for the modern citizen, enabled through a cyber mesh of interconnected data, across applications and devices/systems—this is the so-called Internet of Things. What is apparent is that this mass of digital information will continue to increase ex-ponentially, placing the issue of cybersecurity right at the forefront of the debate.

To help address this challenge, the European Union has introduced two of the most far-reaching legislative

JJ The EU has adopted two far-reaching pieces of legislation on data and infrastructure protection from cyber threats

JJ Technology and cyber threats continue to evolve at a rapid pace

JJ It’s important to validate where your business stands today re cyber risk

JJ Businesses need to find the right balance between risk and expense

JJ You should also balance your investment among human capital, technology, and insurance

■ viii


changes related to data protection and cyber-security to date, both of which will come into effect in May 2018. The first is a revision of data privacy and protection requirements to ensure that all personal information belong-ing to EU residents is managed consistently and effectively. More significantly, personal data breaches require notification to authori-ties within an appropriate time frame and, in some cases, to the individuals affected. This is the General Data Protection Regulation and is explained more fully later in this book.

The second piece of legislation recognises that such essential services as energy, trans-portation, healthcare, and water, to name just a few, have significant technological depen-dencies that, if compromised by a cyberat-tacker, have the potential to impact society significantly. The EU’s Network and Infor-mation Security (NIS) Directive recognises the importance of defending this infrastruc-ture and requires each nation to identify such organisations, and that the organisations take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems that they use in their operations, having regard to the state of the art. The organisations are expected to work with their national authorities to ensure critical services are sustained and society can

maintain confidence in these services in the event of a cyber incident.

The question you must ask yourself as a business leader is: if our national governments have come to understand the significance of criti-cal cybersecurity, what does this say about how important it is to your business?

With both technology and cyberattacks continuing to evolve at pace, many find it tough to keep up, and this is little wonder: many feel ill-equipped to ask the right ques-tions and ill-prepared to deal with cyberat-tacks that could impact their business. What makes this worse is that cyber and cyberse-curity use what can seem to be a foreign lan-guage, with new terms and myriad abbrevia-tions and acronyms that evolve as fast as the technology develops.

Unfortunately, as a business leader, this is a discussion you can ill-afford to ignore. I would suggest that the EU legislative chang-es are the most fundamental shift in cyber to date and, for many cybersecurity teams, will have significant impact. Yet this can be the catalyst to overhaul not only your own cy-bersecurity awareness but also your organ-isation’s approach to cybersecurity. There is a genuine opportunity for your business to ‘re-architect’ your critical systems, to build state-of-the-art cybersecurity for today that will be scalable for your future.

With both technology and cyberattacks continuing to evolve at pace, many find it tough to keep up, and this is little wonder: many feel ill-equipped to ask the right questions and ill-prepared to deal with cyberattacks that could impact their business.

ix ■

INTroDucTIoN

Constantly changing technology has be-come our Achilles’ heel. For the cyberde-fender, there’s a need to continue to adapt and respond to the changing threat. Often there is a complex collection of solutions to specific problems. Cybersecurity requires high levels of human intervention. Much like a high-performance sports car, cybersecurity is capable of pushing boundaries but at the same time can be extremely fragile.

For business leaders, your first action must be to validate where your business is today. There are numerous ways to achieve this. You could pull in an external third party to do a gap analysis, you could look at the existing metrics provided by your cybersecu-rity team, or you could simply test the effec-tiveness of your current capacities. We learn through experience. Running cyber drills and exercises is an obvious way to test capabili-ties across the business. This is not just about

the technical capabilities, but also people skills, inter-team skills, right through to the board’s effectiveness in presenting informa-tion to stakeholders and making critical deci-sions when a cyber incident occurs.

With cybersecurity, much as with life it-self, there are no guarantees. Technology is made up of zeros and ones, and too many see cybersecurity as a binary requirement, mean-ing that nothing bad should happen. Yet the reality is that things can and will happen. The first step is living with this and decid-ing what is acceptable when a cyber incident does happen. This will bring you back to the business cyber risk equation, which is: un-derstanding business IT dependencies, the cyber risks against them, and the business impact these would have. That is required to define the right balance between accept-able risk and investment to mitigate these for each business.

THREE CORE ELEMENTS

1. Your business depends on cyber to function, with the technology systems installed on your premises and in the Internet cloud. The data you hold in the form of custom-er records, business processes, and intellectual property are among your key assets. These differ depending on whether you are a service provider, retailer, or financial organisation, for example.

2. There are risks to your cyber dependencies, some easier than others to qualify. These range from the insider threat from human error or a disgruntled employee, to the constantly evolving external threat, for which there is an ever-perplexing array of techniques, attack actors, and motives. Too often we get caught up in the details of ‘what’ and ‘how’, when we should focus on the impact and likelihood of the impact on our business. We can learn from both the military and the insurance industry's experience here, with each viewing cyber risk though a different lens.

3. The final part of the cybersecurity triangle is what you do to become more resilient. ‘Cyber Resilience’ is a continuing battle between ‘good’ and ‘evil’, each looking to outflank the other. We need to plan for the best and prepare for the worst.

J Where do you start? There are three core elements:

■ x


The next decision you must make is where to deploy your investment. For decades, se-curity practitioners have focused on defend-ing their businesses with the goal of prevent-ing a cyber incident from ever happening. In recent years, there has been a shift towards accepting the inevitable—that some attacks will succeed—and therefore, your business must focus on how to respond to this to mi-nimise the business impact.

Coupled with this has been the matur-ing of the cyber insurance industry. Cyber insurance seeks to transfer the risk, specifi-cally the vast capital implications. Managing this risk can help smooth significant impact. Equally, leveraging the skills and knowledge of insurance experts can give you a broader insight on risk than if you were trying to do this on your own.

When considering best practice, you should determine if you are going to run your own internal ‘fire brigade’ or leverage an external service and its expertise. Just like the fire brigade, cyber incident response teams are professionals who typically re-quire expensive tools and knowledge that ideally we call in only occasionally. Under the pending EU legislation, your organisa-tion may need to notify relevant national authorities when defined incidents occur. You must decide what you can afford, and this again raises the question about the appropriate decision making between in-vestment in cybersecurity—to prevent and detect business impact—and the potential costs of a breach.

Finding this balance requires managing the mix of state-of-the-art capabilities with costs. To use a practical example, it’s like mixing audio tape, CD, VHS, DVD, and HD digital media together and expecting a single player to deal with them all. A hu-man is required to convert the different for-mats into a common medium that could be used on one player. Cybersecurity often can be no different, with lots of varying capa-bilities that require human intervention to function as a whole. This is an archaic solu-tion for a digital age.

Human capital is typically the most ex-pensive aspect of cybersecurity, in terms of both operational costs and holding up the implementation of a secure digital capabil-ity. Many businesses will have cybersecurity dashboards that aim to provide an assess-ment of cyber capabilities: these range from simple measurements to in-depth metrics. Many will focus on ‘lagging indicators’, which manually examine the past and pres-ent status of differing security controls. What is often lacking is a proper frame of reference. Time is often the most important aspect. This is the effective differentiator between pre-venting and responding to an incident.

We should be looking to see how we lever-age technology to make cybersecurity more efficient. This requires us to look at how we architect a common platform that allows the different capabilities required today to func-tion together with minimal human input. But more important is building cybersecurity to be as future-proof as possible; i.e., as the next media format is developed, the existing player still needs to be able to accept and play the new format, without requiring a human to translate it into a compatible format.

Cybersecurity must function at the same digital speed as the technology it aims to pro-tect. This technology will only continue to function at ever-increasing speed. You need to keep pace—or you will lose ground.

The EU legislative changes coming into effect in 2018 are a rare opportunity. They are moving the cybersecurity discussion into the heart of the boardroom. The changes will also allow different members of the business to become engaged with cyber risk and find a common language in which they can com-municate. This will give your business the opportunity to step back from its myriad activities and look afresh at its security, en-abling you to reassess and re-architect your approach to keep pace with future demands. This is about finding the right balance among detection, protection, and response, aligned to your business’s risk appetite. Make the most of this opportunity—it may well define your business for the future.

xi ■

TAbLE of coNTENTs

TABLE OF CONTENTS

Navigating the Digital Age

iii. PREFACE: MASTERING CYBER RISK IN 10 STEPSSir Iain Lobban – a former chief of the UK’s intelligence and security agency, Government Communications Headquarters, and now a senior adviser to a range of global companies on cybersecurity risk and governance

vii. INTRODUCTIONPalo Alto Networks – Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa

EU Cybersecurity Legislation

3. 1. WHAT IS THE PROCESS FOR ACHIEVING STATE OF THE ART?PwC – Gregory Albertyn, Senior Director, and Avi Berliner, Manager

7. 2. THE LONG ARM OF THE LAW: UNDERSTANDING EU LEGISLATION'S IMPLICATIONS ON CYBERSECURITYMilbank, Tweed, Hadley & McCloy LLP – Joel Harrison, Partner

13. 3. STATE OF THE ART – HOW AND WHY?Palo Alto Networks – Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa

Executive Responsibility

19. 4. VIEW FROM THE FRONT LINE NATO Communications and Information Agency –

Ian West, Chief of Cyber Security

23. 5. THE BOARD'S DUTY: GETTING THE BASICS RIGHT BT and Worldpay – Sir Michael Rake, Chairman

27. 6. ACHIEVING YOUR COMPANY'S FULL POTENTIAL IN THE GLOBAL CYBER ECONOMY

Department for International Trade’s Defence and Security Organisation – Conrad Prince, Cyber Ambassador

31. 7. ENSURING YOUR EXECUTIVES AREN'T THE ATTACK LURE OR VICTIM Proofpoint – Ryan Kalember,

Senior Vice President of Cybersecurity Strategy

■ xii


Enabling Innovation

37. 8. HOW SHOULD BUSINESSES PUT A PRICE ON DIGITAL RISK? BT – Mark Hughes, President, BT Security, BT Global Services

41. 9. HELPING THE BOARD UNDERSTAND CYBER RISK – AND WEIGHT IT AGAINST BUSINESS IMPERATIVES Marks & Spencer – Lee Barney, Head of Information Security

45. 10. BUILDING A HOLISTIC SECURITY FUNCTION IN A GLOBAL ORGANISATION Barclays – Troels Oerting, Group Chief Security Officer, and Elena Kvochko, CIO, Group Security Function

Your Security Leadership Team

51. 11. HIRING THE NEXT GENERATION CISO Heidrick & Struggles – Chris Bray, Gavin Colman, and Giles Orringe, Partners

55. 12. THE VALUE OF YOUR CISO: RESPONSIBILITIES AND METRICS IBM Security – Alan Jenkins, Associate Partner, and Palo Alto Networks – Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa

Responding to Crisis

61. 13. ENSURING YOUR BOARD IS ON THE SAME PAGE REGARDING CYBER RESPONSEStroz Friedberg – Edward M. Stroz, Founder and Executive Chairman

65. 14. CYBER INSURANCE: HOW BUYING IT CAN HELP CONFIRM YOUR RISK IS UNDER CONTROL Marsh Ltd – Mark Weil, CEO, Marsh UK and Ireland

71. 15. PRESERVING YOUR COMPANY'S REPUTATION AFTER A CYBER BREACH Brunswick – Richard Meredith and George Little, Partners

Contributor Profiles

77. Sir Iain Lobban78. Greg Day79. Gregory Albertyn79. Avi Berliner80. Joel Harrison80. Ian West81. Sir Michael Rake

82. Conrad Prince82. Ryan Kalember83. Mark Hughes83. Lee Barney84. Troels Oerting84. Elena Kvochko85. Chris Bray

85. Gavin Colman85. Giles Orringe86. Alan Jenkins86. Edward M. Stroz87. Mark Weil88. Richard Meredith88. George Little

EU Cybersecurity Legislation

3 ■

WHAT Is THE ProcEss for AcHIEVING sTATE of THE ArT?

What Is the Process for Achieving State of the Art?PwC – Gregory Albertyn, Senior Director, and Avi Berliner, Manager

As a chief executive, you should fully understand who takes responsibility for guarding the most critical data inside your business.

Your board regularly makes enterprise decisions and choices based on the judgement of these guardians. However, the board simply can’t be expected to ex-

amine everything in detail, and they need to deploy their time wisely. Yet cybersecurity increasingly requires more of your board’s bandwidth because cyber risk continues to evolve in both regulatory and technical complexity: it is ongoing and iterative.

To meet forthcoming EU legislation (for detail see Chapter 2), you are expected to have relevant regard for ‘state of the art’ cybersecurity. While this might appear a fuzzy description, and it will likely not be defined by EU policymakers, a more solid definition for your own organ-isation is expected to become clearer as your organisation gains greater insight into the nature, scope and location of the cyber threats you face. However, fundamental to ‘state of the art’ is a sustained cybersecurity and privacy gov-ernance structure, accountable to senior leadership and mandated with continued monitoring of cyber and pri-vacy risk and related enterprise response alignment.

JJ ‘State of the art’ is about defending your ‘crown jewels’

JJ Privacy architecture is evolving with new systemsJJ Cyber governance should be enshrined into

company strategyJJ Be clear about who is responsible for data setsJJ If you’re unfamiliar with something, ask

the question

■ 4

Eu cybErsEcurITy LEGIsLATIoN

Data privacy and security has tradition-ally been focused on implementing a set of governance models such as maturing data governance capabilities, performing assess-ments to create a baseline, and creating a target model to prioritise and manage risks. This has resulted in the introduction of mon-itoring and reporting tools that are reactive and responsive to threats. Yet, by its nature, ‘state of the art’ cybersecurity has to be dy-namic, identifying and proactively respond-ing in near real time to any new threat.

Cyber resilient management is about keeping pace with the changing threat land-scape, spotting and thwarting threats on the horizon to keep your critical assets and in-telligence from falling into the wrong hands. What we are now seeing is the evolution of what is known as ‘privacy architecture’, a set of guidelines and principles that are embed-ded into your business and technology pro-cesses from the ground upwards, rather than overlaid upon it. This bakes cyber resilience into your operating DNA, with reduced compliance overhead and resource require-ments. You should be building cyber and privacy risk governance into your strategic plans as well as your day-to-day activities. ‘State of the art’ also leverages the exponen-tial capabilities of Big Data. This includes not only the new storage and analytical tech-niques of constantly improving ecosystems of applications, but also the real-time, batch, and predictive analytical abilities. You will be able to deploy machine learning and oth-er artificial intelligence tools to defend your critical business functions and data from yet unseen attack vectors.

Increasingly, you should adopt ‘Privacy by Design’ to ensure your security and en-terprise architecture incorporates cyber resil-ience and privacy compliance requirements during initial scoping, and ensure review by all appropriate stakeholders.

To gain comfort on the adequacy of your cyber and privacy compliance programme, you should become familiar—although not necessarily an expert—with professional terms related to ‘state of the art’, including:

JJ EncryptionJJ IAM (Identity and Access Management)JJ AnonymisationJJ Data maskingJJ Risk-based activity monitoring controls

with appropriate storage and report distribution channels

If you are unfamiliar with these terms, then engage your CISO to explain their im-portance to operational and regulatory risk.

Furthermore, as a board leader, you should be aware of the risks in:

JJ the decentralisation of your data, particularly as it is used in the cloud;

JJ streaming of data—and where the likely attack points might be;

JJ unstructured data that is not held in safe and protected environments with appropriate controls;

JJ global data transfer and access to your systems from staff, customers, and stakeholders.

Who should be handling your risk? Many organisations have disjointed threat analysis spread across several functions, physical locations, and systems. To close this gap, you should have a robust, central-ly collated threat analysis capability—and an effective, centrally coordinated reactive capability. Based on our experience, the en-terprise cyber and data governance capabil-ity should comprise a combination of three groups organised to carry out these task and responsibilities.

By its nature, ‘state of the art’ cybersecurity has to be dynamic, identifying and proactively responding in near real time to any new threat.

5 ■

WHAT Is THE ProcEss for AcHIEVING sTATE of THE ArT?

Key members of team: chief information security officer (CISO), chief operating officer (COO), chief risk officer (CRO), head of security, chief privacy officer (CPO), chief data officer (CDO), heads of businesses and functional areas, such as business continuity planning, legal, risk, and regulation.

Main responsibilities include:JJ Working with senior leaders to develop cyber risk strategy.JJ Classifiying and prioritising information assets—the ‘crown jewels’.JJ Setting the budget for cyber risk.JJ Monitoring the organisation’s cyber risk position and reporting on it to senior

leaders and the board of directors.JJ Reviewing reports from the cyber risk oversight and operations teams and

helping prioritise emerging cyber threats.JJ Revisiting strategy to adapt the program as the cyber risk landscape evolves.

1. cyber risk governance committee:

Key members of the team: information technology team, business support team, compliance/data governance team, and business teams.

Responsibilities include:JJ Assessing the active risks the organisation faces, the people behind them,

and the assets they threaten.JJ Evaluating the effectiveness of the operations team.JJ Identifying new threats and improving how information assets are protected.JJ Determining how business changes affect the cyber perimeter—including new

service offerings, suppliers, vendors, or business partners.JJ Monitoring change control and ensuring privacy and security by design for

changes to critical systems and data processing activities.JJ Overseeing employee training programmes.JJ Reviewing new regulatory and compliance requirements.

2. cyber risk oversight committee:

Key members of the team: managers and SMEs for networks, information security, fraud, and corporate security. Security operations centre.

Responsibilities include:JJ Acting as first line of defence for detecting and responding to cyber events.JJ Compiling real-time information from all the groups that monitor cyber threats.JJ Producing reports for the cyber risk oversight and governance committees, including

number, type, and duration of cyberattacks.JJ Maintaining mature “DevOps” framework to provide code and application quality

as well as cyber threat scanning and monitoring capabilities.

3. cyber risk operations team:

■ 6


Adopting this structure can help you at-tain ‘state of the art’ cybersecurity, but you should also press your technical people about new, maturing, and expanding capa-bilities. The cyber and data risk programme should be able to identify your most valu-able business assets, know where they are lo-cated at any given time, and who has access to them. Your ‘crown jewels’ are information and processes, which if stolen, compromised, or used inappropriately, could cause sig-nificant hardship and damage to your busi-ness—and harm your board’s reputation for prudence and reliability. Such ‘crown jewels’ might be trade secrets, market-based strate-gies, trading algorithms, product designs, new market plans, market or customer data, or other vital business processes. Just as a crown and regalia worn by a sovereign have different values, so too do your own assets. Your executives will become accountable for protecting each of the crown jewels, in the same manner that you expect the finance di-rector to be accountable for your company’s financial results. You should be clear who in your organisation is personally responsible for each jewel.

Your governing team, with the right level of knowledge, expertise, and involvement at all levels of the organisation, is required to respond to cyber events. But waiting to pre-pare your response until after a cyber event is a recipe for disaster. The team should thoroughly understand the risks, the tools at their disposal, and their options in respond-ing before a cyber event occurs.

The development of prepared and tested responses—‘playbooks’—is a necessary step in adequately planning and preparing re-sponses to cyber events.

Using the intelligence gathered through-out the playbook development process, each playbook details who should take action, what their responsibilities are, and exactly what they should do. ‘State of the art’ also means continually revisiting each playbook at appropriate periods, according to clas-sification and risk prioritisation, to ensure updated cyber intelligence gathering tech-niques, cyber technology, and insurance options. Cyber threats and regulatory man-dates remain fluid and dynamic.

If in any doubt, seek advice and consider a ‘state of the art’ assessment to develop an ap-propriate road map to help ensure you have the highest level of hardened resilience.

© 2016 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

About PwC:At PwC, our purpose is to build trust in society and solve important problems. We're a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

7 ■

THE LoNG ArM of THE LAW: uNDErsTANDING Eu LEGIsLATIoN's IMPLIcATIoNs oN cybErsEcurITy

The Long Arm of the Law: Understanding EU Legislation's Implications on CybersecurityMilbank, Tweed, Hadley & McCloy LLP – Joel Harrison, Partner

British companies that use or process data must be pre-pared for European regulations on cybersecurity—or face the penalties.

European Union law related to cybersecurity has under-gone a period of unprecedented change in 2016. Two major new pieces of EU legislation—the General Data

Protection Regulation1 (GDPR) and the Network and In-formation Security Directive2 (NIS Directive, also known as the Cyber Directive)3—will impose security and breach notification obligations on many organisations. GDPR in-cludes penalties, including fines, for non-compliance, and EU member states are required to set out rules on penalties for non-compliance with the NIS Directive. Both laws are set to apply from May 2018.

The UK’s vote to leave the European Union has created much uncertainty about the impact of both GDPR and the NIS Directive on UK companies. Given the importance of the UK’s having a data protection regime that meets EU adequacy standards, and that the scope of GDPR reaches

JJ Two new laws related to cybersecurity in Europe will apply from May 2018—the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR)

JJ The rules will apply to businesses in EU member states and, in some cases, to non-EU businesses that provide services to customers in the EU

JJ Firms will face penalties for non-complianceJJ Both laws will introduce breach notification

requirements. Under GDPR, notification of a personal data breach must be made within 72 hours of becoming aware of the breach

■ 8

beyond EU borders in any case, the require-ments of GDPR will most likely apply to many UK companies in one form or another. The impact on the NIS Directive is less clear, although, again, it is unlikely that the UK will abandon its efforts in this area altogether or cease cooperating with its EU partners on combating cybersecurity threats.

J General Data Protection regulation

ScopeGDPR will apply from 25 May 2018. It covers organisations that deal with personal data, broadly defined as any information relating to an identified or identifiable individual.4 As with the Data Protection Directive5 that preceded it, GDPR requires organisations to maintain an appropriate level of security for personal data.

GDPR applies to organisations estab-lished in an EU member state. It also applies to organisations established outside the EU if they offer goods or services to individuals in the EU, or if they monitor the behaviour of individuals within the EU. So, regardless of Brexit, there are implications for many UK companies that do business with the EU.

Security obligationsGDPR imposes minimum security require-ments on both controllers and processors. The direct application of obligations to processors is a significant departure from the current di-rective, which applies only to controllers.

Under GDPR, controllers and processors must implement technical and organisation-al measures to ensure a level of security ap-propriate to the risk that would arise from unauthorised or unlawful processing of per-sonal data. There is a list of examples of what these measures may include, such as encryp-tion and pseudonymisation, and a process for regularly evaluating the security mea-sures. Importantly, the security requirements cover not only the confidentiality of data, but also its integrity and availability.

Where a controller appoints a processor, the contract must require the processor to

implement appropriate security measures, even though the processor has its own obliga-tions under GDPR. The controller must also take steps during the term of the contract to ensure that the processor is complying with those requirements.

It is important to note that GDPR does not set a standard of perfection, or establish a re-gime of strict liability for security incidents. Accordingly, a controller or a processor will not normally be liable for an incident under GDPR if it occurred despite appropriate se-curity measures being in place (as may be the case with a zero-day exploit). So, while GDPR uses the language of a ‘personal data breach’ to describe a security incident, it does not necessarily follow that any party has ac-tually committed a breach of GDPR.

Notification within 72 hours of breachUnder the new rules, a controller must notify the competent data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours after becoming aware of it. Notification is not re-quired if the breach is unlikely to result in any risk to individuals, but all breaches (whether notifiable or not) must be recorded.

A processor must notify the controller with-out undue delay once it becomes aware of a personal data breach.

If it is not possible to provide all the re-quired information about a breach at the same time, GDPR allows for the information to be provided in phases, as long as there is no un-due delay in providing the information.

If a personal data breach is likely to re-sult in a high risk to individuals, the con-troller must notify the data subjects without undue delay.6

Sanctions for non-complianceData protection authorities will have a range of powers for dealing with organisations that fail to comply, as well as giving both affected individuals and representative groups the right to bring claims themselves. Of particu-lar note is the new regime of fines; in the case of a failure to comply with the security or


9 ■


breach notification obligations, these can be as high as €10 million or 2% of the organisa-tion’s total worldwide turnover (whichever is higher). Where a breach reveals a failure to comply with other provisions of GDPR, the fine can be as high as €20 million or 4% of total worldwide turnover.

J NIs Directive

ScopeThe NIS Directive is a key part of the EU’s cybersecurity strategy. It will apply in mem-ber states from 10 May 2018. Its scope is more limited than GDPR, in that it applies only to organisations engaged in particular activi-ties; significantly, though, its requirements are not restricted to systems that process personal data. The NIS Directive also estab-lishes mechanisms for co-operation among EU member states on cybersecurity matters, which are outside the scope of this chapter.

The NIS Directive applies to two types of organisations: operators of essential services (OESs) and digital service providers (DSPs).

(a) Operators of essential services

OESs are organisations—whether public or private—that are of a type listed in Annex II to the directive and that meet certain criteria. Annex II lists operators in seven sectors:

1. Energy—electricity, oil and gas2. Transport—air, rail, water and road3. Credit institutions4. Financial market infrastructure—

trading venue operators and central counterparties

5. Health—healthcare settings (including hospitals and private clinics)

6. Drinking water supply and distribution

7. Digital infrastructure—Internet Exchange Points, DNS service providers, and TLD name registries

However, not every operator in these sec-tors is necessarily an OES. In order to be an

OES, an operator must also meet a number of additional criteria, which address the likely overall impact of an incident affecting the operator’s network and information sys-tems. By November 2018, each member state must identify each OES with an establish-ment in its territory.

There is another important exclusion from the scope of the directive: where sector-spe-cific EU law imposes security or notification obligations on OESs that are at least equiva-lent to the directive, those obligations apply in place of the obligations in the directive.

(b) Digital service providers

The other types of organisations covered by the directive are DSPs. A DSP will be subject to the directive if it is established in an EU member state, or if it offers digital services within the EU. There are three types of DSP:

1. Online marketplaces2. Online search engines3. Cloud computing services

Online marketplaces are defined as digi-tal services that allow online sales or service contracts to be concluded with traders, either on the website of the marketplace itself or on a trader’s website that uses the marketplace’s computing resources. App stores are explic-itly included, while pure price-comparison sites are excluded.

While online search engines may be self-explanatory, not every service marketed as ‘cloud’ will necessarily fall within the defini-tion of ‘cloud computing services’. This lat-ter term is defined as a digital service that enables access to a scalable and elastic pool of shareable computing resources; this will include many IaaS services, but may exclude a number of SaaS offerings.

The exclusion for other sector-specific legislation at EU level applies to DSPs as it does to OESs. In addition, DSPs that are micro or small enterprises7 are not subject to the security and notification obligations in the directive.

■ 10


Security and notification obligationsBoth OESs and DSPs are subject to security and notification obligations under the NIS Directive. While there are some differences between the obligations applicable to the two groups, broadly, both must take appropriate measures to manage the risks to the security of their network and information systems, and to prevent and minimise the impact of security incidents on the network and infor-mation systems used to provide essential ser-vices or digital services.

Similarly, both OESs and DSPs are required under the directive to notify their Computer Security Incident Response Teams (CSIRTs) or competent authority of security incidents. In the case of an OES, an incident must have a ‘significant’ impact on the continuity of essen-tial services in order to be reportable, while a DSP is required to report an incident only if it has a ‘substantial’ impact on its provision of digital services and only once the DSP has ac-cess to the information necessary to assess the impact of the incident. The directive does not set out specific timeframes for incident notifi-cations, but merely requires that notification take place ‘without undue delay’.

In the case of DSPs, the directive prohib-its member states from imposing security or notification obligations beyond those in the directive itself. (OESs enjoy no such protec-tion.) While this may appear attractive, the requirements of the directive are fairly high-level, so it may be difficult in practice to determine whether a member state is ‘gold plating’ the directive or merely implement-ing it. It is also important to bear in mind that the security requirements of GDPR apply alongside the directive, even for DSPs.

EnforcementThe NIS Directive also gives competent au-thorities enforcement powers over both OESs and DSPs, including the power to impose penalties for non-compliance. The powers in respect of DSPs are intended to apply only in cases where the authority has evidence of non-compliance, whereas the authorities will have the power to investigate whether

OESs are compliant—although it remains to be seen whether authorities are prepared to play a purely reactive role in practice.

J overlap between GDPr and the NIs DirectiveWhile GDPR and the NIS Directive were ad-opted around the same time, they are com-pletely separate laws, and their provisions are not always consistent.8 There are also likely to be circumstances in which an inci-dent triggers notification obligations under both GDPR and the NIS Directive.

Take the example of an Irish bank running an application that processes personal data and runs on a cloud computing platform pro-vided by a French service provider. The bank would be an OES and a data controller, while the service provider would be a DSP and a data processor. If the service provider is affect-ed by a security incident that compromises the bank’s personal data, the bank would need to notify its data protection authority, its compe-tent authority or CSIRT, and also data subjects if the breach were high risk. The notification to the data protection authority would need to be made within 72 hours, while the others would need to be made without undue delay. This is in addition to any notification obli-gations under the financial services regula-tory regime. Meanwhile, the service provider would need to notify both the bank itself and also its competent authority or CSIRT, in both cases without undue delay.

Time will tell how far these measures will go towards stemming the ever-increasing wave of cybersecurity incidents. Much will also depend on the approach of the relevant

While UK businesses would be advised to continue their work on becoming compliant with GDPR, regardless of Brexit, how Brexit will impact the UK’s implementation of the NIS Directive remains to be seen.

11 ■


authorities in enforcing these laws, particularly which cases are selected for enforcement action and the penalties that are imposed.

While UK businesses would be advised to continue their work on becoming compliant with GDPR, regardless of Brexit, how Brexit will impact the UK’s implementation of the NIS Directive remains to be seen. Given that the UK already is a leader in cybersecurity policy in the EU, it is doubtful that the UK will cease its efforts to improve cybersecurity. In any event, for the UK, cybersecurity is no longer the concern of the technical engineer, but now also the boardroom. Measuring your cyber investments against the GDPR and (possibly) the NIS Directive will take more than a check-the-box exercise. Instead it will require senior leaders to fully understand their business risks and have done their due diligence to ensure their defences are appro-priate for the threats their organisations face.

Works Cited 1. Regulation (EU) 2016/679 of the

European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

3. Regulations are directly effective in the legal systems of EU Member States, while directives must be transposed by the Member States into their domestic laws. As such, regulations are intended to secure a greater level of harmonisation across the EU, while directives often give Member States a degree of flexibility in how their provisions are transposed. Where this chapter refers to an organisation being subject to a requirement under the NIS Directive,

this is shorthand for a requirement under the relevant Member State’s domestic law implementing the NIS Directive.

4. GDPR maintains the distinction in the current Data Protection Directive between “controllers” and “processors”. A controller determines the purposes and means of processing personal data (either by itself, or jointly with others). A processor processes personal data on behalf of a controller. Service providers are often, but not always, processors; the key issue is not how the parties describe themselves in their contract, but the level of discretion exercised by the service provider on how personal data is processed.

5. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

6. There are three exceptions, although two of them (that the data was rendered unintelligible, such as through encryption, and that the controller has taken measures to ensure that the high risk is unlikely to materialise) essentially mean that the breach is not, in fact, likely to result in a high risk. The third exception is for cases where notifying the data subjects would result in disproportionate effort, but in those cases the controller must still publicise the breach so that data subjects are informed of it.

7. A micro enterprise employs fewer than 10 people and has an annual turnover and/or balance sheet total not exceeding EUR 2 million. A small enterprise employs fewer than 50 people and has an annual turnover and/or balance sheet total not exceeding EUR 10 million.

8. For example, the concept of where a DSP has its ‘main establishment’, and which authorities therefore have jurisdiction over the DSP, is not exactly the same under GDPR and the NIS Directive. This may lead to confusion in practice.

13 ■

sTATE of THE ArT – HoW AND WHy?

State of the Art – How and Why?Palo Alto Networks – Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa

‘State of the art’ is now a key term in new EU cybersecurity legislation—and outdated cyber capabilities could leave your business unnecessarily exposed to risk.

As our dependencies on technology grow, new EU leg-islation has introduced the term ‘state of the art’ into our vocabulary, as a part of the security by design and

default concept in the General Data Protection Regulation. The term is also used in the Network and Information Se-curity Directive, which is focused on the cybersecurity of essential services and digital services provision. Such a simple term will have significant impact on your business in the future, so it’s worth considering now what it means to your business and others (such as auditors, customers, and partners).

On first glance, this may seem both easy and confusing, depending on your background. Those in financial servic-es have been used to more prescriptive requirements from their own regulators, while others may look at this term as exactly what they, as security teams, do every single day: to continue to monitor the risk and adapt their cyber-security capabilities to manage their risk. In many ways,

JJ Intelligence on cyber threats is keyJJ Be sure your cybersecurity is built on a solid

foundationJJ Multiple legacy technologies create inefficiencies—

clear out the deadwoodJJ Cybersecurity should enable the business, not

inhibit itJJ Aim for more systemic success

■ 14


the latter is why it is now the time to step back and consider what ‘state of the art' re-ally means.

You may consider this as detail, but here is why you should care and ask questions of your cybersecurity team: outdated cyber capabilities will leave your business unnec-essarily exposed to risk, may cost you more to manage, and could lead to significant, un-necessary commercial impact.

In today’s technology-driven world, the pace of change is relentless; as such, cyber-security must continue to adapt to changing technology, new threats, and evolving busi-ness practices. In the 30 years I have spent working in the cybersecurity industry, the pace has never eased. Every year we have new problems to solve while we simultane-ously try to consolidate existing capabilities. This creates a fundamental challenge: as we keep evolving, we never step back to look at the big picture. Are the cybersecurity funda-mentals we started with so many years ago still sound today? For centuries we believed the world was flat, until science proved oth-erwise. Are our cybersecurity capabilities limited by similar, outdated beliefs?

J so what are some of the principles that need to change?

1. Just as in every other aspect of business, intelligence is key. There is an ever-in-creasing number of cyber ‘things’ that could happen—the crucial questions are, “Which are most likely?” and “Which would have the most significant impact?” Validating this means not only leverag-ing commercial sources but also connect-ing to the right industry knowledge and sharing groups and effectively leveraging your own organic intelligence. The new legislation talks about ‘having regard to’ or ‘taking into account’ the state of the art, which could mean that you should be able to show you have current insight on what the threats are and how they could impact your business and your customers. You need to challenge your team to confirm

not the problem but how they have quali-fied it and—more importantly—their con-fidence in its mitigation, whether that’s the acceptance of the risk or prevention of it.

2. Cyberattacks have evolved from the equivalent of a single-celled organism into a complex life-form. Why is this im-portant? It’s important because cyberse-curity has solved problem after problem, meaning that all too often we look for in-dividual cells, to use the analogy, and in the modern world, this leaves us with lots of analysis (requiring expensive and slow human input) and often poor results. A house is built on solid foundations, yet in many ways, cybersecurity never had such foundations. Now is the time to step back and ask, “What foundations will allow your cybersecurity to work cohesively and effectively, both today and in the fu-ture?” Remember that technology is here to automate human processes, not the other way round!

3. Just how much overlap has evolved through the natural evolution? In the physical world, we complain every week that someone else is digging up the road for a different purpose, yet in cybersecuri-ty, the same also occurs. Multiple technolo-gies are repeating core processes (such as decoding network traffic) just so they can do their piece of the security analysis. In an ever more digital world, technical inef-ficiency is inexcusable. A big part of this is clearing out the deadwood. When something has worked for years, we are always reluctant to let it go, but as the effectiveness decreases, that’s exactly what we should do. Chal-lenge the security team on their effective-ness and clear out the deadwood.

4. At the heart of technology are zeros and ones (binary switches that make deci-sions). However, people use technology, and they are definitely not binary! Too much of cybersecurity is based on how

15 ■

sTATE of THE ArT – HoW AND WHy?

people should use technology, rather than how they do use it. It may be a hackneyed expression, but cybersecurity should en-able, rather than inhibit, the business. If it’s not doing that, then it’s likely to be based on the principles of how technol-ogy should be used, rather than how it is being used.

5. One of the biggest challenges in cyberse-curity today is validating what success actually is. Historically, some may have suggested this would be that nothing bad is happening, but the reality is that online, just as in the physical world, bad stuff happens every day. The question then is, “What is the goal of cybersecurity?” We can continue to respond to each instance, or we can aim for a more systemic solu-tion. While new attacks take only minutes to produce, the underlying architecture they use typically remains constant. As such, rather than simply looking to stop the crime, we need to focus more on iden-tifying the criminal methods being used, before they ever reach us. Compromised public systems and money flows all take time for the criminals to develop and should be considered part of the complex life-form we are looking to identify.

With the new legislation incoming, we have a rare chance to step back from being caught in the whirlwind of daily activities and evaluate just what ‘good’ looks like in cy-bersecurity. State-of-the-art cybersecurity is a

dynamic requirement that requires regular review of what is possible, balanced against the real and relevant risks. Mixing modern capabilities with legacy ones is the equiva-lent of Usain Bolt running a three-legged race with you: he can go only as fast as you can, much in the way that your cybersecurity is limited by its legacy.

If I could give you one piece of guidance as we move into this era of ‘state of the art’, it would be to validate what success looks like in your business and what the state of the art should deliver to you in terms of protecting your business. Then test the real-ity, run what the industry calls ‘red team-ing’ exercises (simulated attacks), including different functions of the business to see how well your state of the art stands up to scrutiny. Remember that the state of the art is dynamic, so this should be a regular exer-cise to ensure you remain current with the requirement and the best practices avail-able. Lastly, discuss and compare with your industry peers to ensure you are getting a valid benchmark and drawing on the wis-dom of crowds.

In today’s technology-driven world, the pace of change is relentless; as such, cybersecurity must continue to adapt to changing technology, new threats, and evolving business practices.

Executive Responsibility

19 ■

VIEW froM THE froNT LINE

View From the Front LineNATO Communications and Information Agency – Ian West, Chief of Cyber Security

Something will happen this year that we never predicted —and your business has to expect the ‘known unknown’.

We are in the frontline trenches in the battle against cy-berattacks. Every minute of every hour of every day, we are seeing various levels of threat, and we have to

be vigilant and nimble to resist attacks that are increasing in sophistication and intensity. At NATO, cyber defence is a core capability because of the alliance’s dependence on its ICT infrastructure, and also because the cyber dimension is part of current conflicts and will inevitably be an increasing component in future conflicts.

The positive news is that cybersecurity is at the front of mind for almost every business in operation today. We all depend on our networks, use similar technology and face similar threats, so NATO has been very forward-leaning in collaborating, particularly with industry, to defend from those who seek to undermine and destroy our way of life. NATO, as a transatlantic alliance of 28 (soon to be 29) na-tions, shares the values of strong collective defence and the protection of its members’ territories and populations against attack. This includes cybersecurity. In our core trea-ty, the alliance stands ready to act together and decisively to defend freedom, and the shared values of individual liberty, human rights, democracy, and the rule of law.

JJ NATO collaborates with private industry on cybersecurity – part of our collective defence

JJ Identify the crown jewels of your businessJJ Your network needs more than a crunchy exterior:

it must detect attacks from withinJJ Address the skills shortageJJ Collaboration is key

■ 20

EXEcuTIVE rEsPoNsIbILITy

Increasingly, the ‘dark’ web is where the bad folks collaborate, hone their skills, and organise themselves. This is where they con-gregate to commit cybercrime.

In terms of threats, we have to categorise the types and levels of attack. There are non-specific threats such as malware that can infect our systems and specific threats, which are attacks targeted specifically against NATO, where we focus most of our attention. Here an adversary might be a hostile nation or or-ganised criminals who are crafting attacks to entice users to click on a link and open a cor-rupted document to gain access to our sys-tems and sensitive information.

In recent years, these specific attacks have grown in frequency and sophistication. With a laptop and a modicum of knowledge, a malicious attacker can get right into your organisation and do significant damage. There are also ‘hacktivists’, often with an extreme political or social agenda, who hack into an organisation’s website and post ille-gal messages, deny service to your website, or steal sensitive information. Increasingly, they are attacking commercial companies, non-governmental organisations, or gov-ernments, seeking to embarrass, ridicule, or destroy reputations. Then there is the insider threat—from us, the users, who can cause serious security incidents, either deliberately or accidentally.

All of these diverse threats mean that you can’t just have a crunchy exterior to your net-work. You need the ability to detect attacks from inside your own networks as well.

Within NATO, our job is to try to prevent these incidents, of course, but we will never be 100% successful, so we need the capabil-ity to detect, respond, and recover from inci-dents. It is also important for us to try to find out who is behind these targeted attacks, and their motivation. We investigate, looking at each piece of the jigsaw, to find out who is behind the attack and what they want to gain. Following are some common strategies that are proven and necessary to mitigate the risks from cyberattacks.

J Identify the crown jewels of your businessIt is impossible to protect yourself 100% from cyberattack. Our NATO commanders under-stand this very well. Cybersecurity tends to be expensive and, like commercial organisa-tions, we cannot afford to protect everything to the same level. Nevertheless, we need to deploy scarce and expensive cyber resources based upon our assessment of the risks to the entire enterprise.

In order to identify our crown jewels, our military commanders ask:

JJ What is the most important information we hold?

JJ What are the most significant services we offer to customers—and what are the inherent cyber risks?

JJ Where do we hold secure information about our processes and our business? How safe is it?

JJ How can we continue to assess and monitor the risks?

JJ Do we have a cyber-risk register?JJ How do we respond to each type of risk?

It requires a sense of clarity about the depth of risk that the business is willing to take. Once we are clear about our command-ers’ appetite for risk, we need to put in place the planning, implementation, and an assess-ment of the security controls and procedures.

J How good is your protection?Strong cyber defence is not about perfec-tion. We expect our cyber perimeter to be breached from time to time. Rather it is about how quickly we identify the intruders and any potential damage they caused, and how quickly we sort it out. There are also ways to mitigate the risk by working with conscien-tious partners to prevent threats by looking at potential flaws, exploits or ‘zero-days’ that have come to light. This is why it’s necessary to have strong connections and undertake re-search to keep up to speed with these profes-sional challenges.

21 ■

VIEW froM THE froNT LINE

Within NATO, we place a lot of emphasis and effort into preventative security. As the say-ing goes, this is frequently better than a pound of cure. We work towards system and secu-rity ‘hardening’, reducing the attack surface of many of the threats. The aim of Attack Surface Reduction (ASR) is to close all the non-essential doors to your technical infrastructure and limit access to the open doors through monitoring, assessment of risk, and access control.

Our methodology is: prevent, detect, respond, and recover. It’s a loop.

However, ‘zero-day’ attacks—which ex-ploit a previously unknown vulnerability in a piece of software, and there are a lot of them—can and will occur. So there is an el-ement of risk regardless of how strong your defences are.

What you need to do to mitigate ‘zero-days’ is:

JJ Undertake as much research into current threats as you feel necessary. There is plenty of information about ‘system hard-ening’ that is out there and does not cost anything to implement.

JJ You need to verify your coding and tech-nology as much as you can. Here, many companies don’t have the skill sets to fully undertake this on their own.

JJ If you don’t have the capacity or resourc-es, to do deep-dive analysis on all the software you are loading, you need to undertake an audit or sample of key stress points.

JJ Do as much standard verification, vulner-ability assessment, and penetration testing when the software is running as you can.

JJ Set in training protocols for how employ-ees use their technology and personal mobile devices in the workplace.

JJ Create a plan for the eventuality that some-thing might go wrong. You need to have in place measures to detect when something has gone wrong and is exploited.

J The ability to respondIf you have been the victim of a successful breach or attack, then stay calm and focus clearly. What matters most is how you re-spond to an incident. Your business requires strong resilience and good backup. At NATO, we have our incident teams, who have the ability to respond immediately and across our systems to mitigate the effects of an at-tack. These teams can be sent out to frontline sites or work online to recover the services that have been attacked.

J The ability to recoverYou also need the ability to recover your ser-vices quickly. This is supremely important. You need to swiftly reassure your customers you are both secure and open for business. Sharing attack information aids recovery, as there is commonality between organisations and businesses around the globe that use similar systems and software and are being subjected to the same types of attack. Divulg-ing and sharing your experience with repu-table third parties and with law enforcement agencies is also good business practice. Let’s share this knowledge so we can know more than the attackers.

J Addressing the skills shortageGlobally, there is a shortage of qualified peo-ple who can defend our freedoms and civic society from cyberattacks. Company execu-tives need to appreciate and value that it is a highly specialised skill, and those experts who understand vulnerabilities are highly in demand. This demand reaches across the commercial, military, public, and govern-mental sectors.

In my 30 years in the security business, I have seen the position of the security man-ager move from the uncooperative techie who said, ‘The answer is no, now what’s the question?’ to a new breed of committed indi-viduals who are far more attuned to business needs. In truth, the old-guard security people weren’t particularly helpful to the rest of the business and were referred to as ‘the sleeping

■ 22


policeman on the information superhigh-way’. Some of the stereotypes were true, and some of this attitude does still persist.

Many of our most skilled cyber defenders are younger people who have been brought up on computer gaming, legal hacking, and code creation. What is important is to build a team from a variety of different experiences and backgrounds to provide strength and depth of experience. This includes the grey-haired veterans alongside the millennial generation raised with IT connectivity.

The increasingly strategic importance of digital infrastructure has led to a seismic change that has placed the information secu-rity experts right into the heart of the deci-sion-making process. This, in turn, requires the security guys to talk in a language that other C-level executives understand.

J The need to collaborate with good businessFor many years, NATO has understood that no matter how good you think or believe you are, you never have the whole picture. Collaboration is the absolute key. We work across the alliance with our 28 national allies and member states, and since the Wales Sum-mit Declaration in September 2014, a Defence Planning Package was agreed, which placed cyber defence as one of a number of priorities to enhance the alliance’s capabilities. It recog-nised that cyberattacks can reach a threshold that threatens national prosperity, security,

and stability. Their impact could be as harm-ful to modern societies as a conventional at-tack. Cyber defence then became NATO's core task of collective defence.

At NATO, we are committed to develop-ing national cyber defence capabilities and enhancing the cybersecurity of national net-works upon which NATO depends for its core tasks. Close bilateral and multinational cooperation plays a key role in enhancing the cyber defence capabilities of the alliance. Strong partnerships play a key role, and NATO continues to engage actively on cyber issues with relevant partner nations.

Technological innovations and expertise from the private sector are crucial to enabling NATO and allies to achieve the Enhanced Cyber Defence Policy's objectives. Industry, quite often, understands the technology bet-ter than we do, and understands where these threats come from. That is why we have established and strengthened our relations with business over the last few years, in-cluding information-sharing agreements. We are actively talking and working together to share threat information about vulnerabili-ties. It is a force multiplier and what we call ‘smart defence’.

NATO has signed a Memorandum of Un-derstanding with a number of private-sector companies, and this experience has proved invaluable as we develop the partnership. Coupled with this, NATO has increased its cyber defence education, training, and exer-cise activities, at our own NATO CIS School and working with other training and educa-tion bodies.

If one thing is for sure in this digital age, something will happen this year that we never predicted. And your business has to expect what is the ‘known unknown’. De-fending your business from cyberattack is a ‘top-down’ issue that includes everyone. Let’s work together on this.

The increasingly strategic importance of digital infrastructure has led to a seismic change that has placed the information security experts right into the heart of the decision-making process.

23 ■

THE boArD’s DuTy: GETTING THE bAsIcs rIGHT

The Board’s Duty: Getting the Basics RightBT and Worldpay – Sir Michael Rake, Chairman

Your cybersecurity starts with the board making sure that the simple things are done well.

It is well understood that the chairman of a stock mar-ket–listed public company has certain fundamental du-ties and responsibilities. For me, this is about ensuring

the proper and effective workings of the board; advising on the strategic issues facing the company; overseeing the ap-pointment of the chief executive officer; and being account-able for the company’s good name and reputation. This, in a nutshell, is what we seek to do.

Increasingly, in this uncertain and complex world, chairs of boards must realise that one of the enduring threats we now face is from a range of cyber ‘bad guys’. Such threats are increasingly well known and well docu-mented, from cyber vandals recklessly trying to damage an institution to organised criminals getting access to data, to state-sponsored operations seizing intellectual property and know-how through illegal means, or malicious organ-isations trying to destabilise and damage national infra-structure. These have become the myriad unseen enemies that require a board’s attention.

At BT, we see all types of cyberattacks increasing expo-nentially. For major public companies, you need to deal not only with the financial aspects of an attack, in terms of loss of intellectual property or data, but you must also deal with the reputational damage that can undermine total

JJ Board leaders must step up to the plateJJ Boards in the UK have been slow to understand

cyber riskJJ There’s no need to get lost in jargonJJ Excellent communication is the keyJJ Collaborate, collaborate, collaborate

■ 24


confidence in your organisation by custom-ers, investors, or regulators. We are now all fully aware of the reputational consequences of allowing a cyberattack to succeed.

Boards in the UK have been rather slow to gain a fuller understanding of this cyber risk. Historically, there has been complacency among the IT community, who have failed to recognise the increasing complexity and so-phistication of determined attackers. Boards were not particularly well informed, and lines of communication were poor. Thank-fully, this has changed, and there is now an alertness and acute awareness.

The primary way a board handles cyber risk is by ensuring it has in place the people, the procedures, and excellent internal com-munications. We now have a new generation of senior business executives who are digi-tally savvy. The coming of age of the CISO (chief information security officer), or his or her equivalent, in most businesses is to be welcomed. It is a given that CISOs have excellent technological knowledge. But they must have much more. The job requires an individual who understands the macro-eco-nomic environment and who can communi-cate effectively with the board. Moreover, it requires someone who can manage complex-ity yet still keep an eye on the left-field issues facing the business. Then it is about prioritis-ing these major issues to deal with the most important issues first.

Today’s information systems are evolv-ing very fast, and IT leaders face multiple simultaneous pressures. They have to deal with improving customer services, intro-ducing new technologies and development

programmes, and reducing costs at the same time as increasing the level of security. Many companies are now concerned about being ‘disintermediated’ because they have old legacy systems that have been leapfrogged by newer, leaner players with none of the legacy issues. Today’s IT leaders face a fast and furious landscape that they must handle. In essence, the CISO must move from being a technocrat to a leader. When I talk about leadership, I mean communicating in a sim-ple way that boards can understand. We still have too much gobbledygook dressed up as techno-speak.

J Do the basicsYou don’t need deep technical knowledge to do the right things in business. While much of this revolves around the common sense of the individuals employed in your organisation, there are basic controls and disciplines that can be expected. Too often it is something basic that causes a serious problem. It is a laxness over password pro-tection, encryption, access to machines, close-down periods, and the discipline with data. Right across your organisation, you must instil an ethos that strives at all times to get the basics right.

J Defend your perimeter, and build a citadelWe end up using a lot of military metaphors in fighting cyber risks. But they do make sense. Increasingly, as the chairman of a technology service company such as BT, the number one issue of interest when I talk to other chairpeople and chief executives is cy-bersecurity. They are seeking to understand how firms such as BT can help them, because they want to cross-check their own technol-ogy capability with independent verification and advice in helping with their systems..

When I was chairman of EasyJet, the first item on the agenda of every board meeting was the report on airline safety. It was front of our mind and the number one issue for the board. Now, at Worldpay, a publicly quoted payment system, the first item on the agenda of every board meeting is cybersecurity. We

Today’s IT leaders face a fast and furious landscape that they must handle. In essence, the CISO must move from being a technocrat to a leader.

25 ■

THE boArD’s DuTy: GETTING THE bAsIcs rIGHT

treat cybersecurity the same way that EasyJet treats the safety of the passengers, aircrew, and aircraft.

As part of the UK’s critical national infra-structure, at BT we have a virtual ‘perimeter’ fence around our business. But this is incred-ibly difficult to risk-assess, and those with malicious intent can cut through the wire and become sleepers, lying dormant for 18 months, then attempting to pick up and ac-cess data. In the first instance, it is important that you defend your own perimeter, con-stantly scouring for any breaches.

Then there are the truly crucial elements to the business—and they need to be held in a very secure place, which we refer to as the ‘citadel’. Here you need double the strength and triple the security.

J Don’t work on your ownThere is plenty of help out there. In the UK, there is increasing collaboration—both for-mal and informal—between government agencies and companies that supply and maintain the critical technological infrastruc-ture for the nation. It has helped that GCHQ and MI5, normally reticent security agencies, have spoken openly about the threats when cyberattacks have occurred. In the past, it was thought better not to publicise attacks; now there is a climate of sharing information that is helpful and imperative. Increasingly, boards are legally expected to make a public response to high-level attacks where custom-ers’ information has been compromised.

J The next generation of leadersThere are plenty of managers but never enough leaders. Management is easy: lead-ership is difficult. As we’ve seen, the CISO needs a technological background. But the CISO needs to be a bigger, broader leader and communicator who prioritises. It re-quires an individual who can deal with com-plex areas with multiple pressures. In the past we’ve tended to think of the Techie Uber Alles, whereas now we need people with a broader focus.

What is encouraging is that the IoT (In-ternet of Things) means more people will be looking at technology as a future path to lead-ership. So technology departments need to develop general management programmes, the way they have evolved in other func-tions, such as marketing and finance. Lead-ership development programmes should include the very best from IT to give them experience of general management. You sel-dom see an IT director become the chief ex-ecutive, unless it is a tech-based business.

Many years ago we reached the tipping point where no one could seriously be con-sidered for a chief executive’s position un-less they had sound financial awareness. You can’t do the job without that. We are now moving to a stage where future chief executives will need sound technology awareness. The next generation of leaders, who understand technology, will be the but-tress we create to maintain secure systems, data, and information.

27 ■

AcHIEVING your coMPANy's fuLL PoTENTIAL IN THE GLobAL cybEr EcoNoMy

Achieving Your Company's Full Potential in the Global Cyber EconomyDepartment for International Trade’s Defence and Security Organisation – Conrad Prince, Cyber Ambassador

CEOs should aim to view cyber as an economic oppor-tunity for the UK, with government, industry and aca-demia working together to further develop a powerful cyber sector.

The UK is a world leader in cybersecurity. Our digital sector is the largest in Europe, employs over 1.5 mil-lion people, and is growing faster than the rest of the

economy by a range of measures. Within that, our cyberse-curity industry employs over 100,000 people and is worth over £17 billion. We are on track to achieve £2 billion of cyber exports in 2016. The UK cybersecurity offer is built on a fantastic heritage in computing and information tech-nology, from Charles Babbage to Tim Berners-Lee. We are home to some extraordinary innovation in cyber, whether in industry, academia, or other research institutions. And in GCHQ we have a world-leading cybersecurity centre of excellence. Cyber represents a significant economic oppor-tunity for the UK.

But if the story for the UK’s cyber industry is a positive and exciting one, all too often in boardrooms it still feels like cybersecurity is a subject that’s overly complex, largely impenetrable, and mostly bad news: a dragging anchor of risk and cost that only weakens the bottom line. There has been a significant increase in board engagement on cyber

JJ The UK is a world leader in cybersecurityJJ Boards need to appreciate and manage the risksJJ Companies need to engage fully with

cybersecurityJJ Building a strong cyber economy is collaborativeJJ The UK’s firms have potential to grow cyber

business globally

■ 28


over the last few years. A recent survey of FTSE 350 companies1 showed that around half now placed cyber risk as a top risk, up from less than a third a year previously. But the same survey also showed there’s still a fair way to go. Two-thirds of boards have not clearly set and understood their appetite for cyber risk, only half describe themselves as

having a clear understanding of the potential impact of loss or disruption of key informa-tion and data assets, and less than a quarter received comprehensive and informative management information relating to their cyber risk. There is still a need to demystify cybersecurity at board level. It needs to be understood and treated as simply another risk judgement a board has to make, balanc-ing cost and benefit, as in so many other ar-eas. Boards need to understand what they really care about when it comes to cyber risk, what really needs protecting and what is less significant, what the impact of cyberattack on different parts of the business may (and may not) involve, and what their appetite for risk is in this space. But in order to do so, boards not only need to apply the right priority to cybersecurity, and be prepared to engage with it as a subject, but they also need to have the subject presented in a way the business can understand and relate to.

This puts a big responsibility on CISOs and other cybersecurity professionals. They need to have the confidence to engage at board level, the communications skills to convey cyber risk clearly and succinctly—in

a way boards can relate to and which enables them to make decisions—and the networks and connections across their sector, includ-ing with government and with the cyber in-dustry, to be able to provide the best possible advice. Crucially, they need to be able to put themselves in the shoes of board members and see the world from their point of view. This may represent something of a different skill set from the traditional one.

And we need to ensure cyber risk is con-veyed in measured and balanced terms. This is not to underplay the very real and serious threat. But the cyber world has not done itself any favours when it has sometimes described the threat in extreme terms. There is a risk of C-suite executives feeling as if there has been a bit of crying wolf on cyber, which in turn makes it harder to lodge some important messages. Again, it is about the cyber experts presenting the picture in a measured, bal-anced, and accessible way.

Implementation of effective and pragmatic cybersecurity should be seen as an opportuni-ty to achieve competitive advantage. Even so, a recent survey revealed 21% of respondents—mostly professionals in the ICT sector—saw cy-bersecurity as a blocker to business value and innovation.2 But good cybersecurity (which does not need to mean gold-plated solutions to everything) is a critical enabler to business and innovation. Digital capabilities are fun-damental to modern business, and having the confidence that they are being employed with a sufficient level of security is essential. And businesses that can demonstrate that their sys-tems and data—critically including customer personal data—are secure can use this as a competitive differentiator. So boards should be asking how cybersecurity can work for them.

Building a strong cyber economy is not just something for the private sector. The UK Gov-ernment is committed to building a nation that is secure and resilient to cyber threats, and prosperous and confident in the digital world. We produced our first comprehensive national cyber strategy in 2011, which since then has formed a model for similar strategies

Building a strong cyber economy is not just something for the private sector. The UK Government is committed to building a nation that is secure and resilient to cyber threats, and prosperous and confident in the digital world.

29 ■

AcHIEVING your coMPANy's fuLL PoTENTIAL IN THE GLobAL cybEr EcoNoMy

elsewhere in the world. Our first National Cyber Security Programme invested £860 million in a major programme of work across the UK Government, industry, and academia, significantly building our capabilities to un-derstand and respond to the cyber threats the UK faces, while building a world-class cyber-security ecosystem that provides us with the skills, capabilities, and innovation we need to thrive in the digital age.

The first new national cyber strategy since 2011 is being published, with the UK Govern-ment allocating £1.9 billion to cyber over the coming five years. A centrepiece is the creation of a new National Cyber Security Centre. This will be a world-class centre to coordinate the national cyber effort and provide a single point of contact for advice for the public and private sectors. The NCSC will draw together a number of government bodies operating in the cyber arena. It will have a focus on engag-ing closely with the UK’s key critical national infrastructure sectors to work in partnership to achieve the right cybersecurity.

A key element of the new government ap-proach is the growth and innovation agenda. This is aimed at helping to develop further the UK’s powerful and innovative cyber-security industry sector. The UK has an im-pressively broad-based cyber industry, from big primes such as BAE and BT, through to innovative enterprises including the likes of Darktrace, Glasswall, Garrison Technology, Digital Shadows, and Titania. I could men-tion many others. We need to take this sector further forward, with a cyber ecosystem that translates innovative ideas into products, products into start-ups, start-ups into suc-cessful UK companies, and successful com-panies into world-class enterprises.

Two new innovation centres will be set up, one in Cheltenham, the other in London, to give direct support to innovators as well as small and medium-size enterprises, provid-ing a space where innovators can work, ac-cess to technical experts and business men-tors, along with testing and demonstration facilities. The innovation centres will focus on

a list of cyber challenges developed jointly by government, industry, and academia.

Alongside the innovation centres, the UK Government will provide support to enable the best cyber ideas developed in UK aca-demia to be turned into concept demonstra-tors, and to facilitate connections between cyber innovators in academia and the private sector to help turn these ideas into viable commercial products.

Established SMEs often say that they could have grown faster if they had had ac-cess to some key pieces of business informa-tion in their first few years of operation. A se-ries of SME boot camps will look to provide essential business knowledge to participants across the country, drawing on the experienc-es of entrepreneurs and business advisors.

A key area of development for the UK cy-ber industry is turning more of our innova-tive SMEs into larger-scale world-class com-panies. The government’s future cyber 20 programme will take a select group of SMEs who have this aspiration and the potential to achieve it and provide access to dedicat-ed expert support, including on marketing, branding, investment, and exports. Access to investment is a critical issue for developing SMEs. A new government cyber innovation fund is being created to help innovative firms get better access to investment capital. More venture capital and other sources of invest-ment funding are needed to help enable our SMEs to achieve their full potential.

Alongside this work, the dedicated cyber exports team in the new Department for In-ternational Trade will build its support to global UK cyber exports, including through cyber trade advisors based in key markets such as the USA and Gulf. These experts, drawn themselves from the cyber industry, complement the department’s existing net-work of export specialists in providing spe-cific support and market intelligence, partic-ularly to UK cyber SMEs.

These initiatives are underpinned by significant new investment in skills. There is a global shortage in cyber skills, and the

■ 30


government is implementing a range of mea-sures to help. There is a particular focus on students aged 14 to 17, identifying young people with an aptitude for cyber and help-ing them develop it through after-school clubs, special projects, and access to skilled mentors. At the same time, more cyber ap-prenticeships will be created, and there will also be funding to help retrain people later in their careers who are not currently working in cyber but have the aptitude to do so.

This is a major agenda to help develop the UK cyber ecosystem and boost growth and innovation. But government interventions are only part of the story. They complement all kinds of activity in the private sector and

academia. The government/industry/aca-demia Cyber Growth Partnership provides a strategic forum for key players from across the cyber ecosystem to engage with and shape the growth and innovation strategy. We need everyone across the community to play their part to help the UK achieve its full potential as a major player in the global cyber economy.

Works Cited1. FTSE 350 Cyber Governance Health

Check Report 2015, May 20162. TechUK Whitepaper: From cyber risk to

cyber resilience, May 2016

31 ■

ENsurING your EXEcuTIVEs ArEN'T THE ATTAck LurE or VIcTIM

Ensuring Your Executives Aren't the Attack Lure or VictimProofpoint – Ryan Kalember, Senior Vice President of Cybersecurity Strategy

It looked like an innocent but urgent email request, sent directly from the CEO, asking the finance team to wire significant funds to a vendor. Instinctively, the team com-plied. Unfortunately, the request wasn’t from the CEO—and the money wasn’t sent to a vendor. And that’s how cybercriminals worldwide are netting billions with simple email spoofing tricks.

CEOs worldwide are the top target for cybercriminals, but there are a number of ways organisations can ensure executives aren’t victims or used as effective attack lures.

Chief executive officers hold the keys to the kingdom—and have a persona that, when impersonated, can au-tomatically supersede security processes and policies

designed to protect an organisation. Luckily, there are a number of ways security teams can protect top executives from cyber threats and, by extension, corporate data, rev-enue, and brand reputation.

Senior executives have been prime targets since the dawn of the transactional economy, but illegal cybercrimi-nal activities continue to successfully extract money and

JJ CEOs are often the number one cyberattack targetJJ Attackers frequently pretend to be the CEO

to trick employees into sending money and information to criminal entities

JJ Simple and plausible cyberattacks are stealing billions by preying on human error, coupled with mass personalisation phishing attacks

JJ Beware of email, social media, and mobile communication channels

JJ A common-sense approach, and user education, can make a major difference

■ 32


company secrets through both sophisticated and simple cyberattacks. Increasingly attack-ers are moving away from technical exploits and are exploiting human curiosity and trust.

Attackers usually target email, social media, and mobile channels to research ex-ecutives; send intended victims malicious messages that extract passwords and cre-dentials—and ultimately steal confidential information and money; or assume execu-tive personas to convince users to willingly participate in criminal activities. Our re-search also indicates that cybercriminals are progressively employing mass email person-alisation to further convince victims to click, backed by an egregious volume of informa-tion available on the dark web.

While Windows Office 365, the cloud, social media, and mobile devices allow employees to work anywhere and connect, these technologies also extend the attack sur-face for many organisations.

J Watch for business email compromise (bEc) spoofing

Email spoofing has very real financial impli-cations for organisations worldwide. While email spoofing has been around as long as the Internet, and there are all kinds of le-gitimate reasons for using it, attackers have amplified their use of this technique through business email compromise (BEC) to im-personate executives over email. According to the FBI, BEC incidents have spiked by 1,300%, with losses totalling upwards of $3.5 billion, since January of 2015.

When it comes to BEC, the CEO is not the primary target but the lure. Criminals have realised that if they create an email and send it as the CEO to the finance department ask-ing for a wire transfer payment to be made, or

asking a chief engineer for sensitive company information, they might just manage to extract money or get the sensitive information they want. With BEC, criminals exploit the essential glue that binds business: trust. Cybercriminals are taking aim at the trust between people and organisations that allows the modern Internet-connected world to function.

We mostly take it for granted that the purported sender of an email is who he or she says they are; that a website that asks for your credentials really belongs to your service provider; and that a tweet from your bank about resetting your PIN code really came from your bank. There needs to be heightened urgency to educate executives about the BEC issue—even more than the need to expand cybersecurity general aware-ness internally, enforce stiffer penalties, and roll out better security programmes.

Cybercriminals are very adept at exploit-ing precisely the trust on which modern busi-ness essentially rests and taking advantage of the human element. Many people in the corporate chain will respond quickly and ef-ficiently to what they perceive as a message from the CEO or their boss and might be too afraid to question the authority.

By simply impersonating the CEO, and then asking someone to send confidential informa-tion, criminals can extract valuable company secrets. This becomes a personal slight for the CEO because they are often offended that they are being impersonated. There is a deep sense of violation, with many upset by how easily their employees have been duped.

Many experts in the cybersecurity world, who spend time working on highly com-plex technical defences, are astonished by the ease with which BEC theft is occurring. It all sounds too simple. What is alarming is the success rate in attempting this kind of at-tack—and it shows no sign of trailing off. In reality, there are only a few ways to properly defend against this. It involves protocols and behaviour within your organisation that stem from good solid common sense and technol-ogy that can identify BEC emails despite the fact that they don’t feature malware.

According to the FBI, BEC incidents have spiked by 1,300%, with losses totalling upwards of $3.5 billion, since January of 2015.

33 ■

ENsurING your EXEcuTIVEs ArEN'T THE ATTAck LurE or VIcTIM

J Mass personalisation: coming to an email near you

Today’s threat landscape continues to shift, and in addition to BEC threats, security teams need to be aware that cybercriminals appear to be incorporating more mass-per-sonalisation attacks versus low-volume tar-geted attacks via email.

Due to the volume of information avail-able on the web (from social media to the dark web), cybercriminals now have a scalable way to personalise an email phishing campaign to millions with a veneer of plausible company information. The unsuspecting person clicks it open without a second thought. On the sur-face, it is not much different from customised marketing emails, but these emails can have possibly devastating consequences.

J social media safety—it might not be your network, but it’s a vulnerability

In addition to email communication, social media provides an excellent channel for em-ployees to connect with customers, partners, and prospects, but it also amplifies risk. Con-necting over LinkedIn, Facebook, Twitter, and Instagram allows key audiences to actively engage with executives; however, for many organisations, security teams do not consider social media networks as part of their remit. It’s time for a change, because unfortunately, cybercriminals are actively working to take advantage of the large audience on social me-dia and to extract information to help them target attacks on your executives.

Think about it like reconnaissance be-fore a crime. Criminals use social media information to build profiles both on your executives and on the people within your organisation who are linked to your CEO. Through social media research they can de-termine if a CEO is traveling, who serves as the administrative assistant, identify key financial executives, and even attempt to connect with your executives for direct 1:1 communication.

Armed with social media research, attack-ers can create custom emails with lures that are personalised. For example, if a CEO posts

about a specific sports team, an attacker can craft an email offering free tickets with a link to a malicious website that steals username/password credentials. And because all of the CEO’s connections are on social media, the cybercriminal can even spoof the email so that it appears to come from a CEO’s social media contact. All it takes is one click and your CEO is compromised.

Once inside the network, attackers often look to conduct a lateral movement assault to steal confidential information. Because most CEOs have unlimited access across the net-work, pretending to operate as the CEO with-in the network offers unlimited attack poten-tial. In most cases, the attackers are hunting for a specific piece of information or intel-lectual property, which can include patents, trademarks, copyrights, and trade secrets.

J Take a proactive approach, investigate the dark web

In order to best assess security threats to your organisation, it’s time to consider going outside your network and determining what information is out there. You’d be astonished just how much information on C-suite lead-ers is available for sale on the dark web, in-cluding the private phone numbers of high-profile CEOs and senior executives of large organisations. When undertaking a dark web assessment, it’s critical that an employ-ee with a fair amount of technical specialist expertise oversees the project, as it requires navigating the dark web. It’s important to use a Tor Hidden Service Protocol, which hides your location, along with an encrypted anonymised network.

J creating a cEo-centric cybersecurity planUser awareness and education will have a very positive impact on stopping advanced and simple cyberattacks. Ensure that users—including your executives—understand the value of the information they process. You don’t leave the house without locking the door: it’s the same kind of discipline you need to instil across your executive team and when selecting security technologies.

■ 34


It’s critical to educate users on phishing attack tactics and dangers, business email compromise tactics, mobile device best prac-tices, and how to properly leverage the social

web. And while this will help, someone in every organisation will always click, so you must also augment these approaches with security technologies.

JJ Educate your employees to use common sense before clicking an email, sharing information on social media, and downloading mobile apps. Encourage them to ask themselves when they receive an email: do I know this person? Why are they asking me for something? Is this the usual and accepted channel? If in doubt, pick up the phone and ask the person personally.

JJ Make all staff aware that an email from any source within the company, including the CEO, could indeed be fraudulent—and to always examine the content before automati-cally trusting the source. Staff need to question the veracity, especially if that employee is highly unlikely to receive an email from the person at the top.

JJ Make sure the business understands the way the CEO actually works. Does he/she normally use an administrative assistant to send requests? Email remains the number one attack vector and the way most breaches start—so staff need to be vigilant and suspi-cious when they see an email from the CEO in their mailbox.

JJ Be proactive about looking at sources of risk for the CEO. This is about digital threat surveillance and may involve keeping track of what is being said about the business on the dark web, or on the general web on websites like Pastebin—where someone with a grudge is untraceable and can leak sensitive company information—and WikiLeaks.

JJ Protect the CEO’s social media activities and educate him/her on best practices. Safe-guard the CEO’s social media accounts, scrub the content for personal information that could be fodder for cybercriminals, and ensure your organisation has an added layer of security that stops malicious links before the executive can click.

JJ Think of mobile devices as a roaming way cybercriminals can break in. Audit all devices your CEO is using—and map that use to your security plan. Encourage tablet use rather than a PC when on the move to help reduce the attack surface. Ensure that he/she is using the most secure device possible, isn’t downloading malicious data-stealing applications and can’t connect to unsafe Wi-Fi hotspots—and that all data can be remotely wiped in the event the device is lost.

JJ Be careful not to allow others to use the CEO’s computer, mobile devices, or social networks. Children of CEOs who have been given permission to use their parent’s ‘cool’ device have inadvertently allowed malware to be downloaded.

BELOW ARE TIPS FOR HOW TO CREATE A CEO-CENTRIC CYBERSECURITY PLAN:

Enabling Innovation

37 ■

How Should Businesses Put a Price on Digital Risk? BT – Mark Hughes, President, BT Security, BT Global Services

HoW sHouLD busINEssEs PuT A PrIcE oN DIGITAL rIsk?

Cybersecurity comes at an increasing cost to your busi-ness. So how do you balance cost versus reward?

Right now, CIOs have a lot on their plate. The board wants to press ahead with digital transformation, and customers want to do business through multiple digi-

tal channels. Every company must consider the risks as-sociated with cybersecurity when developing its business strategy. But this is a significant challenge for many chief executives and finance directors because of how difficult it is to put a price on digital protection.

We know that cybersecurity will make or break the digital business. It is the number one enabler, allowing a business to run at speed and to build customer trust and investor confidence. Conversely, poor security is a disabler and will undermine all efforts at digital transformation.

BT is in a fortunate position. As the oldest telecom-munications company in the world, protecting customer data has been an ingrained part of our business from the outset. For BT, security is a competitive advantage. Security is behind our service and our brand, and it's a massive differentiator for us. We can promote services such as BT Sport with confidence because we have as-sessed the risks and designed appropriate controls. But too many organisations are still working with a fragile, insecure IT environment, which cannot support their digital ambition.

JJ Companies must consider how to ‘cost’ cyber riskJJ Understand what you need to protectJJ Gather all of your factual information JJ There will be trade-offs on securityJJ Be clear about your priorities

■ 38

ENAbLING INNoVATIoN

So how exactly do you attribute a value to digital risk? How do you set about find-ing out how much cybersecurity should cost your business?

It's certainly difficult to quantify using traditional methods, and we found that cy-ber risk was practically impossible to build into business cases. We took a step back and looked at risk evaluation methods more common in the insurance industry—in par-ticular focussing on downside risk. BT has its own insurance company and also has one of the largest pension funds in Europe—so we could draw on our existing experience at assessing unknown and unpredictable risk.

In costing risk you’ve got to look at your assets holistically. With over 6,500 proper-ties and 100,000 people worldwide, as well as a large global network and confidential personal data, we needed to consider and attribute a ‘risk’ value to a significant num-ber of areas.

Once you have evaluated each element of risk, you can then make the decisions about how and where you are going to invest. We followed some general rules:

Rule 1: Understand what you need to protect and whyIn order to determine how to build and invest in your security architecture, you first need to ensure that you have complete understanding of what needs protecting. This is often easier said than done, as many corporate networks have been built over time and often through acquisition. This is not just about creating a list of assets—corporations need to also un-derstand which aspects of their network will,

if attacked, cause the most damage—either reputational or economic. For example, BT has a major task because we underpin the UK’s telecoms infrastructure. Our customers expect that classic 99.999% reliability when it comes to communication. They also have a reasonable expectation that any data they give us so that we can manage their bills and accounts is secure. Furthermore, BT’s net-work is a core economic asset upon which all of our business customers rely. Any compro-mise to our network can have a massive eco-nomic impact and therefore attracts the lion’s share of our security investment.

Another way to do this is try to think about how embarrassed your company would be to see its name associated with a cyberattack on the front page of a national newspaper. What would this headline look like? Quite often it is not about technology or systems but about the impact on your customers when their data is exploited. Start from impact and keep-ing on asking ‘why’.

Rule 2: Do not underestimate reputational riskWhile the justification for security invest-ment largely revolves around protecting tan-gible equipment (servers, networks, build-ings) and the data that resides on or in them, one of the most powerful motivations needs to be an understanding of the impact a cyber-attack can have on one’s brand and reputa-tion. This is especially critical for BT because of the central role we play in protecting the UK’s critical national infrastructure. But all companies could also risk the loss of trust of their customers if they are found to have been negligent in protecting their critical assets.

Up until now, most companies could take comfort in knowing that most cyberattacks were not made public except in very high profile cases. Many countries do not force companies to report breaches. However, this is changing. For example, the upcoming EU General Data Protection Regulation will re-quire most companies to report any loss of customer data to government authorities, and they will potentially face major fines (up to 4% of global turnover) if they are found not

In order to determine how to build and invest in your security architecture, you first need to ensure that you have complete understanding of what needs protecting.

39 ■

HoW sHouLD busINEssEs PuT A PrIcE oN DIGITAL rIsk?

to have had adequate protections in place. As more of these regulations come into place, the potential for a cyberattack to damage a com-pany’s brand becomes almost a certainty.

Do not think only of the potential harm to your customers, but think what impact this could have on your suppliers. It they lose trust in you, your costs will go up, options and leverage go down. Reputational risk is a genuine end-to-end issue.

Rule 3: Establish there are going to be trade-offsA good security architecture must strike a balance between providing robust protection for critical assets whilst not being a barrier to productivity. In fact, a state of the art ar-chitecture can be viewed as a key enabler for doing business, as it gives the employees the confidence of knowing that their day-to-day activities will be secured without worrying that they may take an action that could put the company at risk. Therefore, companies need to make sure that they are putting in the most appropriate security controls and pro-cess for the asset or activity. Making security too tight can have its own negative side effect in preventing your employees from getting their work done efficiently.

Taking advantage of the cloud is forc-ing companies to take a new look at these trade-offs. There are massive economic and productivity advantages for businesses and organisations that adopt cloud services, es-pecially those with large mobile workforces. Often innovation has been held back by cau-tious security chiefs who are nervous about the inability to control the security of these third-party cloud services. However, new security capabilities are being developed to enable CISOs to get more comfortable with the balance between potentially massive in-creases in productivity and a need to ensure the integrity of any corporate data being sent to and stored on third-party clouds.

In fact, these third-party cloud services can often be more secure than your own data centres. For these services, providing reli-able cloud capability is core to their business. Therefore, it is in their own self-interest to

invest heavily in security in order to earn your trust and loyalty and defend their reputation.

Rule 4: It’s about people and process, as well as technologyMost conversation about investing in securi-ty revolves around purchasing of appliances and technology. However, almost as impor-tant is to invest in your people and processes I’m not talking about your security opera-tions—managed service providers such as BT can do that work for you, so that your busi-ness can focus on what it is really good at. However, it is conventional wisdom that the biggest vulnerability in any company’s busi-ness comes from the ‘insider threat’. This is often not (in fact, usually isn’t) malicious. The insider threat comes from people who make simple mistakes such as using overly simple passwords, or clicking on links in emails that they shouldn’t be trusting. To complete your security architecture, you must invest in a programme to develop a robust set of secu-rity policies and processes and ensure that your employees are trained to understand that following these policies and processes are an essential part of their day-to-day job.

In addition, companies should ensure that they have plans in place in the event to deal with the potential fallout of that inevitable breach caused by their people or processes. Too many companies have been caught flat-footed and mishandled the aftermath of a cyberattack, particularly when it comes to managing public relations.

Rule 5: Boil it down to the essentialsIt all comes down to one thing: it is about looking after information. Bill Clinton’s fa-mous election aphorism was: ‘It’s the econo-my, stupid’. For us, ‘It’s all about the informa-tion, stupid’. When it comes down to it, some of the most valuable assets companies hold is either intellectual property or customer data. A good analogy is to think of your data as gold bars. If you had gold bars, you’d want to keep them secure and make some money from them. But you wouldn’t just choose the closest person or organisation who offered

■ 40

ENAbLING INNoVATIoN

you a huge return, and you wouldn’t just throw them in a box and forget about them. You’d want to research the organisation and ask what they would do to look after your gold bars as well as make you money. You’d ask who would have access to them and how you would be able to access them. And you’d want to make sure that the bars got to the organisation safely in the first place. This is why we normally use banks to store gold bars. These are the types of questions people should be asking about their data.

Infrastructure can be ‘fixed’, laptops and phones can be easily replaced—it’s the data that resides on those devices that are the real assets cybercriminals are looking for. The growth of mobile workers and cloud ser-vices means that this valuable data is often kept ‘offsite’. However, too often endpoint

security and network security are managed completely separately, leaving open potential gaps that cybercriminals will be quick to find. So make sure that your security architecture takes a holistic approach and not only covers the infrastructure in your HQ and branch of-fices, but also all of the end-user devices and cloud services that your employees use and how that data gets from A to B.

J The price is rightToo few companies are talking about the real cost of cybersecurity. They are not even able to calculate how much it costs their firm—and how a breach will damage their reputation. Yet without pricing in the cost of their security, they face an unknown—and potentially cata-strophic—bill in the event of a major incursion by sophisticated and malicious invaders.

41 ■

HELPING THE boArD uNDErsTAND cybEr rIsk – AND WEIGHT IT AGAINsT busINEss IMPErATIVEs

Helping the Board Understand Cyber Risk – and Weight It Against Business ImperativesMarks & Spencer – Lee Barney, Head of Information Security

Now retail is all about cyber detail too. Ensuring the cus-tomer experience and expectation does not suffer at the hands of cyber risk is a fine balancing act.

Modern multi-channel retailers face an intense paradox. They must keep their online sales channels open 24 hours a day, seven days a week, making it easier for

customers to shop and purchase their goods. Yet, in turn, they make themselves the front line against cyberattack from criminals.

Marks & Spencer, a FTSE 100 company with a market capital of around £5 billion and over 850 stores in the UK, is in every major urban centre and most rural areas across the country. As a food and clothing retailer, we also fan out across the globe, with a mixture of wholly owned business-es, subsidiaries, franchises, and joint ventures. We have another 450 stores outside the UK, where our bricks-and-mortar estate is growing. Even with this presence, we need a transactional website. Around 10% of business is done through our online M&S.com platform. We also have M&S Bank, a wholly owned subsidiary of HSBC, while we also run the M&S credit card.

We are not alone in our fight against cyberattacks. Con-sumer behaviour has changed, and increasingly customers are shopping online. The issue for retail is: how do you deliver

JJ You’re open for business so you can serve customers and make profit

JJ Yet attackers are sophisticated and determinedJJ Resilient cybersecurity will keep your

business safeJJ You still need to keep it simple for your customersJJ Get everyone to calm down

■ 42

ENAbLING INNoVATIoN

security in a way that can be measured for its effec-tiveness and still keep customers happy? The goal is to create a better customer journey that is more secure and still allows us to make money.

First, there needs to be continual educa-tion and regular updates for your board col-leagues about cyber risk. There have always been criminal elements, but now they have become more sophisticated. Once it was High Street smash-and-grab with masked gangs driving through store windows, grab-bing tills filled cash and then trying to escape. Now that everything is digital, they don’t get much success with this route.

Today’s attackers are, however, just as ag-gressive. There is constant probing by attack-ers, and when they find a weakness, they are in. It is like a malicious stranger continually trying the doors and windows of your house to break in. Multiply this exponentially with a million people checking every digital brick and piece of mortar, shaking and tapping, to see if something falls out. When it does, they all plough in. It’s an army of nefarious activ-ity. This increasing professionalism and so-phistication allows criminals to find new vul-nerabilities in older digital infrastructures, including the ‘open’ source codes that were never designed to be secure.

J so how do you defend?It is not all doom and gloom. Cybersecurity can keep your business safe, but it is a matter of looking at the weakest spots. In the pur-est sense, your board must be dispassionate about this, because the first people who can cause great harm—whether intentional or otherwise—are your software developers. Unintentionally, software engineers create the weaknesses that are then exploited by the criminals who are looking to extract money, credit cards, and personally identifiable data. However, your engineers are not the biggest ‘threat actor’; those remain organised crimi-nals with expert cyber knowledge.

J Adopt great systemsAt M&S, we have adopted Agile development for software development methodology, with

the black belt and green belt of Six Sigma Lean processes. Our retail mind-set is about turning things around quickly to make prof-its. Our online platform is multi-channel and needs dynamic updating. It needs to keep working, otherwise we lose revenue. Yet our cadences—or iterations - can be five releases per hour. We need to assure ourselves that the developers are doing their job correctly. This means the ‘scrum-masters’ are taking into consideration the relevant risks and have escalation paths into security so we can stop things if we think there is going to be a prob-lem. Most important: we help them deliver secure code.

J Employ the best people you can affordAt M&S, we have built a solid wall of exper-tise that is among the best in the cybersecurity industry. We have six teams with over 40 peo-ple working in the cybersecurity department.

The teams are:JJ Cyber operations, who are the first line of

defence and are supported by third par-ties to provide out-of-hours expertise for all of our systems.

JJ Cyber governance, responsible for train-ing, policies, standards, and procedures, and disaster recovery.

JJ Cyber assurance, who protect the capital agenda and assets within IT. They are able to assess the risk of any changes that we make. They can then put forward any technical controls that are required to deal with the risk.

JJ Cybersecurity architecture, who are look-ing at the way the IT system works and operates and can be adapted.

JJ Cyber compliance. When you operate as a major international organisation (at M&S, we work in countries around the globe), it is important to work across borders. Our compliance team spends a third of its time working alongside corporate compliance.

43 ■

HELPING THE boArD uNDErsTAND cybEr rIsk – AND WEIGHT IT AGAINsT busINEss IMPErATIVEs

JJ The Red Team. A key element of Agile security is the ability to legitimately hack into any point of the business, at any time. The Red Team is defending against simu-lated attacks and the real thing. Everyone across the business needs to know who your Red Team is—and what they can do. They also work with the systems software developers.

Add to this some further capability. Be-cause we are a retailer, we have an anti-fraud team, which works very closely with us, as does the legal team, corporate compliance, and internal audit. All these pieces need to be working together to ensure we are more agile than the attackers.

J setting up a cybersecurity strategyEvery board needs to have a strategy that is customised for the requirements of that busi-ness. Here it is about clearly understanding your business strengths and weak spots. It is about knowing what you want to achieve in cybersecurity and plotting how to get there. For example, a decision on whether to use the cloud is a strategic one. Most retailers still use mainframes because there is not always a suitable system on the cloud, which is not al-ways the cheapest way of doing transactions. However, it might be suitable for your estate management or human resources. We work extremely hard to protect this data, because we are under no illusion: our customer’s cred-it cards are a high-value target for criminals.

J Dealing with confirmation biasThe board is often concerned with things that are not going to happen. So keep calm. Hu-man beings are susceptible to ‘confirmation bias’. This plays a part in the psychology of cybersecurity. The more information you receive that reinforces your original belief, the more likely you are to notice this. This is happening in the sphere of cybersecurity. Everyone in the industry thinks that a re-tailer’s cybersecurity is going to be compro-mised. Whenever board members hear about

a DDOS [distributed denial of service] attack elsewhere, in which millions of computers are used to hit a single device that buckles under the pressure of the volume, the conclusion is that surely there must be an increase in DDOS attacks. If you ask about DDOS attacks and get a reply that you have not been attacked, then you might believe that everything is fine. Your CISO has to be very careful about how he or she positions the reality. The response you need is: we remain concerned about crimi-nals because if they’ve been unsuccessful, they will be switching to some other kind of attack. When your board members understand the wider implications, they are quicker to respond.

J using the ‘genuine miss’ as a markerGoalkeepers are not always remembered for the saves they make. It’s the same with cy-bersecurity. So it is important for the board to understand when an attack has been averted and become a ‘genuine miss’, and the possible outcomes if the ‘miss’ had been a ‘direct hit’. This allows an active cybersecurity culture to become embedded within the business. We have a cyber-risk register, which is discussed at board level. However, first and foremost, we are a retailer, selling clothing and food, and our board has to juggle other priorities.

J Don’t be lulled into a false sense of securityEcommerce is now an intrinsic aspect of re-tail. It is dynamic and exciting too, as it brings us contactless payment, such as ApplePay, and smarter devices with all kinds of new means of purchasing services and products. It means you also hold customer details that you must protect. So the security battle looks never-ending. Applying a patch to some

Goalkeepers are not always remembered for the saves they make. It’s the same with cybersecurity.

■ 44

ENAbLING INNoVATIoN

corrupted software is never an answer. In-creasingly, the criminals are able to reverse engineer any patches to find a gap. As soon as the IT team manages to secure the system, there will be a temporary lull as the attackers reel from the change in tactics. But, following the five-year IT cycle, they will adapt. They will find fresh ways of attacking. It will be an ebb and flow of defence and attack. So never be lulled into a false sense that everything is working well.

If you have multiple suppliers, your sup-ply chain is a potential weak spot that is in-creasingly targeted by attackers. We under-take cybersecurity audits on every one of

our suppliers. This can be laborious, and it is not foolproof, but it offers a great deal of cover and certainty about who works with our business.

As new opportunities arise for innova-tion, we must be ready to bring them into our business while also mitigating the risks they pose. Building out strong oversight from the board to balance risk with business needs is critical, but without a technical team that also understands these business priorities and can implement them, you might as well pack up and head home. Fashion retail is often talked about as ‘detail’. Certainly in the sphere of cybersecurity, retail is all about the detail.

45 ■

Building a Holistic Security Function in a Global OrganisationBarclays – Troels Oerting, Group Chief Security Officer, and Elena Kvochko, CIO, Group Security Function

buILDING A HoLIsTIc sEcurITy fuNcTIoN IN A GLobAL orGANIsATIoN

By integrating duplicative functions, building security operations centres, and taking a holistic approach, com-panies can optimise their resource allocation, drive down costs, maximise results, and create increased security.

As more and more services, assets, and operations be-come digital and delivered online, cyberattacks have become the way to access institutions’ ‘crown jewels’.

Cybercrime is a fast-growing business that is continuously evolving and has become high profit and low risk; in ad-dition, it does not have geographical boundaries. Losses of assets from cyber heists are clearly a current danger fi-nancial institutions face. Despite institutions’ efforts and investments to fight cybercrime, the rate at which threats

JJ Security models that are currently prevalent in global companies haven’t been adapted to the current realities

JJ Global companies should consider a whole new approach to security that relies on bringing together different security-related units and sharing of intelligence

JJ Most global institutions don’t have an ability to connect crime, trends, patterns, or suspects across business units

JJ Cybersecurity should be integrated with physical security and, in case of financial institutions, work much closer together with financial crime divisions, anti–money laundering investigations, and intelligence divisions

JJ Coordinated 24/7 intelligence, investigation, and rapid reaction security teams should work side by side

■ 46

ENAbLING INNoVATIoN

evolve exceeds the organisational capabili-ties in most institutions. Security models that are currently prevalent in global companies have grown organically over many years and haven’t been adapted to the current realities. The increasing sophistication of the threat, prioritisation of openness and functional-ity over security, and a lack of relevant tools on premises are many of the reasons institu-tions can be exposed to cyber heists. There are a variety of adversaries who are a threat to financial institutions, such as organised criminal groups, nation states, hacktivists, or terrorists. Insider threats are a growing chal-lenge. The ability to prevent, detect, protect, respond, and recover fast becomes a priority, as attacks have no borders. For this reason it is important for global companies to consider a whole new approach to security that relies on bringing together different security-relat-ed units and sharing of intelligence. A holistic management of security will provide better understanding of threats and a coordinated response that will protect all business chan-nels and products.

In the hyperconnected world, all the roads to a successful digital future rely on security. Trust is at the core of the business for a grow-ing number of industries. The biggest risk to an institution’s competitive future is to lose trust from customers, investors, stakehold-ers, shareholders, or regulators by being a victim of large-scale breaches, large monetary losses, wiping of digital assets, manipulation of data, or disruption of services.

The environment surrounding an insti-tution is composed, among other elements, of employees and all stakeholders, physi-cal locations, on-premise and cloud infra-structure, and third-party providers. All of

these components work in parallel towards a common goal, but are rather independent from one another. In addition, many busi-ness units are also structurally isolated from one another. Security models of institutions should account for the often disjointed na-ture of the technology infrastructure and business units, and have a holistic approach to better detect, react, and recover from so-phisticated security threats. These models should be able to coordinate with reporting lines, enable real-time sharing of informa-tion, and deploy ‘corporate memory’ with the ability to recognise patterns and anoma-lies across channels, products, entities, and lines of business.

Currently, most global institutions don’t have an ability to connect crime, trends, patterns, or suspects across business units. Technology and physical crime teams have limited strategies that do not take into consid-eration the capabilities of other teams. Insti-tutions don't have true group-wide strategies for how collectively they can minimise crime, increase detection risk, or improve trust with customers and regulators. Intelligence is lim-ited and segregated—it is not used to predict and prevent incidents. There isn’t intelligence to debrief on important know-how, what to do and what not to do next time. In addition, there is scarce contact with local, regional, national, and international law enforcement, except for case-to-case incidents.

In order to prepare, prevent, protect, pre-dict, detect, and recover from cybercrime, organisations should consider refining their security models. Cybersecurity should be integrated with physical security and, in case of financial institutions, work much closer together with financial crime divi-sions, anti–money laundering investiga-tions, and intelligence divisions, in order to have a holistic visibility into security. The strategy is to establish an intelligence-led defence resting on adequate cyber hygiene, physical security and cybersecurity con-trols, with the ability to detect and react to the right 'signals'. The objective is to elimi-nate the mentioned inefficiencies through

Currently, most global institutions don’t have an ability to connect crime, trends, patterns, or suspects across business units.

47 ■

buILDING A HoLIsTIc sEcurITy fuNcTIoN IN A GLobAL orGANIsATIoN

clearly identifying security goals aligned with the business goals, and organizing var-ious functions towards these goals, which will result in removing duplication, deliv-ering savings, improved performance, in-creased visibility and coordination through better management, and unified/integrated security platforms for the bank. We also be-lieve that companies should focus not on notions—such as ‘Information’, ‘cyber’, or ‘physical’—describing security, but simply focus on the core: to deliver Security.

In order to deliver Security, there is a need for group-wide minimum security standards accepted by business lines. Cybersecurity programs should be run on common data sets and work together with law enforce-ment entities. Security methods and proce-dures should be based on global acceptable standards with respect for data protection and privacy. Given that products will be de-livered online, security, safety, privacy, and trust should be enhanced, ensuring that all available information/intelligence is anal-ysed. Security teams should support preven-tion and mitigation of attacks and breaches regardless of their nature—cyber, physical, information leaks, and internal threats—or their detection methods. This ‘one-stop-shop’ could gather intelligence and forensic evidence, as well as help investigate and re-cover financial losses. It should also make sure that any new modus operandi—any new tools and techniques—are exchanged with the appropriate partners to enhance cy-ber hygiene and resilience. Internal policies to face the new threats and risks should be updated accordingly.

In addition, coordinated 24/7 intelli-gence, investigation, and rapid reaction se-curity teams should work side by side. This would lead to reduction in losses and costs and improve security. Initial steps should be oriented towards:

JJ enabling holistic pattern recognition to distinguish between ‘normal behaviour’ and ‘abnormal behaviour’ to accurately detect suspicious behaviour

JJ allowing cross-channel visibility to detect complex patterns of behaviour that may involve multiple layers across channels, products, and accounts

JJ establishing an alert management sys-tem to automate decisions and score risk before the investigation process and establishment of a central case manage-ment is initiated

JJ creating the ability to link complex cases, in which threats are detected locally within a business line but are part of a global threat that targets several busi-ness lines

To reiterate, when developing innovative security models, global organisations, in our view, should:

1. consider a global security strategy on how to minimise risk, improve trust, and align with business goals by removing duplication, delivering savings, and improving performance;

2. focus on the core mission—to deliver Security;

3. define security based on business needs and acceptable standards with respect for privacy;

4. enable the ability to connect various security incidents regardless of their nature;

5. analyse past events and perform analysis not only of what has hit organisations already, but of what is likely to hit in the future;

6. enable a coordinated 24/7 rapid reaction team.

By integrating the duplicative functions, building security operations centres, and fo-cusing on all aspects of Security, companies can direct, monitor, and control the imple-mentation of security and trust as a whole. This way they can uphold maximum secu-rity for fewer investments. Institutions need to optimise their resource allocation, drive down costs, maximise results, and create increased security.

Your Security Leadership Team

Hiring the Next Generation CISOHeidrick & Struggles – Chris Bray, Gavin Colman, and Giles Orringe, Partners

51 ■

HIrING THE NEXT GENErATIoN cIso

A key figure in your top leadership team is the CISO. How do you find the right CISO for your business?

You are the chairman or chief executive officer, and you’re about to conduct an interview to find the best person to protect your business. You’ve been per-

suaded that you must add a CISO to your leadership ma-trix. Yet how do you evaluate the position and the best person for the post?

As corporate businesses have evolved to embrace digi-tal transformation, we’ve witnessed the C-suite integration of the chief technology officer (CTO), the chief information officer (CIO), the chief operational risk officer (CORO). Now you’re told you need a CISO.

J What kind of cIso do you need?

JJ You are looking for someone capable of handling a wider commission across your organisation. A vigilant CISO wields a great deal of power and can close down strategic business processes that have been compro-mised, without recourse to the chief executive. So you need to be able to trust their judgement implicitly.

JJ The CISO (chief information security officer) is an increasingly important board-level role

JJ The CISO must speak the language of the boardJJ Reporting structures vary—depending on the type

and sector of businessJJ The CISO needs to fully understand the wider

company cultureJJ Great all-round CISOs remain in short supply

■ 52

your sEcurITy LEADErsHIP TEAM

JJ Your CISO must operate in different spheres, depending on the structure of your business. In whatever way the struc-tures are set up, the CISO needs to have an authoritative voice, with his views and recommendations heard and discussed at board level.

JJ Your CISO will be an individual who understands the conceptual, practical, and actual challenges of cyber risk, and can switch seamlessly from a deeply tech-nical discussion to a more business orien-tated one.

JJ Your CISO must be sensitive to your organisation’s unique culture. Many insti-tutions believe that resolving security issues is about building the highest walls of a cyber citadel, yet the threats often come from underneath and within. Here your CISO must be diplomatic and cre-ate the culture and processes within an organisation that fundamentally address the security issues. Stolen log-ins, user accounts hacked, credit card fraud, inter-nal emails about contracts, have all shown that security can be easily breached. If staff are behaving in a contradictory and inappropriate way, then increasingly tech-nological barriers will flag up such pat-terns. Internal processes need to be sen-sitively and delicately handled to ensure that employees don’t feel they are being spied upon.

JJ Your CISO’s job is to communicate regu-larly and determinedly with the board. His role—and there are still far too few women candidates—is about ensuring the board is asking the right questions and then helping them process the answers. While it is the board’s job to set the busi-ness strategy, they will need the CISO’s guidance when it comes to cyber risk.

JJ Your CISO needs to make strong friends outside the business. The job extends beyond the board by contributing to a

broader, non-competitive community, which will involve government, trade bodies, regulatory authorities, intelligence agencies, and might well involve working alongside commercial competitors. Your CISO should become part of this collab-orative defensive community, including Interpol, Scotland Yard, the Ministry of Defence, GCHQ, and specialist industry bodies that can share information and protect business and other entities against sophisticated attacks.

JJ Your CISO needs the emotional intelli-gence to be a skilled influencer and a per-suader. It is unlikely to be a position for an introvert technology geek, no matter how smart he might be.

JJ The CISO needs to know what manage-ment is thinking. A board’s fiduciary duty is to do everything it can to protect itself from attack. Anything that is going to jeopardise the business is going to harm shareholder value and stakeholder interest. Every major FTSE board is regu-larly examining its position on cyber-security and physical security, with the CISO expected to define and report on the principal challenges.

JJ Your CISO needs to show that he has raised the risks with you and that you have understood them. The recurring questions to ask your CISO are: ‘Are we secure? And how do we know we are secure?’

J Where is the talent?This exponential rise in security challenges has taken many boards by surprise. The pace of this change means that leadership talent is struggling to keep up. In the CISO space, candidates will have grown their careers with one component part of a wider picture. So finding talent with the requisite five or six component parts is extremely difficult.

While the new breed is emerging from the intelligence, security, and law enforcement service community, including high-level

53 ■

HIrING THE NEXT GENErATIoN cIso

candidates in the Ministry of Defence, MI5, MI6, or GCHQ, it should be understood that there is also a cohort from the global mobile and telecom infrastructure sector and network security in hardware and software firms.

However, many potential CISOs fall short on strategic commercial business experience, and have a lack of knowledge in working collaboratively with external bodies. As a specialist, your preferred CISO will have moved across sectors gaining different busi-ness experiences.

Your CISO is likely to be unassuming, highly attuned to people’s behaviour pat-terns and values, and well connected. The ideal, well-rounded CISO has been emerging from the United States, particularly from Sili-con Valley. They are highly educated, discreet and capable of influencing, and commercially astute. Here the difficulty for European or-ganisations is prising these prime Americans to move to London, Paris, Amsterdam, or Berlin. There is a tiny pool of qualified peo-ple, and they are in big demand.

If you can’t find one who fits, specialist consultants are increasingly being deployed to undertake strategic projects, which in-volve putting the right metrics and processes in place, so that, when completed, they can be handed over to an operational, in-house team. You need to decide if this is the board’s preferred option.

Pay scales are reflecting the scarcity in California, where a CISO in a top Silicon Val-ley outfit can command up to $2 million a year, plus benefits and bonuses. While remu-neration for the CISO is high on the agenda, it is not necessarily the main reason. Typi-cally, what drives your CISO is the challenge, and the ability to make a significant mark,

perhaps by setting standards in a new indus-try. They need to be resilient, so they are not deterred by being rebuffed. What differenti-ates the best CISOs is the motivation and pas-sion for their work.

J The cIso must have business interests at heart

The CISO position is now widely recog-nised—but they must understand the objec-tives of making a return for investors. An effective CISO is not expected to apply more controls and barriers across an organisa-tion. They need to be acutely commercially focused and able to assess where security spending on controls is unnecessary. Many companies have shied away from publicly commenting or reporting about security breaches. Stupid things do happen: a man-ager walking out with a laptop with sensi-tive files and leaving it in a taxi shouldn’t happen, but it does. Legislation is changing too. For example, when it comes to critical national infrastructure, there is a pool of or-ganisations, such as the government, utili-ties, mobile phone companies, airports, and air traffic control, that would prefer not to talk openly about risks. They don’t want to put off stakeholders or scare the wider com-munity, but increasingly they will be legally expected to disclose cyberattacks. It requires a CISO who is calm and measured in the heat of demands for a response. It requires proper procedures that the board have not-ed and approved.

J In conclusionThis is not a technology discussion, it is a business one. The effective CISO needs to be business-centric—he or she is a polished and sophisticated communicator able to influence both internal and external stakeholders. But there should be no illusions about this new breed. A robust and fully fledged CISO is still difficult to find.

Typically, what drives your CISO is the challenge, and the ability to make a significant mark, perhaps by setting standards in a new industry.

55 ■

THE VALuE of your cIso: rEsPoNsIbILITIEs AND METrIcs

The Value of Your CISO: Responsibilities and MetricsIBM Security – Alan Jenkins, Associate Partner, and Palo Alto Networks – Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa

How do you measure cybersecurity effectively and ensure your CISO is up to the job?

Your chairman is in advanced negotiations about mak-ing a significant acquisition. The target is a high-growth social media darling with what appears to be

smart new technology. It’s a massive step up. Your finance director and the head of legal have done their due dili-gence. They like the numbers and the intellectual assets. The director of marketing is certain it will help sales rocket. Then the CISO comes out of the deal data room and says: ‘Hold it, folks! Don’t touch this company with a bargepole, it’s a cybersecurity nightmare!’

This is a litmus test for today’s companies. How much store do you place on your technology chief’s assessment of a strategic commercial decision? Furthermore, is a (prob-ably not technically savvy) board able to measure the suc-cess of the cybersecurity your CISO has put in place? In the above case, the CISO has found that the ownership of the customer data is dubious; the software system is riddled

JJ Technology leaders can be deal-makers or deal-breakers

JJ Companies are at different stages of cyber maturity

JJ It can be daunting to find the right CISO for your business

JJ Leading indicators are a better measure than lagging ones

JJ Cyber drills and testing help build leading indicators

■ 56


with flaws, and the cost of fixing the target’s legacy infrastructure might be more than the cost of purchasing the firm.

Do you take his/her advice—or press on? And then expect the CIO/CISO and their teams to fix it after the purchase? In today’s reality, your CISO is right to flag the issues. But having been in a similar situation work-ing with a FTSE 100 board, the solution was to flag the underlying risks without stopping the acquisition, thus allowing the board to make the purchase. And then insisting on operating the new business at arm’s length until the technology team could move in and clean up the new business unit’s IT in-frastructure. Only then would we consider making any kind of integration. This in-creased the acquisition price substantially, but the board accepted it as a necessary cost. This is highly unusual. Does your own board have this kind of discussion?

J When considering your metrics, decide on the level of cyber leadership you require

Companies are all at different stages on their journey. Some are more mature in their cyber understanding than others—and require-ments vary dramatically. This leads you to ask two fundamental questions:

JJ What level of CISO will be acceptable and good enough for our business and to our stakeholders?

JJ Do we require someone who can help with M&As and other strategic business issues— or do you simply want a technical expert?

Your board must decide on the level of se-curity that it needs. This will depend on the technology you use and the regulatory envi-ronment you are operating in. This will deter-mine the level of the CISO you engage. When you appoint your first board-level CISO, ex-pect him or her to unearth cyber risks within the business of which your board was previ-ously unaware. At this stage, doing nothing is not an option. Your board must act.

How can you be sure that your CISO is good enough to sit on your board? One measure of

success has been how effectively they have been able to respond to a crisis. Yet your board will need comfort about this vital appointment long before the firestorm of a crisis—and you don’t want to find them wanting during the first critical stages of the crisis.

J key indicators to measure your cybersecurityThere are a series of key indicators to mea-sure your cybersecurity, but they don’t all sit comfortably with the cycle of the business. Commonly, these are ‘lagging indicators’, showing events after the fact through the ‘rear-view’ mirror. Typically, such indicators are captured on a security dashboard with a red, amber, green traffic-light display on how many systems are antivirus protected, num-bers of patches deployed, and malware dis-rupted. Most of these volume-based statistics are in the past tense, with indicators measur-ing the ‘what happened’ rather than the ‘how it/they affected the business’. For example, your systems have all been patched within an agreed timescale: this might be a posi-tive. However, you must also ask how this is aligned with the risks to the business. Too many report on the number of antivirus sys-tems in place or secure passwords checked rather than the likelihood and impact of an attack on the business.

It is more helpful to have ‘leading indica-tors’. Here, this may be a struggle for your board, which strives to see life in a predictable manner based on past performance; it will need to embrace the unpredictability of cyber-security and (often) the pure randomness of whether you were hit by a ‘bad’ attack or man-aged to avoid it. Leading indicators are infuri-atingly difficult for the board to quantify. This has much to do with the cyber threat timescale being remarkably short. With traditional busi-ness activity, devising a new product, ramping up production, and taking it to market is nor-mally a 12-month cycle at least. Yet it does not take six months for a malicious attacker to find your weaknesses and try to get into your sys-tem. This is a different dynamic for the board to appreciate because they are not used to this rapid timescale of change.

57 ■

THE VALuE of your cIso: rEsPoNsIbILITIEs AND METrIcs

The business-orientated CISO will ap-preciate that they do not seek to make major changes on a financial system at the end of the month, and they don’t ask for more fund-ing for technology projects in the third and/or final quarter. However, this is the time to be requesting budget for the following fiscal year. Correspondingly, the IT security team need to understand when they can undertake routine change windows within the business dynamic and when the business risk justifies an exceptional change request.

An effective, modern CISO will articulate to the board why he is regularly requesting investment to manage risk and to keep pace with the changing threat-scape, to build and maintain resilience in your system—but no one can ever give a 100% cast-iron guaran-tee of security. Here, the leading indicators will focus on how the cyber team responds to events and minimises the disruption to the business by getting systems up and running after a reasonable outage period. It will also be about how your defences have been mod-elled and the gaming that has gone on across the business.

The mantra ‘when the going gets tough, the tough get going’ applies, meaning that the re-sponders are not going away from the prob-lem but heading right into it. If a fire breaks out, most people run away. With a cyberse-curity attack, you need the team running to-wards the ‘fire’ and sticking with it until the danger is contained, controlled, and eventu-ally closed down. Here, leadership plays its part because you see who comes into their own: and they are not always the people you might expect!

One of the leading indicators here is the time it takes to resolve a crisis or an attack. You might have a breach into a critical sys-tem, but if you stop it in a timely manner, then the damage to the business is limited and manageable. Alternately, there might be a low-risk attack in the business that has gone undetected for years: then the long-term com-mercial impact can be very high. After such incidents, a lagging indicator is about vali-dating whether detection and clean-up was

done within the timescales and risk agreed within the business. However, to make it a leading indicator, you can now use this to run proactive drills and exercises, whether internally or, as in the UK, using a third party to run a CBEST test, as set up by the Bank of England to test cyber threat vulnerability to known attack vectors.

Here the importance of ‘fire’ drills—whether company-wide or restricted to cer-tain key domains—can be a critical part of measuring your cybersecurity readiness. This kind of cyber drill or gaming should in-clude the board-level public spokesperson in the event of a breach, supported by your le-gal and HR teams. Such ‘mock’ exercises can do much to ensure the business is capable of responding to a full-scale crisis. It helps re-move the jargon and replace it with language that the business understands. It is the equiv-alent of actually using a fire extinguisher to put out a fire, rather than ticking the box that it is on a wall bracket. Undertaking actual cy-ber drills is more visceral and helps people at all levels of the business understand that they all have a part to play. This gives a lead-ing indicator to the board about how effec-tive the cybersecurity measures are. This can then be used to assess the commercial value of doing it better next time.

With this information, the board can then ask: ‘Are we getting better? Is the time from breach to detection getting shorter? Are we getting better at rolling out patches? Are we more secure?’

You are also able to measure your cri-sis management capability more clearly through gaming it. Has everyone involved rehearsed their public response and shown they understand the broader issues? And have you exercised your crisis management

Undertaking actual cyber drills is more visceral and helps people at all levels of the business understand that they all have a part to play.

■ 58


plan within your business continuity strat-egy, or is it still gathering dust on the shelf? You need to ensure the details, such as con-tact information, are up to date in case of a cyber breach.

J There is no guarantee of successYou can throw money at the best technology and be undone by someone inside your firm clicking on a Trojan link within an email. This is not an excuse for failure, merely a statement of reality: there is no guarantee of success with security. Your board is looking for surety from its security leadership. Yet often, the first head to roll in the event of a breach is that of the CISO or head of IT security because there was an (unrealistic) expectation that they would stop all breaches. This is counter-intuitive. A

board that has been through one breach and come out the other side is often better placed because it realises it did not do enough as a board. There is never a ‘bad’ example of a response to a cyberattack because we are all learning lessons from this. From a governance perspective, cybersecurity should be not the sole responsibility of the CISO but that of the whole of your organisation; that is what underpins the concept of ‘Three Lines of De-fence’. He or she is the executive leader and project owner, spanning the whole of the business. We learn from our mistakes—and it is almost sacrilegious to kick out your CISO, unless they have been shown to be truly negligent or criminal. Use that experience to improve your defences for the next time—be-cause there surely will be a ‘next time’!

Responding to Crisis

61 ■

ENsurING your boArD Is oN THE sAME PAGE rEGArDING cybEr rEsPoNsE

Ensuring Your Board Is on the Same Page Regarding Cyber ResponseStroz Friedberg – Edward M. Stroz, Founder and Executive Chairman

The words you use really matter to achieve understanding. So make sure you have a compatible lexicon when your board talks about cybersecurity.

Our civic society in Europe has woken up and is start-ing to tell us something fundamentally important. As a chief executive, you might not like to hear this, but

it’s your duty to listen carefully to what is being said—and what is expected of you.

Your business collects and stores a wealth of valuable information about customers and clients. You’ve been able to use this to build smarter products and services. It has taken a while for society to catch up with you. Now peo-ple understand and appreciate exactly how much private knowledge you have accumulated about them. However, recent revelations about the depth of this knowledge have shocked and stunned the public. Now society is telling the corporate world that if there are specific events that oc-cur involving a breach in the security of your computer system and information, then they want to be notified by you. You are being told that it is unacceptable that you, as a company executive, can make a decision on who needs to know. People resent being left in the dark, and society

JJ The public is fed up with and stunned by cyber breaches

JJ We need to be respectful and listen to society’s demands

JJ European regulations will be both carrot and stickJJ Find out what impact a breach will have on

your businessJJ Ensure your board validates its cybersecurity

posture

■ 62

rEsPoNDING To crIsIs

has demanded that your business be obliged to notify the relevant authorities and custom-ers in the event of a cyber breach where data is lost or stolen (usually having been copied).

The European Union is now also mus-cling in here on the side of the citizen with new legislative action. More than 90% of Europeans want the same data protection rights across the EU as in the United States, and you should view this as an opportuni-ty for you to review your digital resilience and incident response capabilities. Across Europe—and this includes the post-Brexit UK—the recently introduced General Data Protection Regulation (GDPR) legislation applies to all 28 EU member states, and it is designed to give citizens more transpar-ency and strengthen their rights around their digital information. This is a noble aspiration enshrined in a single European law for data protection, replacing a patchwork of national laws. The GDPR requires companies and or-ganisations to report a cyber breach or inci-dent within 72 hours, and notify individuals and data protection authorities. Also, some companies will be expected to carry out Data Protection Impact Assessments (DPIA), while larger firms might need to appoint a Data Protection Officer. ‘Data protection by design’ and ‘data protection by default’ will be the guiding principles.

The approach is both carrot and stick. Businesses are being encouraged to respond, but there will be penalties—even the possi-bility of prison—if you don’t report breaches.

We need to be respectful and listen to what society is demanding. Your board needs to be educated about GDPR and understand its

impact on your business. Up until now, many CEOs and their C-suite colleagues have en-gaged in what might be termed a ‘reasonable approach’ to information security.

However, this is an outdated and inad-equate framework. I say this because, too often, cybersecurity is thought of only by its value in protecting the amount of financial investment technology on the balance sheet. For example, you might have £50 million of IT assets, including hardware and software, on your balance sheet. Previously, the board’s question would have been, how much do I need to spend to protect that £50 million? The original answer might have been ‘much less than £50 million’. After all, that’s all you’ve invested. Right?

Incorrect. While that type of reasoning is logical for evaluating the risk to other balance sheet assets, it is dangerously wrong when it comes to cyber risk measurements. What if the damage done by a breach was far great-er than £50 million? It’s the equivalent of a cruise ship crashing and causing far greater destruction than the cost of a damaged ves-sel, through the payment of medical compen-sation for victims. In information technology, you are not just protecting the technology on the balance sheet but the value of the infor-mation that it holds and the dependability of its functionality. Obviously, this is much more difficult to quantify and will require in-formed judgement. Your IT assets also give any malicious adversary a platform to launch attacks from your company at someone else—someone who might well be the true target. Your technology is empowering as a weapon that can be deployed by others with criminal intent. Your board must appreciate that they could become unwitting allies of cybercriminals intent on wreaking harm on other organisations.

J key questions to askOn this score, you, as chief executive, must be able to answer three questions to validate your business’ cybersecurity capabilities. This gives you a clear and simple framework for a three-part analysis.

In information technology, you are not just protecting the technology on the balance sheet but the value of the information that it holds and the dependability of its functionality.

63 ■

ENsurING your boArD Is oN THE sAME PAGE rEGArDING cybEr rEsPoNsE

1. How likely is an attack that will victimise your operations?

2. How vulnerable is your business if that threat is aimed at your company?

3. What is the true impact on your business if that vulnerability is fully exploited?

3 KEY QUESTIONS

From this, you now need an individual-ised assessment of every single participant in the business and each component in the company to ask questions based on this three-part analysis. Also, you should note that the answers to these three questions will change over time. If you are not framing your discussion around these key strategic elements, you are in danger of developing a flaw in your system.

J How do you test the reality?Your board discussions must be reconciled right down to the reality of what is happen-ing in your company. It cannot be assumed that because you’ve received a PowerPoint presentation, this is how it works. You have to ask what has been tested and validate that the actions support what you have been told.

J Incident response: In-house or outsource?If you don’t have an incident response capa-bility ready today, then you should be looking at your options. You can either build an in-house team within your organisation—or you can outsource the requirement. In some organ-isations, we see an internal response team aug-mented by an outsourced relationship.

Making this decision depends on the vulnerabilities and risk you have now de-termined, and also on how much you are prepared to spend on protection. It is okay if you don’t have fully fledged cyber expertise on the board, but make sure you are getting

advice. It is very difficult for your board to explore this correctly if they are not getting an expert’s input. Let’s also be clear: someone who is top-class with technology is not nec-essarily an expert on security. So don’t make this mistake. You might be someone who can make a football—it doesn’t make you a good football player.

If you don’t have this lined up in advance with a firm you know and trust, you will have to defend two things in the event of an incident: first, you need to defend tech-nically what occurred and explain what has happened, and second, you need to answer questions about whether you were negligent in the way you failed to prepare for this in-cident. Did you and the board discuss this in advance, and can you prove that it was on the board’s agenda? To protect yourself le-gally, you should be able to show you had a prioritised list of actions, based on likeli-hood, vulnerability, and impact.

J your board has a lot of wisdomEvery board has a different way of thinking: a particular slant that reflects your busi-ness. Make sure that the expert advice is de-signed to make the issues clear for the way your board members think—not the other way around. Your board does not need to go down the ladder to the tactical level in order to figure this out. Your board members have judgement and wisdom. That’s why they were each nominated and approved as di-rectors. They bring judgement under their fiduciary obligations. Importantly, there needs to be a compatible lexicon in the dis-cussion of cyber risk using clear and unam-biguous terminology with which the board can comfortably engage. Make the issues accessible to their brilliance. If cyber risk is not being explained in clear language that makes sense to you and your colleagues, then you are probably not being served properly. You don’t need to understand the workings of an internal combustion engine to drive a car. It’s the same with cyber-de-fence technology; that is, too often, cyber risk is explained at this technological level.

■ 64


Keep the language free of acronyms and jar-gon. Keep it clear and reconciled with the concepts mentioned above of likelihood, vulnerability, and impact.

While cyber threats may seem to be in vogue today, they are real and very per-sistent. Our digital dependence is another business challenge with both risks and op-portunities. We should not underestimate its breadth of impact, but we should also not burden boards of directors with overly

technological conversation. As a chief execu-tive, you sit at the beginning of your journey to fully understand the risks in managerial terms, and to capture the opportunities as well. While there is no one right answer for how to properly navigate these waters, you are not alone. And as you learn from trusted advisors and your own efforts, make sure to engage your peers and share your findings, because your customers have woken up, and they expect nothing less.

65 ■

cybEr INsurANcE: HoW buyING IT cAN HELP coNfIrM your rIsk Is uNDEr coNTroL

Cyber Insurance: How Buying It Can Help Confirm Your Risk Is Under ControlMarsh Ltd – Mark Weil, CEO, Marsh UK and Ireland

Pro-active insurance can help your board shape its policy and procedure when facing cyber risk.

More firms are learning to live with the risk of cyberat-tack. We are seeing a rapid evolution in how firms are managing these risks, moving from a purely techno-

logical approach towards a more holistic one based on con-tainment and resilience, predicated on the understanding that some attacks will get through.

Despite the growing threat of cyberattacks getting through, good preparation can minimise the impact. One part of this preparation is a calculation of how much harm could be done, and therefore what cash and capital might be needed to weather a worst-case cyber event. That, in turn, leads to the question of whether external financing in the form of insurance will help.

There are many ways cyber can affect a firm, with vari-ous forms of insurance to cover this. The use of insurance to transfer some of the risk of cyber loss is growing rap-idly, particular in the United States, where mandatory dis-closure, large sanctions for data breaches, and high-profile attacks have raised corporate consciousness.

However, cyber insurance remains at relatively low penetration, and there is confusion over what is available and what it covers. This chapter provides a

JJ The insurance market for cyber risk is evolvingJJ Cyber insurance risk is still hard to priceJJ Insurers are helping shape the process for

protectionJJ Underwriters are gathering great insight about

cyber riskJJ Premiums depend on your company’s

preparation

■ 66


board-level guide to cyber insurance—in-cluding why one should bother with it, what it is, and how to do it right.

J Why insure?Insurance is a financing tool. It allows a firm to get access to third-party capital in the event of damage to the business. The insurance indus-try refers to this as ‘risk transfer’. Risk transfer is just one reason to insure, and arguably the least important, particularly for a cyber risk.

More significantly, insurance can also pro-vide an affirmation that you are aware of your risk, giving insight into how to improve its management and learning lessons from other firms who have suffered cyber losses. Most firms will want to do everything they can to prevent cyber losses rather than simply cover some part of the costs.

So insurance provides:

Affirmation. Insurance ‘marks to market’ how on top of the risk you are. The insurance market pro-vides a signal to leadership of how their ex-posure and preparations benchmark against peers. Firms who have been successfully at-tacked often did not realise they were vul-nerable. Their security team will tend to have ‘manager bias’, that is, to believe that they are effectively managing their risk. That will by definition refer only to their known risks, not the unknown risks. If a chairman is being told that the team has the risk in hand, yet insurance is either unavailable or avail-able at a high price relative to peers, then something is wrong.

Insight. An insurer is putting money down on your not having material cyber losses. That means that you can expect to go through a disciplined process to establish what could go wrong, how much it might cost, and how credible your preparations are. The insurer will have seen more cases and hold more data on this than any individual firm, and so the process of insuring should shine a light on your risk management.

Learning. There are a growing volume of claims relat-ing to cyber cover, principally from US firms, where cyber insurance is most established, but increasingly in the UK. That creates a pool of experience from firms where attacks have got through. Buying insurance connects a firm to the learnings from that information flow.

An implicit part of this is helping decide how much to spend and on what. There are huge numbers of firms promoting products and services to help manage the risk. A proper-ly conducted insurance assessment should put a value on different remedies, in effect helping shape investment choices on cybersecurity.

There are tools available that bring this to life. For example, we make use of a bench-marking tool used by insurance underwriters that gathers large amounts of independent data on firms to establish their attractiveness to hackers and their vulnerability to attack.

J Nature of insurance availableCyber is not in itself an event, but simply a conduit by which events can happen. Ac-cordingly, there is a wide range of harm that can come under a cyber label and that is cap-tured in different insurance covers, many not specifically labelled as cyber. A lot of cyber attention focuses on data breach, encour-aged by the regulatory agenda, such as the new EU General Data Protection Regulation. Many businesses have wider concerns, in-cluding the impact of a cyberattack on their ability to run the business, on damage to property and people, and on reputation.

Insurance can also provide an affirmation that you are aware of your risk, giving insight into how to improve its management and learning lessons from other firms who have suffered cyber losses.

67 ■


INSURANCE UNDERWRITING TOOL BENCHMARKS FIRMS ON ATTRACTIVENESS AND SUSCEPTIBILITY TO CYBERATTACK

Insurance is evolving rapidly, and there is often uncertainty over how policies would respond in the event of a cyber incident and scope for confusion over what is covered. Cy-ber risk can be explicitly included or exclud-ed from existing policies. In recent Marsh surveys, we have found that around 50% of CEOs believe they are covered against cyber, whereas bottom-up policy reviews suggest that the figure is closer to 10%. There is a dan-ger firms will discover only after an event that their loss is not, or is only partly, covered.

Insurance covers consequences but is lim-ited by an event. In the context of ‘cyber’ this can be more complex than for most tradition-al threats.

Effectively, insurance payout is determined by the function of:

JJ Who did it?JJ How did they do it?JJ What was lost?JJ What was the impact of the loss?

Any insurance programme needs to be put in place against scenarios that are devel-oped along these dimensions.

There are two ways to introduce cyber cover into your insurance programme:

1. As a stand-alone gap fill that stands alongside other policies to patch any gap with respect to a cyber incident.

2. As a blanket cover that sits behind all existing policies providing cover for cyber incidents that are otherwise excluded from your policies.

The amount of cover available is increas-ing as the cyber insurance market is growing rapidly. As indicative levels, firms are now obtaining limits for individual losses of up to $500 million, and there are emerging struc-tures that can go beyond this limit.

Historically, the cost of cyber insurance has been high as measured by ‘rate on line’ (the amount paid for a given level of cover)

Scatter plot of third-party scores enables quick identif ication of outliers.

■ 68

POTENTIAL CYBER INSURANCE OPTIONS WITHIN A TYPICAL INSURANCE PROGRAMME


relative to more established lines of insurance. Increasingly though, we are seeing a wider dispersion in pricing according to a particu-lar firms’ exposure and actions. This is driven by more discriminatory underwriting tools, a growing body of evidence, and more sophis-ticated management. Equally, a decision to absorb lower-level losses, passing on just the tail risk to a third party, will significantly re-duce cost.

It is worth briefly looking at the types of stand-alone cyber cover available. These can be categorised by who is insured—you or a third party.

First party covers your costs to:

JJ rectify a problem (e.g., crisis management, legal costs),

JJ restore your data, andJJ compensate you for your business

interruption and increased cost of working.

Third party covers any liability for damages arising from:

JJ privacy breach (PII or corporate confidential data release),

JJ network security liability (malware transmission),

JJ electronic content liability,JJ cyber extortion,JJ regulatory actions, fines and defence, andJJ payment card industry fines and defence.

As with any insurance policy, there are also some exclusions that are typical to most cyber policies available today.

These include:

JJ non-physical damage/bodily injury peril (fire, theft, flood, explosion),

JJ electronic funds transfer—(theft of money),JJ power grid/national critical

infrastructure, andJJ betterment.

0

5

10

15

20

25

30

GL CRIME AUTO EL WC PDBI Other cyber risks

Loss

Lim

its ($

m)

Insurance Line

Cyber Cat

Cyber Wrap

Insurance

Deductible

69 ■


J Process to go throughIt is possible simply to buy cyber insurance. For experienced buyers with well-defined exposure and confidence in what they need, that may be fine. For firms where their situ-ation is more complex, we advocate a more structured step-wise approach.

Identification involves working through the risk scenarios facing a firm. In our expe-rience, these are often not the most obvious. For example, firms may be very focused on data loss given its emphasis by regulators, but underplay the risk of business interrup-tion from parts of their supply chain or from less prominent parts of their business.

Quantification involves sizing the finan-cial impact of each scenario. That should be

in terms of absolute loss and in cash flow, giv-en the likely short-term disruption to income and costs that cyberattacks bring.

Management involves establishing what actions to take to help avoid and contain each scenario. While technology will be a significant element, a lot of cyber breaches are caused by basic human error and by em-ployees. That means that process change—for example, quality-assuring suppliers for cybersecurity—will be helpful. There are many guides to sensible management action that provide a checklist to defence, prepara-tion, and recovery.

We have a set of ten points for boards to put to their executive team on risk manage-ment (see chart below).

INSURANCE BUYING PROCESS

Insurance Management Quantification Identification

1. The main cyber threats for the firm have been identified and sized.

2. There is an action plan to improve defence and response to these threats.

3. Data assets are mapped and actions to secure them are clear.

4. Supplier, customer, employee, and infrastructure cyber risks are being managed.

5. The plan includes independent tests against a recognised framework.

6. The risk appetite statement provides control of cyber concentration risk.

7. Insurance has been tested for its cyber coverage and counter-party risk.

8. Preparations have been made to respond to a successful attack.

9. Cyber insights are being shared and gained from peers.

10. Regular board review material is provided to confirm status of the above.

10 POINTS FOR BOARDS

■ 70


With scenarios identified and quantified and management plans in place, insurance design can then follow. With insurance, the issues to resolve are: first, the extent to which existing insurance provides you with what you need in terms of what it covers and how much it covers; second, how best to plug any gap.

In summary, cyber insurance is grow-ing rapidly. Most firms are using it as a risk transfer tool that follows from their recognition that large losses are possible.

Unfortunately, that misses the opportunity for insurance to inform the management of cyber risk by providing market information and pricing of exposure. Firms seeking to transfer some of their risk through insur-ance should use this time to establish a pro-cess for assessing and managing their cyber risk around an insurance evaluation. The fi-nancial discipline of the insurance decision is an excellent way to confirm that the risk is under control and that firms are not just planning for failure.

71 ■

Preserving Your Company's Reputation After a Cyber BreachBrunswick – Richard Meredith and George Little, Partners

PrEsErVING your coMPANy's rEPuTATIoN AfTEr A cybEr brEAcH

Your response to—and preparation for—a cyber breach can make all the difference for your company and your career.

All chief executives who face the media storm after a cy-ber breach will have their leadership severely tested. It is a taxing time and requires calm and measured re-

sponses. While prevention is always the better policy, how you prepare for this eventuality can determine the outcome for your business—and your career.

We all understand that protecting data is a critical busi-ness requirement. The public still believes privacy is an ab-solute—or a matter of choice. Regulators, politicians, and companies find it difficult to communicate with a public (and media) that is frequently inconsistent, frightened, and often uninformed about this new world.

The reputational consequences of a cyber breach can be hard to predict. A company that has not established public trust will find this a more difficult journey than a company that is already trusted for competency, professionalism, and stewardship.

J first line of defence: strengthen your internal cultureCyber is about people. People are your protection and your weakness. Your people make you vulnerable—because you have not trained them, enthused them, or vetted them. Knowing your people is your best defence, as well as build-ing a culture where risks are spotted and reported—where

JJ Strengthen your internal security cultureJJ Make sure you and your team are fully preparedJJ Assure your stakeholders with competence,

authority, and transparencyJJ Show a confident response with discipline,

coordination, timing, and leadership

■ 72


behavioural abnormalities and discontent are noted and acted on. Building a security culture is about good management. Culture is not the responsibility of compliance or security, but of your leadership. A security culture is not built by accident, but through sustained communication and commitment.

JJ Have you defined your critical staff, those with access and the capability to do you harm? What about third-party staff with access to your systems?

JJ What vetting processes do you have in place? Are you able to spot 'bad apples' or 'unhappy apples'?

JJ Is data security still seen only as a compli-ance issue? How are compliance require-ments communicated? Do they change behaviours? How do you know? Do your people understand the why of security, as well as the what? Is data security hard-wired into the DNA of your company, its sense of professionalism, and the obliga-tions it has to your customers?

JJ Do your staff know where the dangers are and what to be suspicious of? Your attackers are working hard to find out about these people, to spot their vulnera-bilities, to build online relationships, and to employ deception to tease access codes out of them. Are you protecting them?

JJ Is IT security led from the top?

J second line of defence: be fully preparedPreparedness is an attitude of mind, rather than a crisis manual. A cyber crisis is best managed by a leadership that is confident and knowledgeable, and projects authority and discipline. A crisis management process can help shape that discipline and confidence.

Poor management of the public reaction to a cyber incident can easily turn an incident into a reputational crisis. The actual scale of the cyber incident or attack may be small, but the public reaction to it may be uninformed, criti-cal, and emotionally charged. Managing your response requires authority and discipline.

And whatever the scale, crisis com-munications requires agility, confidence,

leadership, quick decisions, and a clear un-derstanding of the core messages you wish to project. Building a robust regime of re-hearsal and review, at operational and ex-ecutive levels, is a vital step in building an authoritative and disciplined communica-tions response.

JJ Do you have a crisis team? Who is on it? Do you distinguish between an opera-tional crisis team and an executive man-agement team?

JJ Does your senior management team under-stand cyber? Do they understand the range of risks and systems that you own?

JJ Do you know what data you collect, buy, or hold? Do your customers understand your data practices? Do you know how your company’s data security practices match up to industry standards?

JJ Are you confident that you will be alerted in the event of a cyber incident? Who needs to be told?

JJ Is someone tasked with assessing the potential reputational impact of an inci-dent as it evolves?

JJ Do you have a communications toolkit—a set of messages around the company’s data privacy policies, a company factsheet, and draft communications to each stake-holder audience?

JJ Do you know who the spokespeople should be and what responsibilities they have? Have they been media trained for a crisis situation?

JJ Have you identified the range of your key stakeholders and their needs, and are you clear who is responsible for managing this range of relationships?

JJ Have you thought through your media strategy?

JJ Are you confident about your engage-ment with regulators and law enforcers, and know the chain of communication at the moment of a crisis?

JJ Are you comfortable about how you will respond to criticism online, and how you engage with a crisis that is likely to play out through social media?

73 ■

PrEsErVING your coMPANy's rEPuTATIoN AfTEr A cybEr brEAcH

The best way of ensuring preparedness is to test it, so that your leaders understand the scope of the challenges, and can endorse the company’s approach.

J Third line of defence: Assure your stakeholders

Increased scrutiny from the media and all stakeholders on the strength of a company’s data security stems from the increase in pub-lic attacks and increasing regulation. A com-pany seen to be competent, authoritative, and transparent will be better disposed in the eyes of the public and the regulator. Regulators are also seeking assurance that companies are prepared for breaches. Companies need to reassure all audiences that customer data is safeguarded and that this stewardship ex-tends beyond simple adherence to the law.

J fourth line of defence: A confident responseThe guiding principles for any crisis are the same:

JJ Discipline and coordination is critical. A crisis response needs to deliver a coor-dinated approach, with clear and disci-plined messaging.

JJ Timing is critical. The media operates continuously, and social media gives the public an imme-diate voice and platform. Decisions need to be made quickly, particularly around media communications.

JJ Leadership is critical. Managing public sentiment in crisis depends on projecting an authoritative and commanding narrative, and leading the story. Leadership, both externally and internally, is required to project authority and competence.

JJ Transparency is critical. Your reputation depends on being regarded as honest and forthright in your public responses.

Reacting to a cyber breach demands a clear process and responsibilities for action and decisions. A company needs to ask itself:

JJ Is the breach public? What judgements can be made on whether it will go public? Can you control the timing?

JJ Are you monitoring the media and digital discussion forums for public disclosure?

JJ Have you convened your crisis team?JJ Have you notified external counsel and

other advisors?JJ Is it clear how sensitive the data is that

has been breached?JJ Who else needs to be notified or warned?JJ What should you tell your people?

Once it is public, there is an essential checklist.

JJ Have you activated media monitoring? Do you know what is being reported?

JJ Are you clear who is leading the response?

JJ Are you keeping track of events and developing a clearer record of facts to adjust the public response?

JJ Have you communicated with employees and management around media protocols and lines to take?

JJ Do you have a social media response plan and one for ongoing customer service?

JJ Have you agreed lines-to take and statements for each audience?

JJ Have you confirmed disclosure requirements?

JJ Do your senior management know who they need to contact? Has the board been properly briefed?

Facing a cyber breach is a critical mo-ment for a chief executive. News of the breach could come from the IT team or ex-ternally, including social media, traditional media, the hacker, or a key customer. But it is unlikely that the company can be sure of many of the details—what has been lost, how much data has gone, who might have

■ 74


been responsible. The story could escalate quickly, with you being in the frontline of media questions. There is a temptation to lay the blame somewhere, which doesn’t always help. The chief executive will want to reas-sure customers, but may not have the facts that allow him or her to do this.

Social media can be used to indicate whether the public crisis is getting better or worse. But it can also be used to reach your customers directly, to provide reassurance and information. Be careful—anything the company does to engage on social media will increase the volume around the inci-dent. This may be what you want, but it may not be. You may not have a choice. If social media activity is only a spike, then company engagement might re-energise the debate.

The best approach is having a clear set of messages and a strong track record of data stewardship and security. You will need to be able to say immediate steps have been taken to manage the breach and ensure the most sensitive data is protected. Customer communication has to be at the heart of your approach.

J The aftermath: rebuilding your reputationWhile resolving these incidents is always a critical focus of management, shaping the future reputation and external engagement is also of central importance. Some crises are quickly forgotten. Others have a long-term impact on the company and the lead-ership. Once the headlines subside, it is al-ways tempting to believe that a company’s reputation has been restored. Understand-ing the impact on perceptions of your com-pany and leadership—among your custom-ers, your employees, your investors, and the media—is a critical tool in shaping your public engagement. A clear sense of how your reputation has changed allows you to respond. A crisis presents opportunities for change that can be difficult to achieve in other circumstances.

Understanding the impact on perceptions of your company and leadership—among your customers, your employees, your investors, and the media—is a critical tool in shaping your public engagement.

75 ■

coNTrIbuTor ProfILEs



77 ■


GcHQ

SIR IAIN LOBBAN Former Director

Sir Iain is one of the most respected and senior figures in the sphere of UK Government Communications. He joined GCHQ in 1983, progressing through a variety of roles before joining the board in 2001. He was responsible for mov-ing the operations of GCHQ into its present base at Benhall, Gloucestershire. He was Director of GCHQ from 2008 until 2014.

■ 78


Palo Alto Networks

GREG DAYVice President and Regional Chief Security Officer, Europe, Middle East and Africa

Greg Day is vice president and regional chief security officer, EMEA, at Palo Alto Networks. In this role he oversees Palo Alto Networks’ regional security operations and is responsible for regional cybersecurity strategy and the devel-opment of threat intelligence, security best practices, and thought leadership for Palo Alto Networks in EMEA.

With 25 years’ experience in the area of digital security, Greg has helped organisations, large and small and across the public and private sectors, to un-derstand risk posture and put in place strategies to manage it. He is widely acknowledged as an industry thought leader and experienced practitioner, ca-pable of translating technology challenges into actionable business solutions.

Greg began his career with Dr Solomon’s, later part of McAfee (now Intel Security) as a technical support analyst, and in a career that spanned 20 years he held a number of positions including information security consultant, global best practices team leader, security analyst, and director of security strategy. During this time, he led a range of initiatives to support customers, partners, and sales teams, authored a number of papers on topics across the security landscape, directed key cybersecurity initiatives, and provided guid-ance to governments and malware forensics training to law enforcement au-thorities. At Symantec he held the post of Security CTO for EMEA, managing a team of security strategists and driving Symantec’s regional cybersecurity strategy. Most recently, as VP and CTO EMEA at FireEye, he was responsible for technology strategy and thought leadership.

Greg currently sits on the UK National Crime Agency steering committee, the UK-CERT/CISP advisory team, and the VFORUM research community, having formerly held the position of vice chair of the tech UK cyber secu-rity group. He has been part of the Council of Europe Convention on Cyber-crime and has participated in a number of industry and advisory groups. He is widely acknowledged as an industry thought leader and is a familiar face at many cybersecurity events, as a regular on the speaker circuit, and has also been an active media spokesperson across much of the EMEA region.

Greg holds a BSc (Hons) in Business Information Systems from the Univer-sity of Portsmouth.

79 ■


Pwc

GREGORY ALBERTYN Senior Director

Gregory is part of PwC's Data Governance and Security practice, advising complex organisations on all aspects of global data security, privacy and gov-ernance. Prior to joining PwC, Greg served as Global Privacy Officer for a For-tune 500 biotechnology company, where he built a multi-functional privacy organisation, based on leading risk and compliance frameworks such as NIST and ISO programmes.

AVI BERLINERManager, Financial Services Technology Consulting

Avi Berliner is a Manager within PwC's Financial Services Technology Con-sulting practice, with a focus on architecture, information management and data privacy, and cybersecurity issues.

■ 80


Milbank, Tweed, Hadley & Mccloy LLP

JOEL HARRISONPartner

Joel Harrison is a Partner in the London office of Milbank, Tweed, Hadley & McCloy LLP. Joel advises clients on a wide range of data privacy and infor-mation security matters, including security incident preparation and breach response, development of global privacy strategies and compliance pro-grammes, international data transfers, and data privacy issues in outsourcing and cloud computing projects. He has also represented clients on a number of disputes and regulatory investigations in the data privacy and cybersecurity area. Joel is ranked as a leading individual in Chambers & Partners.

NATo communications and Information Agency

IAN WESTChief of Cyber Security

Ian West is the Chief of Cyber Security within the NATO Communications and Information Agency—the primary provider of ICT solutions and services for the Alliance. From 2004 until his current appointment in January 2014, he was the Director of the NATO Computer Incident Response Capability (NCIRC) Technical Centre. He was formerly a law enforcement and security officer in the Royal Air Force and later responsible for INFOSEC policy, inspections, and security accreditation for NATO’s Allied Command Operations.

In the SC Magazine awards for 2016, the NCI Agency cyber security team was awarded a Highly Commended in the Best Security Team of the Year cat-egory. Ian was named Chief Information Security Officer of the Year, the cyber security industry’s highest award.

81 ■


bT Group plc and Worldpay Group

SIR MICHAEL RAKEChairman

Sir Michael Rake is Chairman of BT Group plc and Chairman of Worldpay Group. He is a director of McGraw Hill Financial and Chairman of Majid Al Futtaim Holdings LLC. He was President of the CBI from 2013 to 2015; a mem-ber of the Prime Minister's Business Advisory Group from 2010-2015; non-ex-ecutive director of Barclays plc from 2008, becoming Deputy Chairman from 2012-2015; Chairman of the Guidelines Monitoring Committee from 2008 to 2013; Chairman of EasyJet plc from 2010-2013; and the first chairman of the UK Commission for Employment and Skills from 2007 to 2010.

Sir Michael was a member of the National Security Forum for 2009/2010. From 2002 to 2007 Sir Michael was International Chairman of KPMG. He joined KPMG in 1974 and worked in Europe before transferring to the Middle East to run the practice for three years in 1986. He transferred to London in 1989, became a member of the UK board in 1991, and was elected UK senior partner in 1998.

Knighted in 2007, Sir Michael received the British American Business UK Transatlantic Business award in 2011 in recognition of outstanding business leadership. In 2013 Sir Michael received the Channing Award for Corporate Citizenship and voted the FTSE 100 non-executive director of the year.

■ 82


uk Department for International Trade’s Defence and security organisation

CONRAD PRINCECyber Ambassador

Conrad Prince, formerly the deputy head of GCHQ, is the Cyber Ambassador in the Department for International Trade and the UK’s Defence and Security Organisation. He also works with the Department of Culture Media and Sport to help lead the UK Government’s cyber growth and innovation agenda.

Proofpoint

RYAN KALEMBERSVP Cybersecurity Strategy

Ryan Kalember is Senior Vice President with Proofpoint, the cybersecurity strategy group. As CPO at WatchDox, he built and ran the product and market-ing teams through to the company’s acquisition by BlackBerry. Previously, he ran solutions across HP’s portfolio of security products. Before its acquisition by HP, he was director of product marketing at ArcSight, and held a number of positions with VeriSign. He studied fault tolerance, cryptography, and authen-tication algorithms at Stanford University in California.

83 ■


bT

MARK HUGHESPresident, BT Security, BT Global Services

Mark is President of BT Security, BT Global Services. He was appointed in January 2013 and reports to the Global Services Chief Executive Officer. BT Security brings together expertise from several areas of BT. As its President, Mark is responsible for all of BT’s security activity around the world. Mark also leads on our security market offer, the BT Assure portfolio. When he joined BT in 2002, Mark managed various projects, including a partnership with the UK Government for the Criminal Records Bureau in Scotland. Before joining BT, Mark was commercial director of MWB Business Exchange.

Marks & spencer

LEE BARNEYHead of Information Security

Lee Barney is Head of Information Security with Marks & Spencer. He was former Head of Information Security at the Home Retail Group plc. He has worked for a number of leading UK retailers in cybersecurity and information management, including Alliance Boots and Tesco, energy companies such as Centrica, as a risk manager with Deloitte, and as a consultant with the London Stock Exchange. He is a former officer in the British Army, where he worked as a systems engineer.

■ 84


barclays

TROELS OERTINGGroup Chief Security Officer

Troels Oerting is Group Chief Security Officer at Barclays Bank, in London. He started in the Danish Police in 1980 and went through the ranks, serving as Director of the Danish NCIS, Director of National Crime Squad, and later as Director of the Danish Serious Organised Crime Agency (SOCA). He held positions as head of NCB Copenhagen, head of Europol National Unit group (HENU), member of DK Europol management board delegation, and head of DK Schengen / Sirene. Later he became director of operations in the Danish Security Intelligence Service and was promoted to Assistant Director in Europol in 2009. He has had various responsibilities in Europol’s Operational Depart-ment and serves as head of the European Cybercrime Centre (EC3).

ELENA KVOCHKOCIO, Group Security Function

Elena Kvochko is CIO for the Group Security Function at Barclays. Previously, she was Head of Global Information Security Strategy and Implementation at Barclays. Prior to that, she was Manager in Information Technology Industry at World Economic Forum and ICT Specialist at the World Bank headquarters in Washington, DC. Elena has co-authored industry books on cybersecurity and contributed to Forbes, The New York Times, Harvard Business Review, and other media outlets.

85 ■


Heidrick & struggles

CHRIS BRAYPartner

Chris joined Heidrick & Struggles in 2010 and is a Partner in London. He leads the firm's Software & Systems Practices for EMEA. Chris’s practice fo-cuses on recruiting leaders for leading NASDAQ-listed technology compa-nies, high-growth venture-backed and private companies in the technology sector, including enterprise software, cloud services, security, storage, embed-ded technology, and hardware companies. Chris specialises in CEOs, EMEA and UK regional presidents, sales directors, CTOs, heads of engineering, and CMOs. Chris holds a BA Hons degree from the University of Reading. He also leads the H&S Mobility Practice in EMEA and is a member of the firm’s Sales Officer Practice.

GAVIN COLMANPartner

Gavin Colman is a Partner in Heidrick & Struggles’ London office and is a member of the global Technology & Services Practice. With over ten years’ experience in executive search, Gavin works with companies across various sectors to fill their senior IT roles (e.g., CIO, CTO) and with technology com-panies to fill executive roles. Prior to joining Heidrick & Struggles, Gavin was a partner at a boutique executive search firm as the head of their technol-ogy and CIO division. He began his career at Accenture, working on systems integration, business process reengineering, programme management, and change management projects. He has an MA in economics and accountancy from Aberdeen University.

GILES ORRINGEPartner

Giles Orringe is a Partner in Heidrick & Struggles’ global Financial Services Practice. He is head of the Fin Tech Practice for EMEA. He joined Heidrick & Struggles after having served as a Partner and head of the global infrastructure practice at a boutique international executive search firm. He previously spent eight years at another leading executive search firm, where he was a Partner and head of the global technology practice. During this time, he moved to New York in 2005, where he set up and ran the office. He has a Business History de-gree from the University of Manchester. He is based in the London office.

■ 86


IbM security

ALAN JENKINS Associate Partner

Alan Jenkins is an Associate Partner with IBM Security in the UK. He has worked for the biggest system integrators. He runs his own consultancy and been a Chief Information Security Officer (CISO) for a number of different enti-ties. He was CISO at Babcock International, a FTSE 100 company, and worked at Cheltenham. He works in the financial services division of IBM. He was a squadron leader in the RAF, and worked in security for the UK MoD.

stroz friedberg

EDWARD M. STROZFounder and Executive Chairman

Edward M. Stroz is the founder and Executive Chairman of Stroz Friedberg, a global leader in investigations, intelligence, and risk management. Edward was a Special Agent with the FBI, where he formed the bureau’s computer crime squad in New York. Trained as a Certified Public Accountant, he has extensive experience in investigations of white-collar crime in the United States, includ-ing bank fraud and securities fraud, and has been an expert witness in numer-ous court cases. Edward is a trustee of Fordham University, his alma mater, and serves as an advisor to the Center on Law and Information Policy (CLIP) at Fordham Law School. Edward sits on the board of directors of the Crime Commission of New York City, and is a member of the Association of Former Intelligence Officers.

87 ■


Marsh Ltd

MARK WEILCEO, Marsh UK and Ireland

Mark Weil is Chief Executive Officer of Marsh’s UK and Ireland region. Before taking up this position in September 2012, he was Head of Financial Services for EMEA at management consultancy Oliver Wyman, also part of Marsh & McLennan Companies.

Mark, an engineering graduate from the University of Cambridge, has 20 years of worldwide consulting experience in financial services. In the UK, he was heavily involved in crisis response, including for issues such as bank ring-fencing, supervisory reform, and reviews of LIBOR.

At Oliver Wyman, Mark helped to establish and build the global Retail Banking Practice, with particular focus on distribution, performance manage-ment, and productivity, and also established their Public Policy Practice. He has been heavily involved in issues such as conduct risk, competition policy, deposit insurance, and cyber risk.

■ 88


brunswick

RICHARD MEREDITHPartner

Richard is a Partner with Brunswick in London and co-head of Brunswick’s Crisis Advisory Group. Drawing on his political experience, he has worked with a number of senior corporate clients on preparing them to manage crises better. He also leads the Brunswick private client and family business group, along with being a partner in Brunswick’s corporate data group, advising cli-ents on data and cyber issues. Before joining Brunswick in 2012, Richard was communications director for national security issues in the UK government. Richard’s career in the HM Diplomatic Service took him to many parts of the world. He lived and worked in Africa, Germany, the US, and the Middle East.

GEORGE LITTLEPartner

George is a Partner with Brunswick in the Washington, DC, office, specialis-ing in crisis communications, cybersecurity, and reputational and public affairs matters. Prior to joining Brunswick, George was head of marketing and com-munications at Booz Allen Hamilton, a leading provider of management con-sulting services. He served as assistant to the US Secretary of Defense for Public Affairs and Pentagon press secretary, and as Director of Public Affairs and Chief of Media Relations for the Central Intelligence Agency (CIA). George is on the board of advisers for the University of Chicago’s project on security and terror-ism, and on the board of advisers for the master’s of science in Foreign Service programme at Georgetown University.

T H E D E F I N I T I V E C Y B E R S E C U R I T Y G U I D E F O R D I R E C TO R S A N D O F F I C E R S

U N I T E D K I N G D O M

NAVIGATING THE DIGITAL AGE | UNITED KINGDOMSecurityR

oundtable.orgSecurityRoundtable.org

CONTRIBUTORS

• GregoryAlbertyn, Senior Director, PwC, Boston

• LeeBarney, Head of Information Security, Marks & Spencer, UK

• AviBerliner, Manager, PwC, New York

• ChrisBray, Partner, Heidrick & Struggles, London

• GavinColman, Partner, Heidrick & Struggles, London

• GregDay, Vice President and Regional Chief Security Officer, EMEA, Palo Alto Networks

• JoelHarrison, Partner, Milbank, Tweed, Hadley & McCloy LLP, London

• MarkHughes, President, BT Security, BT Global Services, London

• AlanJenkins, Associate Partner, IBM Security, UK

• RyanKalember, SVP, Cybersecurity Strategy, Proofpoint, Palo Alto, CA

• ElenaKvochko, CIO, Group Security Function, Barclays, London

• GeorgeLittle, Partner, Brunswick Group, Washington, DC

• SirIainLobban, Former Director of GCHQ, UK

• RichardMeredith, Partner, Brunswick Group, London

• TroelsOerting, Group Chief Security Officer, Barclays, London

• GilesOrringe, Partner, Heidrick & Struggles, London

• ConradPrince, Cyber Ambassador, UK Department for International Trade’s Defence and Security Organisation

• SirMichaelRake, Chairman, BT Group and Worldpay Group, London

• EdwardM.Stroz, Executive Chairman, Stroz Friedberg, New York

• MarkWeil, Chief Executive Officer, Marsh UK & Ireland

• IanWest, Chief of Cyber Security, NATO Communications and Information Agency, Brussels

Documents

THE DEFINITIVE CYBERSECURITY GUIDE FOR ......Indeed, the National Crime Agency reported in July of 2016 that cyber-enabled fraud and computer misuse sur-passed all other crime in the