I woke up the day before our recent New York City Roundtable event for CISOs, cyber risk professionals and enterprise risk leaders to some exciting headlines: “First Major Snowstorm of the Season Hits the City Tomorrow!”
Of course! It wouldn’t be a cyber and risk event without some last-minute drama!
Luckily, the snow turned out to be a ferocious 1 inch, and more than 30 risk leaders braved the cold to make it to the Marriott Marquis, a classic New York City landmark hotel in the center of Times Square. As the cold air blew, the just-right-sized group settled in for a 3-hour meeting with their peers on how to modernize, optimize and connect their risk strategies in today’s volatile world.
We heard speakers from AWS, Capco, Sumitomo Mitsui Bank, Thomson Reuters, of course MetricStream, and many more, in discussions ranging from best practices for integrating GRC programs to automating compliance in the cloud to how business continuity and resilience must come together. The day ended with networking and hors d’oeuvres and it was terrific to see how many people stayed to chat and interact.
I had the privilege of moderating and being able to chat with most attendees. What an honor! Here are just a few things I learned during the day (besides that “big snow” also means “bring an umbrella”).
One of the most active panels was on cyber and enterprise resilience. Two panelists were from Jefferies Group, an investment bank, one a CISO and one on the business side of IT. They had a terrific back and forth on why it’s so important for the business and IT to stay interlocked on resilience and recovery, and it produced many quotable thoughts.
We also discussed the criticality of resilience in today’s post-modern economy – hyper digital, always on, always unexpected.
“I don’t like the term ‘new normal,’” one of the panelists said. “It’s not the new normal. Business unusual is now the usual.”
I was struck by that sentiment. Today, the unusual really has become standard. At this meeting, Silicon Valley Bank hadn’t yet failed, Credit Suisse hadn’t been taken over, and who knows what will have happened by the time this is published. But in any case, the nugget of wisdom was the same: Anything can happen at any time. We must all collaborate and be prepared.
Static business continuity plans were yesterday’s normal. Of course, business continuity plans are still the foundation for business unusual, but agility and resilience – business and tech working closely together – connected risk: Those are today’s watchwords. Simple but brilliant!
Another key theme that came up was the idea of inevitability of cyber attacks and incidents.
More than 422 million individuals were affected by data breaches in 2022, according to Statista. The average data breach costs $4.4M, the highest in 17 years, according to the Ponemon Institute. ChatGPT, Chick-Fil-A, Google, and T-Mobile are among the high-profile brands that have experienced breaches so far in 2023, and that’s not even looking at items like ransomware.
“It’s not if, it’s when it happens,” said a panelist, and I saw lots of nodding heads. The mindset of cyber risk management has moved from complete prevention (although of course that remains the goal) to anticipatory preparation and resilience, especially when it comes to emerging risks.
One example is generative AI. While innovations like ChatGPT have captured the collective imagination with their uncanny ability to seemingly “know” almost everything, they also pose great cyber risks.
ChatGPT can create credible phishing emails to accelerate spoofing, already a top cause of cyber crime. So-called “deep fakes,” images created by AI, could create convincing news stories (although AI reportedly still can’t duplicate hands and fingers well – it’s been focused on faces). Policies and contracts can be spoofed. The list goes on…
The obvious point is that whatever technologies are developed to protect against risk are also available to, and are being used by, hackers and threat actors.
“It’s not if, it’s when” does not mean bowing to the inevitable. It’s being prepared and resilient, and always a step ahead to recover and bounce back.
In fact, the theme of resilience was a clear overlay to the day – and attendees and panelists were not talking about operational resilience products. They were discussing resilience as a mindset. As the Japanese proverb says, “fall down seven times, get up eight.” In today’s times, resilience is our only option.
In addition to resilience and cyber risk, modern compliance – and particularly, automation – was a major topic of discussion.
Our expert from AWS talked about compliance in the cloud and what it requires to be secure – implementing processes that are automated, continuous, and aligned across the business and IT. (Sounds familiar to the themes above!) Testing samples for compliance or manually testing at sporadic intervals can’t protect you when risk changes so fast.
In particular, the idea of continuous monitoring is essential when we face more than 200 regulatory changes a day, according to our outstanding speaker from Thomson Reuters, Todd Ehret.
One regulatory change of special interest in cyber risk is the proposed set of updates to the SEC cybersecurity rules. They will amplify the need for strong, solid cyber risk management, including the disclosure of cybersecurity governance capabilities, the periodic review and updating of cyber risk management programs, and the evaluation of the organization’s current cybersecurity reporting structure.
Speaking of the cloud, several audience members had excellent observations – namely, that just because most of us are moving to the cloud doesn’t mean the cloud guarantees security or resilience. Of course, it’s better than tons of outdated legacy systems.
But the cloud is still a server at heart and its digital nature opens up new attack surfaces. Even with the rigorous security standards offered by commercial cloud providers, there’s no resting. Constant monitoring, control testing, and vigilance are more essential than ever.
We dive deeper into this topic in our new eBook on securing the cloud.
Finally, in addition to the key advice to be vigilant, monitor and stay resilient – all perhaps obvious but so critically important – another theme rose above the rest: We must stay connected across the business and even the industry to defend against cyber risk. Topics like new technologies, exotic breaches, and future trends capture the imagination, but the basic block and tackle of connect, collaborate, and communicate somehow manage to surface in every discussion of tackling risk and staying resilient.
To throw in another saying, this time an African proverb: “Alone we go fast. Together we go far” – managing cyber risk obviously takes speed and agility, but resilience is a long game.
Thank you for bearing with my sayings and clichés, and most of all thank you to all the terrific speakers and attendees. We look forward to our next roundtable, and as always, if we can help you manage your cyber risk or any governance, risk, and compliance needs, please reach out to us at info@metricstream.com. You could also request a personalized demo.
Register for our upcoming webinar: Cyber Regulations Review: Managing Cyber Risk with the Proposed Cyber SEC Rules and Biden Executive Cyber Orders
For over a decade the MetricStream’s GRC Summit has brought together thousands of GRC professionals from various industries, providing opportunities to learn, connect, and succeed. Registrations are open for the 2023 GRC Summit to be held on June 14 and 15 at the Hyatt Regency in Miami, US. Register now!