Andrew Vesay on the evolving cyber security landscape.

Cyber Risk

Andrew Vesay, one of Iceberg’s leading Management Consultants, has been interfacing with CISOs across a broad spectrum of industries for years, so we asked him what he’s been hearing from companies about their risk and security programs.

Q: When you’re talking to CISOs, what are they telling you they’re most challenged with?

A: One is cyber security. Boards across the globe are worried about cyber security and that boils down to: what is my control environment, and what do my exposures look like. It starts to get into the weeds that oftentimes boards aren’t really prepared to digest. Our governance programs and our security programs are supposed to be summarizing it and simplifying it: Am I secure or am I not? Am I good enough or am I not? That’s really what they’re worried about and trying to put their arms around.

Cyber security isn’t the traditional risk where I can say: I can have a 10% tolerance; there’s an acceptable level of loss. When one incident can displace a CEO, that’s a pretty scary thing for executive committees and boards. How do we figure out how to treat it in the right way? How do we manage it in the right way so we don’t unseat executives and boards?

Q: It’s clearly a priority for every organization. Why do companies struggle to get to where they need to be?

A: Because it’s a complex web of inter-related things. When we talk about credit risk, there’s a long history of what rates are doing and where they are going, and they can be trended over time. Some of the biggest cyber security breaches were a vulnerability sitting out there on a server, or even a partner’s system, that then allowed an attacker to get inside the walls and start running around. It’s so big and complex.

For big organizations that have thousands and thousands of servers sitting out there, who knows what’s there? Many have grown by acquisition so they don’t even know what’s out there, or org changes have shuffled things around. It’s a massive challenge for someone sitting in a board seat who doesn’t really know how technology works to say “I need this for cyber security”.

So it’s an evolving business that many companies are still trying to figure out. The approach that we have to continue to follow and advocate is to understand what’s important, understand what data we have around what’s important, understand what data we’re missing around what’s important, and then how do we invest in the right places.

Q: We talk a lot about GRC as being a “translation layer” between IT or technology and the business. How would you describe it?

A: It’s where GRC terminology is evolving into Integrated Risk Management. It’s because it’s getting beyond just how do I govern my technology environment to how do all these technical threats affect how a business operates. Besides cyber security, consider audit findings and penalties with things like GDPR or other regulations. They all affect how a business operates.

Businesses now need to be able to figure out, of the thousand things they have out there, which one of these is going to impact my ability to operate. So it’s very much evolving as a very necessary part of business to have that translation layer between tech, business, and ops. They all have to start to work together.

Q: Any thoughts on where the industry might evolve in the next few years? Where do customers want GRC or IRM to go?

A: I think cyber security in many ways is dragging the industry forwards in terms of maturity. To be good in governance requires a certain level of organizational maturity: Where are your assets? Who owns them? Who’s responsible for maintaining them? Those are all things that are core to managing your shop.

Before cyber security became a real business threat, we could be behind on patches, we could get by without really knowing where all of our assets were. Now, we have to know, we have to be able to respond to an incident very quickly. It’s forcing the organization to say “I need a tool that can help me intake from all of my asset repositories, understand where all of my threats are, understand my risks, understand what I’m doing to control those risks and manage them”, and have that translation layer to the business to say “here’s where we need to invest”.

Q: A lot of organizations may want to reach a higher maturity level, but if you look at any of the industry surveys the data shows they’re struggling to get there. What do companies who have success do differently?

A: The first thing is a strong champion who appreciates not only the value of a governance program to managing things down at the working level, but also how it helps executives make good decisions. That champion is critical to the success of the program.

It also means executives who will listen to what that champion has to say. Because they don’t want to be the executive that’s getting walked out because of an unpatched server or a flaw we didn’t know about. The days of “we didn’t know” are gone. You have to know your environment. You have to have someone who understands the business impact of what good governance means.

This can be business-changing: when you really understand where the right places are to apply funds and energy to reducing risk, it’s ground-breaking for businesses.

Q: What is it about Iceberg that makes them well suited to help with Cyber projects?

A: I think there’s a big hole in the industry where people know they need a better cyber program, they know they need data, the view, the application and the processes, but how do you put it all together? And that’s the hard part, and that’s where Iceberg has proven itself to be really good. Even for me as a former Iceberg customer, Iceberg did it for me, and it was a big part of my success.

You can reach Andrew at
