Martijn Verbree examines the state of organisational cybersecurity and poses the question: why do we do cyber?
How much risk is your company willing to take with its investments? Martijn Verbree, Partner – Technology Risk & Cyber Security at KPMG, believes cyber is one of the biggest operational risks for any organisation. So what’s your risk appetite?
What are your thoughts on the cyber industry as it currently stands?
It’s one of those things I keep asking myself. Cyber has grown so much as an industry and also we’ve seen all the different cyber threats evolve massively compared to what they were 10 years ago. All the stuff that was part of the movies is now happening left, right and centre.
When I come home, usually I ask myself: “Crikey, what’s going on here and what are we trying to solve?” Increasingly, I get the same questions from my clients, whether they are executives or board members. They keep asking me, “Can this stuff happen to us?” and “When will we be done with cyber?”
It puts things into perspective for me because there’s no easy answer. There’s a lot of detail required and it’s such a fast-moving environment. It’s one of the reasons why I’m quite passionate about this topic.
In terms of putting together cyber strategies, do you think we’re losing sight of what we’re trying to achieve?
Yes, 100%. It’s quite interesting because we’ve made huge strides in this space compared to where we were 10 years ago. But at the same time, we are getting very stuck in some of the details. The details are super-important, of course, because that’s usually how bad things happen – a lack of focus on the details. But that end-to-end view on “Why are we doing this thing again?” is just so important to ask ourselves and challenge ourselves on.
As an industry, we’ve evolved with identity and access management. The space that Daltrey is operating in was newish as a concept 10 years ago, but now we’ve got all these businesses doing authentication, access governance and more. We call it all cyber, one way or the other, and we’re trying to present ourselves as the ultimate solution for cybersecurity.
I’ve been in this space for over 20 years and I sometimes get confused about what tools or controls or threats are hitting us. So I can only imagine what the executives and their boards actually understand – or how much they need to understand.
We need to take a step back and not just deploy cyber tools for cyber’s sake. We need to really put it in the context of what the risk is, what the controls are and what tools and processes people need to implement. That’s always been my pattern. We need to challenge ourselves more on that. I’m not saying we’re doing the wrong things, but I think we’re getting overwhelmed with the number of actions we need to take and we need to stop the prioritisation of that.
The question you posed before from one of your clients: “When will we be done with cyber?” How do organisations answer that?
It varies, but most companies work off some kind of maturity or compliance scale. They pick their favourite InfoSec standard – whether it’s NIST or ISO 27001 or something else – and they start measuring how well they do against those standards, possibly getting some kind of maturity rating to help the executives understand.
Very few companies are making it part of their enterprise risk management framework. There are some organisations I’ve been working with myself, and they would have cybersecurity in this beautiful risk diagram for cyber incidents: ‘impact’ on one axis, ‘likelihood of an attack’ on the other. They’re investing millions of dollars to bring down the risks, but the risks never move. They stay up there in the top right. Then, of course, executives start to ask the question, “When are we done with this? Is it always going to stay up there?”
So the trick is to explore those cyber risks. There might be anywhere from four to 10 risks that actually sit in different places on that matrix. So what do we need to do in terms of controls – as in people, processes and tools – to bring down those risks one by one? And where do we draw the line? At some point, you’re going to stop managing it further down, especially if it’s costing you more than it actually will deliver in results.
At the end of the day, we probably have four cybersecurity sub-risks. One is the loss of a critical service that you provide as a company, which is super relevant if you are a bank or a utility provider. The second is the loss of your enterprise IT network. That basically means you can’t do email, invoicing or HR. The third one is loss of data, so you might lose a whole bunch of data that you care about, whether it’s personal data or intellectual property. But what is the data you want to protect and how do you want to do it? The fourth and final one is loss of funds – so people steal money and run off with it.
Most cyber risks can be aggregated into those four levels, depending on whether it’s a nation state, a group of hacktivists, an insider threat or just a criminal cyber gang that’s after it. That’s the discussion we need to have.
By splitting out cyber into more concrete risks, you can then decide what to do to prevent, detect, respond or recover from those risks when they materialise.
What advice would you give organisations who are looking to better manage their cyber and their risks?
It comes down to principles. What are we trying to protect here? What is the real risk to the company? What is our risk appetite? How much do we want to spend and how much are we okay to live with? If the answer is that we are okay to be without all of our IT for a month, that would be a good guide for your CISO team or your security team to start working on a plan that meets that objective.
The most uncomfortable discussion to have is that most boards will say they’re not okay with things being out for a month. But they’re also not okay with spending a billion dollars on cybersecurity. So it’s having that uncomfortable discussion and then planning out a roadmap that will put the most important things in place needed to meet every appetite. That will protect you from the risks you’re most worried about.
It’s not a one-off exercise as a CISO – you have to continuously have that debate based on what’s happening. The world we live in right now is very different from what it was a month ago. So what impact does everything we are seeing in the news right now have on your cybersecurity toolset, your strategy and your risk appetite?
Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.