Too Much Focus On Revenue, Not Enough On Risk: Is There A Dangerous Parallel Between The Credit Crunch And Cyber Threat?

The last crisis may have been financial, the current one may be health related, but the chances are that the next one will be a cyber crisis. And, warns Cybersecurity expert Bill Mew, we all need to be prepared for this.

Posted 23 March 2020 by Gary Flood

Bill Mew is the Founder and CEO of a cyber era crisis management firm, The Crisis Team, set up to help brands mitigate against, prepare for and, if necessary, deal with the impact of cyber incidents. (He has posted a very good introductory video explaining some of the ideas behind The Crisis Team on his Twitter account, @BillMew.)

One of the world’s top campaigners for digital ethics, a former global leader for IBM’s Financial Services Sector and a strategist for UKCloud, Mew has extensive expertise ranging from fintech to public sector IT. He has been profiled as one of the top global influencers on Privacy by Onalytica, and listed by NodeXL (part of the Social Media Research Foundation) as one of the top 10 global govtech influencers, the only one in that top 10 from the UK.

Think Digital Partners recently sat down with Bill to find out more about his concerns about where we are with Cybersecurity right now.

Bill, hi, and thanks for talking to us. Why are you so convinced there are disturbing parallels between the Global Financial Crisis of 2008-9 and the current Cyber threat?

Cyber risk has overtaken financial risk as the greatest threat that we all face (see PwC’s Global Crisis Survey 2019). And just like back in 2008 and 2009, the worst effects of the crisis could have been mitigated, had we acted in time. This is true of Cybersecurity risk today. We need to act now to address the risks, before it’s too late.

One big risk is what I call CISO-lation: the isolation of the Chief Information Security Officer, or CISO. Specifically, one of the root causes of the financial crisis was the fact that most bank executives were focused entirely on profit and revenue, and not risk. Sure, the banks had risk managers, and some even served on the board of directors; but while these risk managers focused on Return on Risk (ROR), all the other board members focused on Return on Investment (ROI). The risk managers were outnumbered, and isolated. Their caution was seen as getting in the way of the bank’s ability to make money.

When everyone in the room is focused on ROI measures like profit and revenue and not on risk, it’s like looking at a television feed where only two of the three colours are working. You can kind of see what’s going on, but you’re not getting the whole picture. And if the only person looking at the third colour is the risk manager, and he sees something that the others can’t, but you then don’t listen to him when he seeks to raise the alarm… you’re heading for calamity.

Today, unfortunately, this exact scenario is playing out in boardrooms everywhere. Executive teams are focused on profit and revenue, while the CISO is facing CISO-lation, as he alone looks at ROR and cyber risk.

That’s pretty scary, ok. What else do you think we’re not seeing right now?

Another problem is that the tools we have for measuring cyber risk are flawed. During the financial crisis, banks had different ways of measuring risk; companies like Equifax provided credit-risk scores for consumers, while the big ratings agencies looked at the risk profiles of larger, more complex organisations – and also the complex derivative products that they bought and sold.

Similarly, today firms have emerged to provide cyber security risk ratings. To do that, they use tools aimed at a mass market – for example, web crawlers that check externally facing end-points for known vulnerabilities. This is a fairly crude method, but it’s probably still the best way to address the mass market at low cost. The problem is, it’s a bit like evaluating fire-safety risk by looking at a photograph of a building taken from across the street. You can get an idea of the building’s shape and size, but you can’t tell if there’s flammable material inside, or if the building is equipped with fire alarms, or sprinkler systems.

A snapshot of that kind is better than nothing, but it still provides only a basic, limited idea of the real risk. At the opposite end of the market, where budget is less of an issue, larger organisations hire specialist firms to audit their cyber risk.

But the organisations pay the auditors for their ratings. That creates the same conflict of interest problem we saw in the financial crisis, where supposedly independent agencies gave Triple-A credit ratings to securities that were actually junk. And I think this is a really worrying trend.

Finally, there’s contagion. Few people foresaw that either sub-prime home-loan mortgages in the U.S. or a viral outbreak in a little-known city in China would each spark chains of events that would result in global calamity, yet that’s exactly what happened with both.

If anything, the risk and impact of a cyber attack on critical infrastructure like our power networks, or of a malware attack on our vital services, as we saw with WannaCry and the NHS, are risks that are hiding in plain sight. And we have never been so vulnerable to contagion with computer viruses and malware, as we have never been so reliant on technology or so interconnected. What’s more, governments are not likely to step in and bail out victims of cybercrime as they did for banks in 2009. That’s why we need to increase our overall level of cyber-crisis preparedness.

Right, you’ve convinced me. What do we need to do?

First, we need executive teams to understand the risk, and to appreciate – rather than ignore – the value of the Chief Information Security Officer. Continued focus on revenue and profit at the board level alone will lead to disaster (again).

Second, we need increased adoption of cyber insurance cover, with policies that are appropriate for each organisation and its risk position. In particular, the focus should be on insuring against REAL risk – not the kind of scaremongering or manufactured risks that have been made up as part of a regional trade war as we have seen with Huawei. On top of this, if your cyber insurance policy does not specifically provide specialist incident response cover, then you need to seriously consider getting this as well.

What we tend to find is that those organisations that have incident response cover tend to call in the experts straight away, while those without it often attempt a DIY fix before calling for help. By the time they do call for help, though, it’s often a little too late (the impact and exposure have magnified significantly) and they call in the wrong people (not having time to accurately select the right experts).

Third, companies need to pay more attention to cyber-crisis preparedness. Unfortunately, conventional PR tactics don’t work in a crisis scenario. Normally you’d seek to contain any issue until it becomes public and then, once it does, you’d switch to showing empathy for your customers in order to gain sympathy from the press and general public for both you and the clients.

All that tends to work well, but a cyber incident is different:

  • You’re likely to be on the back foot: a cyber incident could well be public before you even become aware of it yourselves.
  • Cyber incidents aren’t instantaneous: the average breach occurs long before it is detected.
  • Containment is also just not possible any more, due to GDPR disclosure obligations.
  • And unfortunately, cybercrime is about the only crime where the victim gets the blame. However much you spent on Cybersecurity, the press and public will blame you and not the hackers. You need to be prepared to face the regulators, a hostile press and inevitable hysteria and misinformation. This means that showing empathy won’t gain you any sympathy; it’ll simply put your executives in the firing line.

Scenario planning and realistic simulation exercises are essential for preparedness, and indeed testing and assessment are mandated under GDPR. So if companies don’t do it, and they then have an incident – the regulatory action will be far harsher. Plus, for companies of any size, it’s probably not a matter of *if* they’ll get hit, but when. And since the average breach takes more than six months to detect, it may well already have happened.

If ever there was a time to make a case to the board for the need for crisis preparedness, it is now, with the current COVID-19 lockdown. The last crisis may have been financial, the current one may be health related, but the chances are that the next one will be a cyber crisis. We all need to be prepared for this.

As fears mount about the contagion related to the virus, we should not forget the causes, spread and impact of the financial crisis – nor should we be ignoring the parallels with the current cyber threat. We need to act now, before we have yet another global crisis on our hands.

Makes a lot of sense. Thanks for talking to us today, Bill.