Michael Castro serves across Canada and the United States as a cybersecurity expert at both the Board and operational levels (see his bio). Michael met with Karen Fryday-Field, CEO, GOVERN for IMPACT, on November 27, 2019 for a brief interview on the Board's role and interest in cybersecurity risk.
Michael is an expert on cybersecurity and the connection between cybersecurity and Board governance of risk. I have asked him to share some of this knowledge and insight today. Thank you Michael for making time for GOVERN for IMPACT. I’m so pleased to welcome you to our hot interview seat today.
Michael could you just share with us a little about your background in cybersecurity?
Absolutely, and good morning Karen. I am part of RiskAware, which you mentioned is a cybersecurity boutique firm in the Toronto area. We specialize in helping Boards through advisory services and cyber awareness, as well as small and medium businesses throughout their cyber journey, to build out a cyber resilient platform. I have 20-plus years of cybersecurity experience heading up cyber for organizations such as Loblaw, Suncor Energy, and a few financial and retail organizations throughout my years.
Please share with our readers the major risks facing organizations with regard to cybersecurity. What do we actually face?
So organizations, whether they are large or small, really all face very similar threats, and when we look at the impact of cybersecurity on an organization you can really break it down into 3 big buckets.
1. What is the financial impact and the financial risk?
There is no doubt that any cyber attack or breach that can fall on an organization will have some financial impact. If you look at the actual numbers over the last couple of years, we are seeing that an actual cyber attack costs an organization well over $4M per attack. Those kinds of costs of course involve recuperation, legal fees, and penalties all put together. Overall, organizations globally are spending well over $90 billion on cyber protection.
The impact to an individual organization is quite large. We look at direct losses through theft, through extortion, and through business interruption due to cyber disruption, and really all of those can amount to a lot of dollars and a lot of hardship for organizations, depending on the size of the company. This challenge affects large and small organizations.
2. The other thing that we look at is regulatory impact.
Regulatory impact can be a big piece too. The change in Canada especially, and in other countries, around privacy requirements (GDPR, and PCI for retailers, as examples) is significant. All of those can have an impact, whether the challenge is fines, the capability to deal with regulators, or everything surrounding the impact that regulators can have on organizations and the way they operate.
3. The last bucket is reputational impact.
Really, reputational impact has to do with how a cyber breach is going to affect the organization in what it does and its customers. Such a breach could have large impacts on shareholder value. If it is a publicly traded company, the negative impact on the value of their stock is key. Really, customer trust, and how the customer is able to continue to do business with an organization that has had a cyber breach, is critical.
Thanks Michael for sharing with us those 3 big buckets of risk that are connected to cyber risk and the significant challenge that organizations have when they face some kind of cyber attack.
I’d like to take this conversation up now to the Board level. What do you believe are some of the major issues that Boards of Directors need to address with regard to the subject of cyber risk? Where does the Board fit into this?
Traditionally, Boards have had a very small piece when it comes to cybersecurity. Even now, I believe that less than 10% of Boards today really have an active role in the cybersecurity or cyber risk profile of their organizations. Boards have to realize that there is risk involved with cyber and that they need to be able to put that into a platform, just as they do for the other risks that they deal with in their organizations.
Environmental risk, competitors, regulatory risks – all the areas of risk that Boards govern. Cyber is starting to creep up and find its way into the top 3 risks that Boards need to address. For some organizations, it really has become number 2 for them.
So why do Boards need to be involved with cyber risk? We look to some very large organizations that have suffered very large breaches that really then end up in front of the Board. We look at Equifax, the largest a couple of years ago, and the impact on them. Marriott hotels and the impact on their acquisition of the Starwood Group. And even years ago, when Target had their very large consumer breach with credit cards. In all of these, we really shift from an operational model to Board accountability and the need for governance policy decisions and monitoring.
So how do Boards handle this challenge? Really, what is it they need to do? First off, Boards really have to understand where cyber sits within their organization, understand that cyber needs to be a part of their organization, and recognize that substantial risk is involved. The Board needs to determine its risk appetite for dealing with the potential of cyber threats. And of course, if there happens to be, or ends up being, something like a breach – what is their role in dealing with a reactive situation?
The Board needs to look to its own responsibility. Did it have in place appropriate policy to govern and hence mitigate the risk?
Once the Board has a governance of risk cybersecurity policy in place, how can the Board know or monitor that the organization is actually managing the risk around cybersecurity? What kinds of things do you think the Board needs to know about or be advised about in Monitoring Reports from the CEO that would give the Board confidence that its policy on cybersecurity is in fact being complied with?
Excellent question. So again, Boards were traditionally often inundated with security reports that would come from the CIO or the CEO, and these laid out a lot of measurements, metrics and technical measurements that were put to the Board to try to explain what cybersecurity was all about. Really, those statistics aren't effective in helping a Board Member understand risk, understand what they need to know, and therefore what they need to decide upon. Over the last couple of years some new key performance indicators or key risk indicators (KPIs/KRIs) have come along. These build out some more measurements, or more qualitative or quantifiable pieces, to help paint that picture, one that provides the bigger-picture evidence.
I am often asked a very simple question: "Are we at risk?" Really, that is far too qualitative and subjective a type of question. It really is not a question that can help the Board. Instead, the questions and information should really be around compliance, and how an organization is being compliant with their cybersecurity policies and their governance measurements.
So when we look at compliance we really want to look at:
- Is the organization holding true to their cybersecurity policy direction from the Board?
- Is there a road map for what the organization wants to do in the security space, and does the CEO have a plan to move forward to be able to keep up with the ongoing threats and the ever-changing threats that might happen to an organization?
- Is the CEO demonstrating compliance in the ability of the people within the organization not to get stale, not to be blind or lack awareness, and to make sure that systems are being held to their most secure position?
When we look at the operational value, instead of showing the statistics on how many systems might be patched within an organization or how many attacks happened, it really becomes more useful for the Board to learn about the impact of those operational breaches.
So for instance,
- What is the true threat environment for the organization?
- Is the Board clear about the risk boundaries it places on the CEO?
- Do they have unique applications that pose a threat or increased risk to the organization, by having a web application or a mobile application, for instance, or e-commerce, or other areas that generate more risk or attract more attention to them than other traditional models might?
- The Board should look at whether there are independent reviews being done on the threat model. That is, do third parties come in and test the security measures that the organization is using internally, to make sure they are actually achieving the cybersecurity goals and that they are as secure as they are saying they should be (external monitoring)?
- And finally, Boards need to be provided with true quantifiable measurements against their policy. One example is "the time to live" – when they talk about breaches, it's about the length of time that a threat is within an organization and how long it has taken for the threat to be found within an organization. For instance, a virus or malware can enter an organization and it could be months before the organization finds it.
- Another example is the "time to react" – that is, if a virus is found, if malware happens, if there has been an exfiltration of data from the organization, for instance – how long did it take for the company to react? What was their reaction position, and how quickly were they able to mitigate or deal with the threat that was found, and then remove it from the organization?
These are the type of measurements I think Boards need to hear.
You are speaking to the fact that Boards need to understand a little bit more about the nature of the risk in order to be able to effectively articulate what kind of risk boundary or executive boundary they want to create around the whole cyber space within their organization. I hear in what you are saying that there is an element of education for Boards – not the details of operations, but the nature of the kind of risk – so that they can then be articulate enough or specific enough in their policy that the true risks can be governed. It is also then important to have metrics that speak to those elements of risk.
As we close, if you could give Boards one piece of advice, what would that be about cybersecurity?
Absolutely. I think it's very important for Boards to realize that data is the new gold when it comes to what is valuable within an organization. All organizations, big or small, whether their primary product is data or not – every organization has data, and that data has value to someone to infiltrate or steal.
Either it's the loss of that data that can impact your organization, or it's the loss of access to that data that really can put an organization at risk. And because of that, Boards really need to get more involved. Today, less than 10% of Boards/Directors of organizations are truly speaking to cybersecurity. Many truly believe that it is just an operational piece, but really it isn't, and more attention really needs to be paid by Boards.
Thank you Michael!
We look forward to working with you at the GOVERN for IMPACT Advanced Practice Webinar on March 10, 2020 from 11:00 a.m. to 2:00 p.m. EST.