Securing cyber resilience, SWAT commander-style

It’s just another Monday. Rob has been in his new position as chief information officer for barely a month and is still getting used to the morning lift traffic. Wendy, VP of marketing, turns to him in the lift and comments on a strange email, apparently from IT, which asks employees to click on a link and reset their passwords. Rob is puzzled but does not think too much of it.

As Rob walks down the corridor, he notices a flurry of activity almost escalating into a panic. By the time he gets to his office, he has an overwhelming feeling that something is not right. Waiting in his room is his head of security, with a grim look on his face and a message Rob has been dreading. The company has fallen victim to a wide-scale spear-phishing attack. Administrator passwords to almost every key system have been compromised, and databases have been locked down or encrypted by the attackers. Business has come to a grinding halt.

This scenario is the worst nightmare of every CIO, and indeed every senior executive and board director. In this day and age, such a cyber risk incident is not unthinkable, and numerous recent events are testament to this. Cyber resilience must be the top priority of every company. This means:

• Business resilience: having robust preventative, detective and response plans to handle cyber risks
• Reputational resilience: being well prepared to recover stakeholder confidence
• Financial resilience: access to adequate financial capacity to respond to cyber incidents

Securing cyber resilience requires a multi-disciplinary team effort with the grit and know-how to tackle unconventional business threats.

While the individual roles of departments may be clear, there is a tendency for ‘silos’, resulting in duplicated efforts in some areas, gaps in others, and altogether a failure to address the risk holistically.

Most risk managers traditionally take a somewhat perfunctory approach to cyber risks, more often than not limiting their contribution to a mere mention in the organisation’s risk matrix or featuring some obscure metrics in a risk dashboard.

Instead, risk managers should be playing the strategically critical role of a ‘SWAT commander’ – a key person responsible for co-ordinating assets in responding to a hostile situation, and accountable for the success of the mission at hand.

A risk manager should be a:

STRATEGIST

The Strategist understands the business and its intricacies, scans the environment, evaluates responses and charts out a roadmap to pave the way for a more cyber-resilient organisation. They recognise the expertise and responsibilities of individual functions, yet never fail to orchestrate a coherent response to cyber threats. When it comes to cyber risks, they are informed of the past, aware of the current and look into the future.

WINGMAN

The Wingman is a dependable aide to the board and senior management. More than that, they have their back, and are trusted with the professional courage to provide an objective assessment of the organisation’s cyber resilience.

They create the ecosystem for cyber resilience by organising internal and external expertise. The Wingman is a key point of contact with regulators and law enforcement agencies, and actively maintains mutually beneficial relationships with the authorities.

ADVOCATE

The Advocate is a change agent. They are a fervent believer that cyber resilience comes from shifts in the mindset and behaviour of leaders and the workforce at large. The Advocate understands the cultural barriers and levers and cleverly uses these to drive change, embed accountability and instil discipline.

TECHNICIAN

The Technician understands the risk appetite of the organisation, and is astute at designing and procuring risk transfer solutions to mitigate financial exposures. They are a trusted adviser on process and technology to prevent, detect and respond to cyber threats. They are also a professional sceptic who develops and implements plans to test the robustness of cyber-risk mitigation plans.