By Gordon Song, group risk and internal audit head, Lazada Group
It’s just another Monday. Rob has been in his new position as chief information officer for barely a month and is still getting used to the morning lift traffic. Wendy, VP of marketing, turns to him in the lift and comments on a strange email, apparently from IT, which asks employees to click on a link and reset their passwords. Rob is puzzled but does not think too much of it.
As Rob walks down the corridor, he notices a flurry of activity almost escalating into a panic. By the time he gets to his office, he has an overwhelming feeling that something is not right. Waiting in his room is his head of security, with a grim look on his face and a message Rob has been dreading. The company has fallen victim to a wide-scale spear-phishing attack. Administrator passwords to almost every key system have been compromised, and databases have been locked down or encrypted by the attackers. Business has come to a grinding halt.
This scenario is the worst nightmare of every CIO, and indeed every senior executive and board director. In this day and age, such a cyber risk incident is not unthinkable, and numerous recent events are testament to this. Cyber resilience must be the top priority of every company. This means:
- Business resilience: having robust preventative, detective and response plans to handle cyber risks
- Reputational resilience: being well prepared to recover stakeholder confidence
- Financial resilience: access to adequate financial capacity to respond to cyber incidents
Securing cyber resilience requires a multi-disciplinary team effort with the grit and know-how to tackle unconventional business threats.
While the individual roles of departments may be clear, there is a tendency for ‘silos’, resulting in duplicated efforts in some areas, gaps in others, and altogether a failure to address the risk holistically.
Most risk managers traditionally take a somewhat perfunctory approach to cyber risks, more often than not limiting their contribution to a mere mention in the organisation’s risk matrix or featuring some obscure metrics in a risk dashboard.
Instead, risk managers should be playing the strategically critical role of a ‘SWAT commander’ – a key person responsible for co-ordinating assets in responding to a hostile situation, and accountable for the success of the mission at hand.
A risk manager should be a:
The Strategist understands the business and its intricacies, scans the environment, evaluates responses and charts out a roadmap to pave the way for a more cyber-resilient organisation. They recognise the expertise and responsibilities of individual functions, yet never fail to orchestrate a coherent response to cyber threats. When it comes to cyber risks, they are informed of the past, aware of the current and look into the future.
The Wingman is a dependable aide to the board and senior management. More than that, they have their back, and are trusted with the professional courage to provide an objective assessment of the organisation’s cyber resilience.
They create the ecosystem for cyber resilience by organising internal and external expertise. The Wingman is a key point of contact with regulators and law enforcement agencies, and actively maintains mutually beneficial relationships with the authorities.
The Advocate is a change agent. They are a fervent believer that cyber resilience comes from shifts in the mindset and behaviour of leaders and the workforce at large. The Advocate understands the cultural barriers and levers and cleverly uses these to drive change, embed accountability and instil discipline.
The Technician understands the risk appetite of the organisation, and is astute at designing and procuring risk transfer solutions to mitigate financial exposures. They are a trusted adviser on process and technology to prevent, detect and respond to cyber threats. They are also a professional sceptic who develops and implements plans to test the robustness of cyber-risk mitigation plans.
TOP TIPS IN RELATION TO A CYBER SWAT PLAN
- Identifies and evaluates cyber risk in the overall context of the organisation’s business model and strategies
- Ensures the existence of a cyber-risk response plan and appropriate structure to mitigate and respond to cyber risks
- Evaluates the robustness (strengths and weaknesses) of the organisation’s existing cyber- risk response plan and structure
- Provides objective assessment of the organisation’s cyber-resilience strategy and plans to enable the board to discharge its duciary duties for corporate governance
- Creates an ecosystem to design and execute cyber-resilience strategy and plans. Partners with internal functional experts (security, crisis management, PR/communications, finance, legal/compliance) and engages external capabilities (e.g. consultants) to fill gaps
- Maintain mutually beneficial relationships with regulators and law enforcement agencies
- Leads the change management effort to ensure that the management and workforce: know, understands and believes in, and embeds cyber risk management in their day-to-day work
- Ensures that there is adequate financial capacity to respond to cyber incidents. Sources, procures and implements cost-effective risk transfer solutions (e.g. cyber-risk insurance)
- Advises the business on process and technology to prevent, detect and respond to cyber threats
- Develops and executes plans to test the robustness of cyber-resiliency plans (e.g. crisis plans, DRP, BCP, red-teaming)