The new world of cyber risk

New world of cyber risk


Published on September 26, 2019

We keep hearing about cyber attacks and cyber incidents in the media. But what do these mean and how can effective cyber security be used to combat them? Cyber risk means something different to everyone. For me it encompasses not just IT security, but also information security, privacy, and even physical security. For example, I can use physical security weaknesses (access to facilities) to breach IT security (such as servers), or IT security weaknesses to breach physical security. Keeping each in discrete silos can therefore result in variable levels of security maturity in an organization, allowing an attacker to find the weakest link in the chain to exploit. Having a single individual accountable for security holistically, with a single team and single budget typically allows for all areas of security to be maintained at a broadly consistent level, reducing the risk of exploit to the organization. Consequently, a converged security approach that combines all types of security into one typically makes sense to reduce risk and provide business efficiencies. Organizations that are more sophisticated are gaining further benefits by creating a fusion centre: a single capability to collate, analyze and respond to cyber security and related organizational information, providing consolidated insight that offers more than the sum of its parts.

In my experience, most organizations are beginning to wake up to the fact that effective security is a cost of doing business. I’m often asked about how to practically help reduce cyber risk. While there are many facets to cyber security, I recommend starting with understanding the specific cyber risks applicable to an organization. These could be identified by an independent assessment against industry good security practice or by using an organization’s in-house team to complete an assessment. In addition, it is critical to identify where the important/sensitive data is located in an organization, as well as the specific legal/regulatory obligations. Without this, an organization won’t be able to work out what they should be protecting or the implications of not protecting it sufficiently. This is particularly true for those organizations that operate globally where obligations can vary quite significantly. Deploying a business-driven, risk-based approach to cyber-security assessments is a core recommendation.

I also believe that good cyber security can require a mindset shift as to how cyber security operates in an organization. Previously it may have been acceptable to delay a security remediation project for a number of months or even years. However, automation has made attacks by hacking tools incredibly quick and easy for a perpetrator to complete. As a result, cyber agility is key, and cyber weaknesses and vulnerabilities should be remediated as close to real time as possible. The recent fines associated with breaches of GDPR and other penalties demonstrate that delaying cyber-remediation activities is increasingly ill advised.

I’m also asked whether cyber improvements always cost money. The answer is no, not always. An email message sent from a senior staff member reminding employees why security is important costs nothing, but can be highly impactful if written correctly. That said, it is likely that some expenses related to cyber-security protection will still be required.

In terms of expenses related to cyber security, some organizations seek a budget amount that they should use on cyber-security controls, such as being defined as a percentage of IT expenses. I think that this approach is outdated and the real value comes in determining what level of security capability/maturity an organization wants to achieve. Having a cyber-security breach as a result of a brand new cyber exploit that had not been identified publically is typically seen as somewhat forgivable. However, a cyber breach as a result of not getting the basics right (such as implementing a security patch that has been available for some time) is simply not excusable, and customers, regulators and the media are likely to treat you harshly. Therefore, I believe that all organizations should proactively define their cyber-risk tolerance, taking an informed approach for deciding what is acceptable. This defines an organization’s cyber-defensible position, which should be determined and agreed upon by those in a senior oversight role with input from the security team.

I’m often asked about oversight for cyber risk, including the role of the CFO. It is now no longer acceptable for executives to not be involved in cyber security in their organization. To have an effective cyber-defensible positon, executives need to prove that they regularly discuss cyber security and take it seriously. Equally, they need to be able to demonstrate that although they may accept cyber risk in certain areas of their business, they need to be able to demonstrate that they’ve taken a considered and risk-based approach for addressing key cyber risks. This can include validating progress on risk reduction, or providing appropriate funding for remediation activities. CFOs and other executives should recognize that cyber security is a whole business issue. Executives and Board members will now be held accountable and the personal impact of getting it wrong can be severe. I would also suggest that CFOs and other executives understand the basics of cyber security, as well as support but challenge their teams: are they doing enough to reduce exposure to cyber risk? Are they prioritizing the right cyber-remediation activities? Do they know they have your support? Ask what help and support they need. Do not let cyber security inhibit your business plans, but be aware of the risks up front and either risk accept or risk mitigate.

In terms of how internal audit plays a role in cyber security, I see them as providing independent views and validating that controls and capabilities have been implemented correctly and are being enforced. Cyber security should not be treated as a tick-box exercise by them or anyone else in the organization, and instead their activities should revolve around providing a truly accurate view of cyber risk in the firm with pragmatic recommendations to address weaknesses. An increasingly common approach is for internal audit to run red team exercises. Red team exercises closely mimic how a hacker or other unauthorized individual would try to gain access to an organization’s data or facilities. They would use ‘all-source’ skills and capabilities to achieve what they’re after. Examples include using hacking tools to identify technical weaknesses in systems to allow a path in, using human psychology to send phishing emails to employees to trick them into clicking on links, or even lying to staff at the front desk to deceive them into providing physical access to the building. While the internal audit team doesn’t necessarily have the in-house skills to complete these activities, they typically have the ability to call on those that do, who can then complete an assessment in a manner that those in the audit team (as well as the rest of the organization) can digest.

It used to be that organizations put all their effort into preventing cyber-security incidents. While organizations should still do their best to be proactive in this regard, the reality is that any organization could be susceptible to a cyber breach with an overused (but accurate) security adage, “It’s not a question of whether you will have a cyber incident but instead it’s a question of when”. As a result, I always recommend that organizations implement appropriate capabilities for the timely detection of actual or suspected security incidents. Further, organizations must consider how they would react to a security incident once it is detected. There are many organizations that have struggled with responding correctly to an actual cyber incident once it’s been identified, and have inadvertently made the event much more impactful. Proactively planning for how to respond to a cyber incident (including running some tabletop exercises) is a great way for an organization to hone its capabilities for when they’re really required.

I’m often asked about whether Cloud computing is secure or not. Being a consultant, I always reply, “it depends.” Ultimately, it is contingent on the sensitivity of the data being stored in the cloud, the consequential impact if the data were to be breached (or fail to be available when required), the type of cloud service being adopted (public or private), and the quality of services delivered by the cloud provider. I see a place for cloud computing providing benefits to many organizations, but my advice is to go in with your eyes open and implement it properly. Edge and fog computing are also likely to become an increasing theme when organizations consider cloud computing. 

Linking to this, I’m also asked about what questions should be considered when exploring the impact of adopting or not adopting new technology. The top three questions I would be asking if I were a CFO would be:

  1. Tell me the business benefit and why this technology is the best for meeting our needs.
  2. Explain how you will ensure it doesn’t become obsolete or superfluous in a short amount of time.
  3. If the technology were to fail, explain how we would detect this and the impact to our firm.

When considering new technology, also consider when to adopt. Depending on the technology, early adopters can get some immediate risk reduction when compared to their peers, and when it comes to delaying the implementation of cyber tools, we’ve seen that this can lead to exposure. I would never recommend being a laggard when implementing security tools. However, early adopters will have to accept the fact that it may take some time to tune the technology appropriately, as appropriate experience of the technology may be in its infancy.

A core belief of mine is that it is important for organizations to keep up to date on cyber security, including new methods of attack and new approaches to prevent and detect them. Cyber security is additive, which means that organizations will have to deal with yesterday’s cyber-security threats and challenges, today’s cyber security threats and challenges, as well as tomorrow’s.

So what about the future? You can be certain that criminals and hackers will evolve their tools and techniques, with their attacks becoming more complex and creative. In addition, cyber security already touches all parts of our lives, from transportation to banking facilities, and even in our homes with multiple connected devices. While they offer us many advantages, such as efficiency and convenience, obviously if any of these are compromised the consequences can be highly impactful. Cyber security is being further embedded in everything we do; a fused or mosaic linkage between the physical world and the digital world is now becoming a reality, and neuro-prosthetics is opening a new bridge to how humans connect to digital capabilities. While this (and other bio-enhancements) will open up new routes for efficiency, convenience and a ‘must have, cool factor’ that will guarantee their adoption, it will undoubtedly open new and unprecedented avenues for cyber attacks.

Therefore, before adopting the latest technology and swooning over the benefits it can bring, I recommend that organizations be clear on the risks up front before embracing new technology. If there is one thing that history has taught us in cyber security, it is that the ‘bad guys’ are already working out how to exploit new technology for their gain. Let’s ensure we turn the tables on them.



Paul Hanley

Paul Hanley

Paul is the National Lead Partner for Cyber Innovation in Deloitte, providing Cyber Risk services nationally. He directs a team of security professionals that provide security consultancy services to a wide variety of clients. Paul is a recognized expert in information security, with significant experience in the field. He has particular experience in aligning security functions to the needs of the business, and providing cyber-security direction for Board-level executives. The majority of Paul’s clients operate globally, and Paul has experience working in Canada, the US, Europe, Scandinavia and India.

In his career, Paul has been directly involved with a number of high-profile, billion-pound programs and has built strong senior business relationships.

Paul has also been a CLAS consultant approved by CESG to provide information assurance advice to government departments and other organizations, and has advised many regulators and government departments on how to achieve effective cyber security in the new world of cyber risk. While strongly versed in all areas of security, his key subject-matter specialties include forming and running global security functions, business transformation, security innovation and leading, large-scale information security programs.

Paul also has expert knowledge in driving effective cyber-security improvement, information security risk management, technical security architecture design, IT risk management, cryptography, disaster recovery and business continuity planning.


Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.