Cyberattacks are becoming increasingly common and their impact on enterprises can be substantial and severe. When a company is breached, there can be significant financial repercussions, as well as negative ramifications on their brand and the loyalty of their customers.
Despite the problems that a cyber breach can create, some companies may not be preparing as aggressively as they should be to identify risk, mitigate the damage from a successful attack and defuse the financial fallout.
To learn more about how all levels of an organization – including the C-Suite – perceive and plan for cyberattacks, Aronson, Risk Cooperative and Ridge Global are banding together to conduct a 360° Cyber Risk Survey. We recently sat down with Natasha Barnes, a Technology Risk Services Manager at Aronson LLC, and Andres Franzetti, Chief Strategy Officer and Founding Member at Risk Cooperative, to discuss the survey and what they expect to learn from it.
In part one of our two-part interview with Natasha and Andres, we discuss what separates this 360° Cyber Risk Survey from others they’ve seen and why cyber risk should be an important focus for all members of an enterprise – particularly the CEO and COO.
Here is what they had to say:
Corporate Growth, Capital Style (CGCS): Aronson has partnered with Risk Cooperative and Ridge Global to conduct a 360° Cyber Risk Survey. What is the point of this survey?
Andres Franzetti: We’re working with Aronson and our colleagues at Ridge Global on developing this survey because of what we’re seeing in the market. Cybersecurity is a growing, evolving threat that is not going away anytime soon. If anything, it’s just going to get more compounded once all of the connectivity from the Internet of Things comes more to the forefront. And organizations, we feel, are not necessarily prepared or evaluating this threat the right way.
So, the premise of the survey is really about helping institutions and organizations look at their cyber posture and cyber risk – not from the standard market approach of technology and whether they’re spending enough on defensive measures to prevent a breach – but rather from a business resiliency and business continuity standpoint. We’re looking to shift the discussion from the [Chief Information Security Officer] and the [Chief Technology Officer] more towards the board level and C-Suite level – the CEOs and CFOs particularly. We’re looking to turn this risk – and its consequences – into a more tangible, financial concept so that they can see the impact across the organization. Only then can they start analyzing it and weighing the necessary countermeasures and build up resiliencies accordingly.
Natasha Barnes: We also are interested in seeing the results because we’re looking across enterprises of different sizes, IT maturity levels and in different marketplaces. There are various rubrics and standards for what should be done regarding cybersecurity and safeguards; we’re interested in seeing how that’s being adopted across the board – and as it relates to enterprise size and industry. We want to see how these organizations are working to address their cybersecurity and IT architecture, and how they’re looking to address this evolving risk.
CGCS: What information is Aronson looking to expose? Also, what types of professionals and organizations are you looking to have participate in this survey?
Andres Franzetti: If we look at the macro level of an organization, the large companies like Procter & Gamble, Target and Sony have the corporate balance sheets to absorb a cyber breach. They can withstand the liability payouts for any private information that is compromised. They can even withstand – in many cases – the reputational exposure, especially if their services/offerings are more goods and services oriented than an organization that is primarily data driven.
But when you start going downstream – when you go to the smaller companies in the middle market – they’re the ones that are truly most vulnerable and in the most need of cybersecurity consulting. These organizations don’t often have the right level of communication or awareness at the board and C-suite around their cyber posture. And, as Natasha discussed, they may have a false sense of security – where there is no CISO position, they are hedging that their IT teams and/or external support are handling it, that they have systems in place – but that doesn’t always translate to a secure cybersecurity posture or environment. Often, just throwing money at it – or technology at it – isn’t enough to really protect an organization. They need a stacked approach. They need an approach that leverages a more proactive cybersecurity philosophy and leverages education and communications – and insurance as well – to help develop a more robust organization.
So, we’re really looking to get to the middle market in this area. And we’re looking to get responses from the C-Suite on a broader level to better understand their knowledge of cybersecurity and where their exposure is.
Natasha Barnes: Compliance doesn’t equal security. There may be an organization that says, “oh, we’re PCI compliant,” and then they’ll have a breach right after that. More needs to be done to address and minimize these breaches – and to prevent them. And that’s the type of information that we’re looking to generate from this survey – learn what people are doing and provide guidance to help them become more secure.
CGCS: Why is cybersecurity such an important topic for enterprises today? What kind of risks does cybersecurity pose to an enterprise? How could a security breach impact them and their bottom-line?
Andres Franzetti: It’s such an important topic for enterprise because this is no longer just about whether they can adequately respond to a breach. Today, it’s a matter of business continuity and resiliency. As Natasha mentioned, compliance doesn’t necessarily mean you have good cybersecurity. Being able to withstand a cyber breach – being able to withstand the reputational fallout that results, and being able to have business continuity in the face of ransomware, legal expenses and other expenses – that’s really the crux of the matter here.
For a lot of middle-market organizations that don’t have fortress balance sheets, these cyber breaches are not a question of just continuity, but a question of survival. Organizations need to be able to evaluate what a cyber breach means for their organization. That’s why the survey is not just designed to cover the technology – while that’s a part of it. It’s geared to discover the larger financial impact that a cyber breach event will have on an organization.
Considering the stakes, it’s essential that the entire C-Suite understands if the company can withstand the liability lawsuit. They need to understand if their reputation can withstand public scrutiny of a breach disclosure. In today’s environment, it’s not a matter of if you’ll be breached, but when you’ll be breached – and if your organization can withstand that public scrutiny, have that resiliency and be able to continue onward.
Natasha Barnes: We’re more interconnected now. Today’s organizations are more connected and have more third-party risk. Data doesn’t just stay in one organization and get emailed out to a couple of service providers anymore. Multiple partners and service providers are sharing data – that’s how business is getting done – and that data is being spread across all of these different entities. And they’re all responsible for managing the cyber risk collectively.
That’s what continues to make cybersecurity more challenging today, and makes cybersecurity so essential today. Organizations need to take heed of that, because it can make or break them. Even Target – a company that likely has a robust compliance program – was breached. What happens with a smaller company – one that doesn’t have a similar comprehensive program in place or personnel with the sufficient depth and breadth of cybersecurity experience? We’re also seeing a lot of smaller companies who have outsourced their IT departments in part or in whole, which has decreased the awareness of their cybersecurity posture while increasing the amount of knowledge entrusted to third parties.
Andres Franzetti: And that’s why taking a proactive approach – and not just buying the latest technology or an insurance policy – is essential. It has to be a stacked approach of education from the board level all the way down and then back up again. They need to employ technology and services that are proactive in helping analyze and mitigate breach responses as quickly as possible. And then they need to ultimately leverage the financial market – such as insurance – to make sure that any liability doesn’t hit their P&L, but rather goes into the insurance market. Eventually that will allow organizations to put a fixed price on that uncertainty.
The way court cases have gone recently, it’s as much of a concern for the C-Suite and board members as it is for the IT leadership in an organization. Stakeholders and shareholders are holding board members and CEOs accountable for these kinds of lapses in fiduciary responsibility. With the high fluidity of how it’s evolving, it simply can’t be an issue that’s ignored by organizations, especially companies in the middle market that are most vulnerable.
In our next article on Corporate Growth, Capital Style, we’ll feature part two of our two-part interview with Andres and Natasha. In the second part of our discussion, Natasha and Andres discuss the types of threats facing companies, what they’re anticipating to discover from their cybersecurity survey and when readers can expect to see results. To take the Aronson, Risk Cooperative and Ridge Global 360° Cyber Risk Survey online, click HERE.