My support for companies' CIOs' and CISOs' cyber programs gives me a unique vantage point from which to advise, continuously learn, and enhance my own development across many industries, companies, and leadership and decision-making cultures. I've helped such leaders and companies across many industries, but pharmaceuticals and life sciences have always been at the top of my list for where I like to spend time.
I’ve observed an interesting shift in audit committee conversations around cybersecurity programs and progress. Do we have slates of deep cyber experts with board seats asking deep technical questions? We do not. Is that what companies need? In most cases, they do not.
Having cyber risk focused conversations with boards and audit committees comes down to shifting the dialogue from historical technical updates to business risk conversations.
Where are we? Where are we compared to our peers? Where should we be? How are we going to get there? The fundamentals and basic Q&A needs of the story aren’t changing. But the way we articulate gaps and necessary investments needs to shift.
For example: perhaps network segmentation isn't all about specific brands of firewalls, explaining east/west traffic, auditing firewall rules, complex drawbridges, and getting lost in your feudal-system analogy. Rather, it should be about helping leaders think about their own house. They may have locks on the doors and an alarm system, but when the burglar punches through the living room window, there is a separate locked door to the basement, a safe holding the family heirlooms, and a liquor cabinet with its own individual lock. At worst, those layers slow any perpetrator down from looting everything while the alarm system does its job.
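The house analogy maps directly onto the measurable effect segmentation has on lateral movement. The following is an added illustration, not code from the original post: a toy reachability model in which a constructed estate of six hosts sits in five assumed zones (user, dmz, app, data, backup), and an attacker who lands on a user laptop can pivot to any host whose zone the policy allows from the current zone. Comparing a flat policy with a segmented one shows the two things the analogy promises: more "locked doors" (pivots) between the window and the valuables, and a backup zone that is never reachable at all.

```python
"""Toy lateral-movement model showing why segmentation limits blast radius.

Added illustration, not code from the original post. Hosts, zones and
policies below are constructed for the example, not taken from any real
environment.
"""
from collections import deque

# Constructed inventory: host -> network zone.
HOSTS = {
    "laptop-01": "user",
    "laptop-02": "user",
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data",
    "backup-01": "backup",
}

ZONES = ("user", "dmz", "app", "data", "backup")

# Flat network: every zone may initiate connections to every other zone.
FLAT_POLICY = {zone: set(ZONES) for zone in ZONES}

# Segmented network: only the east/west paths the business actually needs.
# Each entry lists the zones a source zone may initiate connections into.
SEGMENTED_POLICY = {
    "user": {"user", "dmz"},       # users reach the web tier only
    "dmz": {"dmz", "app"},         # web tier reaches the app tier only
    "app": {"app", "data"},        # app tier reaches the data tier only
    "data": {"data"},              # data tier initiates nothing outbound
    "backup": {"backup", "data"},  # backups pull from data; nothing reaches backup
}


def lateral_reach(start, hosts, policy):
    """Map each host reachable from `start` to the number of pivots needed.

    Movement is modelled purely as what the network policy permits: from a
    compromised host you may reach any host whose zone is allowed from your
    current zone. Credentials and exploits are deliberately out of scope; the
    model measures only how much the network itself constrains an intruder.
    """
    hops = {start: 0}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        allowed = policy.get(hosts[current], set())
        for host, zone in hosts.items():
            if zone in allowed and host not in hops:
                hops[host] = hops[current] + 1
                queue.append(host)
    return hops


def unreachable(start, hosts, policy):
    """Hosts the intruder can never reach from `start` under this policy."""
    return set(hosts) - set(lateral_reach(start, hosts, policy))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = lateral_reach("laptop-01", HOSTS, policy)
        print(f"{name}: pivots needed -> {reach}")
        print(f"{name}: never reachable -> {sorted(unreachable('laptop-01', HOSTS, policy))}")
```

Under the flat policy every host, including the database and the backup server, is one pivot from the compromised laptop. Under the segmented policy the database is three pivots away (each one an opportunity for the "alarm system" to fire) and the backup server cannot be reached at all, which is exactly the board-level story: the intruder is slowed down and the heirlooms stay in the safe.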
Q1 and Q2 2024 Trends: I’m hearing better questions being asked. Some examples:
- "Can we evaluate what our business risk and impact would be if we don't achieve our cyber program goals, or don't advance the maturity at the tempo we desire?" Rather than debating "risk tolerance" (whether we have one, and what ours should be), how do we think about scenarios where we advance our mission and scenarios where we don't? What tradeoffs exist to go faster or slower? Is budget the problem, or is it organizational appetite or change management standing in our way?
- "I read that over $1 billion was paid in ransom in 2023. With government stances getting louder on not paying ransom, what do you see changing in how this risk is addressed?" The stance hasn't changed here, but it is indeed getting louder. Governments have typically taken a "will not negotiate with terrorists" stance, yet even for governments you still see prisoner exchanges and negotiations occurring. No one likes the idea of donating to future cybercrime or criminal enterprises, but if it is $100k of ransom against $1mil of daily business loss and impact, the decision makes itself time and time again. The bigger challenge is that these days, paying the ransom doesn't mean you are out of the woods. It is becoming routine for greedy criminals to take a second slice at you with a double ransom, or by stealing your data and threatening a public release (which could deteriorate your customers' trust). Ransom payment as a default strategy is never a solid strategy, and you definitely can't count on cyber insurance covering you: an "acts of foreign war" exclusion, or missing multi-factor authentication on some of your laptops or servers, is a quick trip back to the starting line in the corporate game of chutes and ladders.
- There also seems to be more recognition that throwing more dollars at tools won't mitigate the risk of having far too few people to manage them, get them to scale, or handle the barrage of alerts that fire on a daily basis. Unfortunately, though, the problem still exists. I've seen teams spend millions of dollars on tools with literally no one capable of operating them. They no longer sit in shrink wrap; they sit on someone else's computer (the cloud) and charge you whether you use them or not. The question that should be asked, if it isn't already, is this: on top of all of our external tool spend, outside support, and internal staff, how quickly and effectively can we turn what those tools produce into analysis, remediation, and action? Are there things we are paying for but not using or consuming? If the answer to either of those is not favorable, you have tool-to-human inequity, and you need to adjust your equation. Automation is great, but only if it is real and in place. And I don't see the human being replaced on this front any time soon.
Want to see more of my thoughts on questions and conversations board members, executives and cyber leaders should be having? Here’s a paper I wrote on the topic that is still highly relevant and needed for many companies.
https://www.revealrisk.com/building-senior-leader-engagement-in-cyber-security/
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.
317.759.4453
About the Author
Aaron is a former Eli Lilly senior IT/Security/Audit/Privacy/Risk leader with over 20 years of experience in the pharmaceutical and life sciences sector. He founded the risk management working group for the H-ISAC (Healthcare Information Security and Analysis Center), which enabled information sharing and benchmarking across pharma, payers, and health care providers. Aaron is a certified Six Sigma Black Belt with a career emphasis on building and improving internal processes and controls.