This article summarises the key takeaways and learning points during the Expert Roundtable Discussion, “Cyber risks for businesses”, hosted by the Swiss Cyber Institute on 30 November 2022 and live-streamed to the Swiss Cyber Institute Community. A recording of the event is also available here.
Written by Yanya Viskovich Chair of Cyber Law & Governance Working Group at the Swiss Cyber Institute.
A company’s Board and its management has a duty to understand and oversee significant risks posed to the business. Today, that includes cyber risk. As the past two years have demonstrated, that risk is growing significantly.
The complex and dynamic nature of cyber risks – touching as they do every part of a business – demands interdisciplinary approaches that bring together people from across an organization. Hence, to discuss the cyber governance challenges that businesses face, and share best practices, key principles, strategies and tools to increase cyber resilience, experts at this Roundtable represented a variety of backgrounds. Panelists offered a number of concrete suggestions for businesses, their management, and supervisory Boards for enhanced cyber resilience. If you weren’t able to join us online for this hybrid event, summarized below are some concrete takeaways from the discussion which you might wish to bring back to your various organisations.
Who was at the table?
Dr. Maya Bundt – a senior leader and experienced, multiple board member, including Member of the Board and Chair of the Cyber Resilience Chapter at the Swiss Risk Association. She is a member of the Cyber Security Commission of digitalswitzerland, a member of WEF’s Global Future Council for Cybersecurity, and is a partner for Governance of Digital Risks at the International Center for Corporate Governance. In almost 20 years with the global reinsurer Swiss Re, Maya held a variety of roles in IT, Strategy and Reinsurance. From 2014 she was responsible for developing Swiss Re’s cyber insurance strategy and successfully built the Cyber and Digital Solutions function and team, and chaired the Swiss Re Cyber Council.
We were also joined by Susanne Gnädinger, the Chief Transformation Officer at MS Amlin AG, which is better known under its brand MS Reinsurance – where Susanne enables the company’s end-to-end transformation. Susanne holds a Master in Economics and Informatics from the University of Zurich and began her career at a software engineering company to learn the craft of programming. She subsequently worked in consulting, where she was involved in several projects in the financial industry. In 2005, Susanne joined PartnerRe, holding various roles across the business from Life Reinsurance, to Catastrophe, to Non-Life Reinsurance Operations, and subsequently moved into the role of Chief Transformation Officer when the company started to look into the usage of new technologies.
Andreas Pankow, who serves as the Chief Executive Officer of DGC Switzerland – a comprehensive cybersecurity provider and Partner of the Swiss Cyber Institute – also joined the panel. Andreas shared his more than 20 years of experience in various management roles at international companies, which have included UBS and Credit Suisse. Andreas is based in Zürich, Switzerland, out of where DGC builds up its international business. Andreas is an expert in strategic business planning, managing young companies in their growth ambitions as well as developing and implementing sales strategies. Andreas holds an MBA in Finance from EBS Universität, Germany, and degrees in Banking and Finance from École Supérieure de Commerce Et de Management (ESCEM), and San Diego State University.
Moderating the Roundtable discussion was Yanya Viskovich, a cyber resilience culture specialist and Chair of the Cyber Law and Governance Working Group at the Swiss Cyber Institute.
Notwithstanding the diversity at the table – panelists have worked on cyber risk from various angles including supervisory, governance, management, operational, technical, business, sales, change management, strategic and legal etc. – there was considerable consensus regarding best practices for businesses and their Boards, and the necessary ingredients for creating a cyber resilient culture that ensures business continuity.
Notably, there were three common threads that wove throughout the discussion which is summarized below under these topics:
1.“Managing cyber risk is part of the cost of doing business”
The discussion began with Andreas Pankow noting that the recent global increase in cyber attacks is not despite digital transformations, but because of them, notably owing to the fact that these digitalisations happened in the context of a general lack of cyber preparedness by Boards and corporate management. Moreover, COVID resulted in many businesses across many if not all industries having to digitalise certain elements of their value chain. For some, this was by sending their staff to work from home, whilst for others the sale of goods became possible only through e-commerce in order to remain in business. Many companies have kept many of these digital elements, yet many forgot to consider the security aspects of their digitalisation journey. In part, this was as a result of the urgency to act for business continuity, in others it was due to sheer laziness, a lack of attention, or not knowing better. It was noted that attackers spend on average between two and 6 months in an organisation’s system before the attack occurs. That in part explains this year’s spike in attacks. Dr. Maya Bundt noted that some companies such as Swiss Re had undergone a gradual digital transformation, for example over the past 20 years, but with COVID, many basic risk management tasks had to be redone or done differently, and challenges have increased for organisations in the context of a rapidly evolving regulatory landscape.
Dr. Maya Bundt pointed out that corporate strategic decisions bring both opportunities as well as risks for a business, and as such, “Managing cyber risk is part of the cost of doing business”. To mitigate the risks, Boards and management need to be aware of and proactively consider the impact of corporate decisions on their business’ cyber risk profile. However, rather than treating safe and secure products and services as just a risk or cost topic, Boards and management should also conceive of these as strategic assets.
It was acknowledged by all that in many cases, security is often overlooked in favour of efficiency or initial cost. When business needs are prioritized over safer cyber behaviours, Dr. Maya Bundt noted that determining how to strike the right balance is a question that should be determined by a business’ strategy and risk management framework. In effect, this requires businesses to ask themselves: What is the risk that the business wants to take? And, What is the risk we are taking if we do or do not take this business decision? It is important that the business understands the risk and applies, enforces and lives its security and risk policies. It was acknowledged that sometimes, a more cumbersome approach or process is required in order to safeguard the business’ digital assets. Andreas Pankow noted the need for pragmatism and to find the balance between the risk and the return. He also acknowledged that business needs have a certain urgency sometimes, but that nevertheless certain risk and security elements should be applied, and this can occur even after the business decision has been made.
Dr. Maya Bundt noted that conceiving of the issue as a business need versus a security need posits this as a mutually exclusive decision or zero-sum game, and this dichotomy mindset can be avoided when the business need includes security requirements, in which case there is no discrepancy or trade-off between the two. Susanne Gnädinger pointed out that when demonstrating the cost to the business of not implementing security requirements, it is critical to speak the business language of the Board and the business. Andreas Pankow noted that in organisations where the CISO needs to convince the CFO that cyber risk is not a ‘sunk cost’, this is reflective of a cultural problem. Having statistics at hand that are industry relevant can help to persuade the business to consider the cyber risk of a business decision, as can being able to show a ‘price tag’ for the company’s annual cybersecurity costs in comparison to the average cost of a cyber attack. Andreas Pankow noted that it is the CFO’s responsibility – not that of the CISO – to look at those numbers and take a decision, ensuring business continuity management.
Doing business in a digital world means cyber risk is part of the cost of doing business. Hence, it is folly to regard cybersecurity expenditure as a ‘sunk cost’. Nevertheless, such attitudes prevail in many businesses, and awareness plays an important role in this respect. For example, news items, media articles and publications highlighting the personal liability of executives and Board Members in cyber attacks, can help to push management and Board members in the right direction when it comes to embedding security requirements in business decisions.
Andreas Pankow noted the inherent risks in the corporate strategy element of expansion – whether vertical or horizontal – from an M&A transaction to onboarding a new vendor – and the need to allocate resources to address the risks. In the context of third-party due diligence and managing vendor risk, Dr. Maya Bundt noted it is important to identify those vendors who are critical for the business’ operational continuity, assess their supply chains and have a view of their vendors. Whilst it was acknowledged that this is a daunting and challenging task, particularly for organisations with multiple vendors in the tens of thousands (which is often the case in larger multinationals), this is an essential security requirement. Andreas Pankow shared his view that there is no such thing as a trusted vendor, and accordingly each business must define and enforce its own risk criteria to determine which vendors it decides to interact with, and with whom it will share systems and data. Susanne Gnädinger also noted the complexity of third-party due diligence in the context of multiple vendors and stressed the importance of prioritisation in terms of their criticality.
All panelists pointed out that addressing cyber risk is not a once-off nor a point-in-time issue; the cyber threat is persistent and never goes away. Accordingly, penetration testing is not a once per year event that secures your business for the rest of that year. Rather, cybersecurity must be made part of the company’s normal operations and embedded in the business’ risk culture. This means it must be a continuous element of a business’ practices, implemented and part of a business’ and an individual’s daily life – like brushing one’s teeth. Susanne Gnädinger noted that in this respect, it is a bit like wanting to become fit or planning to run a 10K race, which requires daily exercise rather than just going to the gym once every few months. Such habit formation increases cyber resilience because when it is embedded into the business’ daily work and its DNA, this makes it simpler and easier for employees to engage with the topic, and will assist in pivoting the fear that surrounds cybersecurity into awareness and engagement.
Andreas Pankow pointed out that cyber risk needs to be a daily topic on management’s agenda. It was further noted that some businesses naïvely assume that they will not be attacked. However, there is no industry, company size or organization type that is not in attackers’ focus. Dr. Maya Bundt noted that there is no business too small to be a victim of a cyber event. Andreas Pankow pointed out that one reason for this is the professionalization and digitalization of the attackers themselves. Dr. Maya Bundt noted that the concept of ‘collateral damage’ – whereby businesses that may not be in the attackers’ direct line of focus are still significantly impacted – is often overlooked. This may be as simple as using a supplier or vendor that has been attacked. Susanne Gnädinger noted that the proliferation of device use as a consequence of digitalization was analogous to masses of people driving on the roads without the knowledge or experience of how to operate a vehicle.
Cyber risk must be a Board topic and a management topic, but this is often not yet the case in some companies because of the fear and lack of familiarity with cybersecurity as a topic by Board members and management. Andreas Pankow pointed out that cyber risk is often a challenge for mid-cap companies facing a succession problem; it can be a problem both on the business side as well as the personal side, and requires further awareness-raising.
2. A business’ ‘risk culture’ will fundamentally affect the business’ cyber resilience
A risk culture exists whether an organization realises it or not, and must be studied in the wider organisational cultural context. A company culture in which people are encouraged to ‘speak up’ if they notice something that could potentially cause harm to the business or risk the business’ continuity, or in which making mistakes is understood as something we all do – creates a healthy risk culture. Such cultures provide a business with a head start opportunity to trouble-shoot a potential problem before it becomes an incident for crisis management. Boards and management play a critical role in creating such an organisational culture. They must lead by example and ‘walk the talk’ when it comes to modeling security values and behaviours. This means that Boards and management must demonstrate that they take cyber risk seriously and make cyber resilience part of their organisation’s DNA, including by rewarding and incentivising behaviours that promote strong cyber hygiene, such as encouraging the reporting of risks, not making people feel guilty about having made mistakes, using regular feedback loops, and rewarding employees who identify vulnerabilities in the business before attackers do.
For supervisory Boards, Dr. Maya Bundt pointed out that it is important that they also ‘walk the talk’, including by avoiding promoting behaviours that may incentivize bad cyber practices or undermine good cyber hygiene. Moreover, Dr. Bundt stressed that it is important that supervisory Boards have an open and direct communication channel with the CISO. This creates Board interest in the topic and helps to dispel common myths. Similarly, when a Board knows and has a direct line to the CISO, this can help in translating operational cyber risk topics into what that means for the business, i.e., what it means in Swiss Franc/Euro/USD terms, and what it means for a business’ suppliers, customers, shareholders. This then encourages a pragmatic risk management framework. Susanne Gnädinger noted that this approach towards open communication also creates purpose in an organization because it requires looking at the topic from an end-to-end perspective for the company, making every employee’s contribution towards the business’ overall cyber resilience more tangible. In this respect, the time-honoured human tradition of storytelling – including leaders being vulnerable and sharing their mistakes as well as good behaviours – is a powerful tool to be leveraged for modelling good cyber practices to everyone in the business.
3. The human factor in cybersecurity
All experts agreed that the human factor plays a critical role in cyber resilience in a variety of ways, yet is generally under-appreciated and often misunderstood. In a digital world, everyone in the business has an important role to play in ensuring the business’ cybersecurity and hence in maintaining its operational continuity. Businesses need to understand their people and their processes and how they work. People across the business must be enabled through positive psychology and empowered as key players contributing to the business’ raison d’être. This means leaders need to know the capacities and skillsets of their people and the value they add, and engage with their people. In larger companies this becomes more challenging but can be remedied through delegation.
The impact on humans of managing cyber risk is also overwhelming, and this must be considered from a wellbeing perspective, as well as an operational and strategic vantage point because it is also a cyber risk factor. Dr. Maya Bundt noted that as cyber crises often play out over weeks and months, the stretch on cybersecurity crisis teams is often huge, and their humanness is often overlooked and disregarded – i.e., they have families, and lives outside of managing these crises. In addition, unmanageable workloads can increase cyber risk by causing a lack of presence and attentiveness. This further behooves businesses to consider the human factor in their cyber security strategies, and plan for events and contingencies with their employees’ and crisis teams’ capacities in mind.
On the subject of security awareness training, all panelists noted that it must be engaging, fun, employ gamification as much as possible, use role-plays, escape rooms, and simulation methods that allow you to “feel the pain” of a cyber attack. Importantly, awareness trainings must be ‘translated’ in ways that people can understand how what they do fits into the bigger picture when it comes to protecting and securing the business’ ‘crown jewels’. It was noted in this context that good cyber practices must become as routine as “brushing your teeth”. In the context of social engineering, Andreas Pankow noted that poor digital security in the private home, and on private devices, is often the conduit for cyber attacks on businesses.
The imperativeness of employing positive psychology when raising awareness or conducting training and education in organisations was also stressed throughout the discussion by all panelists. It was noted that the language used within an organization plays an important role in either undermining or reinforcing a strong cyber culture. Andreas Pankow observed that “Zero-Trust is misunderstood internally” and sends a counterproductive message that our fellow colleagues cannot be trusted. This is compounded especially in the context of the damaging cliché that “humans are the weakest link” in the security chain.
There was general consensus that awareness needs to start well before people enter the workforce, and that there is a societal obligation in this regard to educate the next generation by educating children about cyber risk in schools. As a result of home-schooling during COVID, the age at which children first use devices has lowered, requiring greater awareness raising and digital education at an earlier age. Andreas Pankow noted that DGC has started a successful digital education project in schools in Germany teaching students about the risks of digital communication.
The discussion was followed by a rich Q&A session with a number of thoughtful questions from our online audience, many of which touched on points raised during the discussion and which have been included in the outline above, and some final recommendations by the panelists, as summarized below:
- Be prepared. Whilst you can’t prepare for the exact event, you must prepare for something to happen. In the face of overwhelming risk, prioritisation in terms of focus and investment is required. Being prepared means doing scenario planning and having contingency plans in place that clearly set out who does what, when and how for all types of situations including in the event that all systems and data are encrypted by ransomware, preventing all digital communication (emails, internal channels, VOIP etc). You must have a business continuity plan in place that deals with digital harms in the same way that we have plans to follow in the event of a physical harm (such as fire). The plan must include where to find the plan in a crisis, how to act, and who to contact.
- Do your risk management work. Understand what exposures you have, where you have critical assets, processes, vendors etc; every organization has their own risk profile and each must organize their own mitigating actions around their individual risk profile and don’t ever stop doing this.
- Conduct simulations and table-top exercises routinely, just as fire drills are done regularly.
- Know and trust your people and understand their motivations and pain points;
- Keep security awareness alive by using positive reinforcement and story-telling in security awareness training and education programs.
- See awareness-raising beyond a ‘tick the box’ compliance exercise; avoid boring “click, next” trainings; use role-plays, escape rooms, and gamification methods that allow you to ‘feel the pain’ of a cyber attack.
- Invest and participate in public-private partnerships, which facilitate dissemination of best practices and allow us to help each other. Some good examples of such partnerships in Switzerland are the Swiss Financial Sector Cyber Security Centre FS-CSC (https://fscsc.ch) in partnership with the National Cyber Security Centre (https://www.ncsc.admin.ch/ncsc/en/home.html); and the National Test Institute for Cybersecurity (www.ntc.swiss) which facilitates companies’ understanding of how their network components increase or mitigate their cyber risk exposure.
- Embrace the use of collective offensive and defensive capabilities whereby companies band together and join forces against cyber attackers.
- Support the continued development and use of risk standards, scorings and minimum requirements set by industry bodies and Governments (for example in critical infrastructure). These offer a map for companies, providing benchmarks in industries. In cyberattacks, organisations are fighting a common enemy across the world and in that regard companies should not see themselves as competitors.