By Bret Piatt
Oct 10, 2017
This past Saturday, October 7, episode 54 of Cyber Talk Radio hit the air on 1200 WOAI and iHeartRadio streaming. I was joined by Jeff Reich, an industry expert who currently works as a risk management and security consultant.
In the first half of the show, Jeff introduced himself, telling us about his background in law enforcement and outlining a few of the numerous experiences he has had in the industry. Jeff and I then discussed the changing risk environment in the technology world. Jeff noted that for institutions like hospitals, the risk environment is shifting from one of facility risk to digital risk, and oftentimes they are very unprepared, especially with the necessary competency often lacking.
This led us into a wider discussion about C-suite level risk management, and the challenges of different control structures. We discussed the Equifax hack and what that revealed about the structures that were not in place and the protocols which were not followed. At the same time, we discussed the need to constantly update protocols and perform perpetual threat analyses, a need demonstrated by, among others, the Target credit card hack, which happened through their HVAC vendor. The recent high-profile hacks have added to a wider change since the financial crisis, whereby society has become more knowledgeable about “black swan” risks, risks which are not very likely but would be catastrophic if they materialize.
In the second half of the show, Jeff laid out some of the pitfalls of C-suite incentive structures. He explained that often chief security officers (CSOs) work under chief information officers (CIOs), and that their functions are diametrically opposed, meaning incentives are often misaligned. The CIO is typically rewarded for producing more apps and widgets faster, while the CSO’s job is to make sure they are safe and secure, steps which slow down the process. Jeff then went on to advocate that this situation highlighted the importance of creating a different role, the chief risk officer (CRO) within a company, who reports to the CEO and outlines what risks the company is facing and questions what level of risks the company wants to be taking.
As Jeff alluded to, this situation is rather similar to insurance. It is not that risk can be eliminated, it’s that risks should be quantified and understood and companies should not take risks beyond what they are prepared to bear. Jeff explained this as a “circle of risk tolerance” and argued that within that circle of risk tolerance is a triangle of the risks actually being taken. The job of the CRO, as he outlined, was to measure each of the components of that triangle to make sure no risk was being taken that lay outside the company’s circle of risk tolerance. In this context, Jeff gave the example of race car drivers wearing helmets, while ordinary drivers don’t, clearly, they face greater risks than ordinary drivers and therefore they take different precautions.
Finally, Jeff laid out his key advice for learning more about managing risk, for novices, people with some experience and experts. For novices, he advised tool-based learning, to get to grips with the mechanisms of risk management, and learning some programing. For those with some experience, he advised exercises in working out what the company’s “circle of risk tolerance” actually is. For experts, he suggested taking the CFO to lunch and asking him, “What are the five most important things for the company to do this year?”, and using that information to work out what risk management can do to further each of those goals.
To learn more about cybersecurity, listen to the full episode replay available here!
Episode 55, October 14: [Military Cyber Professionals of San Antonio]
Contact Cyber Talk Radio via our request a topic or be a guest form.