Industry News by Bret Piatt Oct 10, 2017 Cyber Security in the Boardroom - Week 54 Cyber Talk Radio Bret Piatt, CTR Host and Jeff Reich, cyber security industry expert. - Week 54 of Cyber Talk Radio Show Summary This past Saturday, October 7, episode 54 of Cyber Talk Radio hit the air on 1200 WOAI and iHeartRadio streaming. I was joined by Jeff Reich, an industry expert who currently works as a risk management and security consultant. In the first half of the show, Jeff introduced himself, telling us about his background in law enforcement and outlining a few of the numerous experiences he has had in the industry. Jeff and I then discussed the changing risk environment in the technology world. Jeff noted that for institutions like hospitals, the risk environment is shifting from one of facility risk to digital risk, and oftentimes they are very unprepared, especially with the necessary competency often lacking. This led us into a wider discussion about C-suite level risk management, and the challenges of different control structures. We discussed the Equifax hack and what that revealed about the structures that were not in place and the protocols which were not followed. At the same time, we discussed the need to constantly update protocols and perform perpetual threat analyses, a need demonstrated by, among others, the Target credit card hack, which happened through their HVAC vendor. The recent high-profile hacks have added to a wider change since the financial crisis, whereby society has become more knowledgeable about “black swan” risks, risks which are not very likely but would be catastrophic if they materialize. In the second half of the show, Jeff laid out some of the pitfalls of C-suite incentive structures. He explained that often chief security officers (CSOs) work under chief information officers (CIOs), and that their functions are diametrically opposed, meaning incentives are often misaligned. The CIO is typically rewarded for producing more apps and widgets faster, while the CSO’s job is to make sure they are safe and secure, steps which slow down the process. Jeff then went on to advocate that this situation highlighted the importance of creating a different role, the chief risk officer (CRO) within a company, who reports to the CEO and outlines what risks the company is facing and questions what level of risks the company wants to be taking. As Jeff alluded to, this situation is rather similar to insurance. It is not that risk can be eliminated, it’s that risks should be quantified and understood and companies should not take risks beyond what they are prepared to bear. Jeff explained this as a “circle of risk tolerance” and argued that within that circle of risk tolerance is a triangle of the risks actually being taken. The job of the CRO, as he outlined, was to measure each of the components of that triangle to make sure no risk was being taken that lay outside the company’s circle of risk tolerance. In this context, Jeff gave the example of race car drivers wearing helmets, while ordinary drivers don’t, clearly, they face greater risks than ordinary drivers and therefore they take different precautions. Finally, Jeff laid out his key advice for learning more about managing risk, for novices, people with some experience and experts. For novices, he advised tool-based learning, to get to grips with the mechanisms of risk management, and learning some programing. For those with some experience, he advised exercises in working out what the company’s “circle of risk tolerance” actually is. For experts, he suggested taking the CFO to lunch and asking him, “What are the five most important things for the company to do this year?”, and using that information to work out what risk management can do to further each of those goals. To learn more about cybersecurity, listen to the full episode replay available here! Upcoming episode – Saturday nights from 11:00 p.m. to Midnight - Episode 55, October 14: [Military Cyber Professionals of San Antonio] Listen to a replay of this episode or past episodes on a Cyber Talk Radio Podcast stream. Replays are available via the below podcast services: Pocket Casts iTunes Recent episodes – available to stream from our YouTube channel - Cybersecurity Legislation with Congressman Will Hurd Creating a “Culture of Security” with Dr. Greg White of University of Texas San Antonio Codeup’s Approach to Developing Responsible Programmers with Ryan Orsinger Career Matching for Military Cyber Jobs with Cyber Warrior Network Ethics of Artificial Intelligence and Paying Ransoms to Hackers with Van Lindberg 24th Air Force Cyber Operations with Sherri Hanson Bunker Labs and Empowering Military Veterans as Leaders in Innovation with Johnathan Paul Wojtewicz STEM Education and the Geek Bus in San Antonio with Jake Lopez at SASTEMIC Cybersecurity Program at Texas A&M University San Antonio Cybersecurity Master’s Program at St. Mary’s University Cyber Risk Management with Innove Cyber Security Awareness and Training with Inspired eLearning How to Secure Wordpress with WP Engine Have an idea for a topic or want to be a guest? Contact Cyber Talk Radio via our request a topic or be a guest form.