Cybersecurity in the C-Suite: A Matter of “Need to Know”
March 11, 2015, by Chris Kentouris
Cybersecurity has been described as everything from a
top-down corporate mission to a shopping list for
software packages that monitor networks and systems
for suspicious activity. Given the breadth and complexity
of even identifying the risks, it’s no wonder that all sorts of
management are discovering they’re now riding the
cybersecurity bus.
Nowhere is this accumulation of corporate talent more
apparent than in the C-suite, where according to industry
experts, everyone is eventually involved. That means the chief executive officer, chief information officer,
chief operations officer, chief technology officer, chief risk officer, chief compliance officer and let’s not
forget the chief information security officer.
With regulators such as the US Securities and Exchange Commission and Financial Industry Regulatory
Authority breathing down their necks, fund management shops, broker-dealers and banks need to figure
out what to do, who’s in charge, and how much information to share. What was that last one? Are
cybersecurity programs discussed on a need-to-know basis? Sometimes that’s the case, and that’s not the
only sensitive internal issue at the top management level.
Page 1 of 9 | Cybersecurity in the C-Suite: A Matter of "Need to Know"
3/16/2015 | http://finops.co/compliance/cybersecurity-in-the-c-suite-a-matter-of-need-to-know/
It has become a given that addressing cybersecurity risk isn’t only about spending money on technology. It
is also about putting the right program in place. Defining that program can involve sorting
out misunderstandings, conflicts of interest or simple ignorance. The result: a longer planning cycle than
anyone expected, and in a worst case scenario an actual breach while those in charge are dithering. That
breach typically means stolen investor or proprietary data, legal and public relations repercussions, and
even a regulatory fine.
Who Knows What
It is logical to presume that the CEO should be the one steering the ship and barking orders at the CTO or
CISO to get things done — that is, shoring up any holes before the ship sinks. Mistake One: the CEO thinking
he or she understands what managing cybersecurity risk is all about. Mistake Two: the CTO imagines he or
she is up to date on what cybersecurity is all about. Mistake Three: the CTO tells the CEO in detail everything
that needs to be done. Mistake Four: the CEO comes out of the meeting thinking that cybersecurity risk
management means checking off boxes.
In baseball, it’s three strikes and you’re out. In cybersecurity, all it takes is one. Too often, that first strike is the
CEO presuming that the task of handling cybersecurity can be handed off to the CTO on the presumption he
or she will do the right thing. “Surprisingly, CEOs will only ask blanket questions to CTOs or CIOs such as how
is our cybersecurity risk management and do you have a handle on it,” says Eric Anderholm, chief executive
of Sergeant Labs, a La Crosse, Wisconsin-headquartered firm specializing in monitoring cybersecurity risk.
“Such a question could erroneously generate either a yes or no type of response and cybersecurity risk
management can’t be handled with black or white answers. How about asking, what are we doing
specifically to address cybersecurity risk and is it working?”
What is a bad answer? A vague response or laundry list of software that should be installed. “If the CIO or
CTO can’t provide details or trends the CEO can understand, or if he or she believes that buying the right
software eliminates the threat, there is a good chance the firm will have a cybersecurity problem,” says
Anderholm.
Granted, buying the right technology is a good idea but understanding just what that technology does could
require far more tech knowledge than a CEO would have. And it’s not even certain that every CTO would
understand it either. “Most CTOs are more qualified in addressing which applications are necessary for
running the operation, and what business continuity is necessary,” says Warren Finkel, chief executive of
ACE IT Solutions, a New York-based cybersecurity technology firm. “The landscape of cybersecurity threats
is constantly changing and the CTO can’t keep up with every scenario.” Therefore, third-party experts
should come into the equation to do a more thorough analysis of what is needed after the basic questions
are asked.
Covering the Bases
What are those basic questions? Here is Finkel’s list: is anti-virus installed on every system; are computers
and servers being updated with security patches and updates; which employees have access to which data;
is data encrypted; are employees using Dropbox or other cloud applications, and have they been trained in
cybersecurity risk and social-engineering con games such as phishing?
Once the answers are in, an analysis can be done of how well the firm’s current cybersecurity risk mitigation,
or lack thereof, will hold up against each of three risks — technical, financial and regulatory. Case in point: is
the right infrastructure in place to prevent a loss of data and which data is the most at risk for loss? Next up:
if we lose the data how much will our financial loss come to? Last but not least: will the program pass
muster in an exam by either the SEC or FINRA?
With so much information and analysis in play, the program can get bogged down unless communications
are limited to what people need to know to play their roles. This is true even at the highest level. Providing the
CEO with too much information could short-circuit his or her ability to make any decisions. “CEOs could
easily become enmeshed in the nitty-gritty of tackling individual applications or individual tasks,” says
Daimon Geopfert, national leader for security and privacy services for consultancy McGladrey in Chicago.
That means he or she will be distracted from taking the broad view of the overall program, which should be
flexible enough to accommodate changes in the level of risk, business lines or technology advancements. A
better idea for briefing a CEO: present trends in security for the overall organization rather than daily issues.
Enabling the CEO to focus on the firm’s current cybersecurity baseline and tracking consistent improvement
over time offers a sense of progress or indicates where resources are needed at a high level. The only
specific daily issue that should draw his or her attention are “big ticket” items that present oversized risk
such as cybersecurity incidents.
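The basic questions above, and the advice to brief the CEO on trends rather than daily issues, come together once each question is answered with a figure rather than a yes or no, and the figures are compared from one quarter to the next. The following Python is an added illustration written for this page, not code from the article or from any of the firms it quotes. The inventory records are constructed sample data, and the field names, the 30-day patch threshold and the list of sanctioned cloud services are assumptions made for the example.

```python
"""Turn the basic cybersecurity questions into metrics a CEO brief can track.

Added illustration for this page, not code from the article or the firms quoted in it.
All inventory records below are constructed sample data; the field names, the 30-day
patch threshold and the sanctioned-cloud list are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

PATCH_SLA_DAYS = 30                                   # assumed: older patches count as overdue
SANCTIONED_CLOUD = frozenset({"corp-fileshare"})      # assumed: the only approved file-sharing service
SENSITIVE_DATA = frozenset({"client_pii", "trading_strategy", "financial_forecast"})
LOWER_IS_BETTER = frozenset({"patch_overdue", "unsanctioned_cloud_hosts", "excess_sensitive_access"})


@dataclass(frozen=True)
class Host:
    hostname: str
    av_installed: bool
    patch_age_days: int            # days since the last security patch was applied
    disk_encrypted: bool
    cloud_apps: FrozenSet[str]     # file-sharing services observed on the host


@dataclass(frozen=True)
class Access:
    user: str
    dataset: str
    needed: bool                   # does the user's role actually require this dataset?


@dataclass(frozen=True)
class Training:
    user: str
    phishing_trained: bool


def baseline(hosts: Iterable[Host], access: Iterable[Access],
             training: Iterable[Training]) -> Dict[str, float]:
    """One figure per basic question: a proportion or a count, never a bare yes/no."""
    hosts, access, training = list(hosts), list(access), list(training)
    n_hosts, n_users = len(hosts), len(training)
    return {
        "av_coverage": sum(h.av_installed for h in hosts) / n_hosts,
        "patch_overdue": sum(h.patch_age_days > PATCH_SLA_DAYS for h in hosts) / n_hosts,
        "disk_encrypted": sum(h.disk_encrypted for h in hosts) / n_hosts,
        "unsanctioned_cloud_hosts": sum(bool(h.cloud_apps - SANCTIONED_CLOUD) for h in hosts),
        "excess_sensitive_access": sum(a.dataset in SENSITIVE_DATA and not a.needed for a in access),
        "phishing_trained": sum(t.phishing_trained for t in training) / n_users,
    }


def trend(previous: Dict[str, float], current: Dict[str, float]) -> Dict[str, Tuple[float, float, str]]:
    """Compare two snapshots and label each metric improved, worse or flat."""
    result = {}
    for name, now in current.items():
        before = previous[name]
        if now == before:
            direction = "flat"
        elif (now < before) == (name in LOWER_IS_BETTER):
            direction = "improved"
        else:
            direction = "worse"
        result[name] = (before, now, direction)
    return result


def brief(previous: Dict[str, float], current: Dict[str, float]) -> List[str]:
    """The lines a CEO brief would carry: metric, last quarter, this quarter, direction."""
    return [f"{name:26s} {before:6.2f} -> {now:6.2f}  {direction}"
            for name, (before, now, direction) in trend(previous, current).items()]


# Constructed sample inventory: a quarter-one snapshot ...
Q1_HOSTS = [
    Host("ws-01", True, 12, True, frozenset({"corp-fileshare"})),
    Host("ws-02", False, 45, False, frozenset({"dropbox"})),
    Host("srv-01", True, 60, True, frozenset()),
    Host("srv-02", True, 5, True, frozenset()),
]
Q1_ACCESS = [
    Access("alice", "client_pii", True),
    Access("bob", "client_pii", False),          # access nobody in his role needs
    Access("carol", "trading_strategy", False),
    Access("dave", "marketing_deck", False),     # excess, but not sensitive data
]
Q1_TRAINING = [Training("alice", True), Training("bob", False),
               Training("carol", False), Training("dave", True)]

# ... and quarter two, after ws-02 was cleaned up, bob's access was revoked and bob was trained.
Q2_HOSTS = [
    Host("ws-01", True, 12, True, frozenset({"corp-fileshare"})),
    Host("ws-02", True, 10, False, frozenset({"corp-fileshare"})),   # still unencrypted
    Host("srv-01", True, 20, True, frozenset()),
    Host("srv-02", True, 5, True, frozenset()),
]
Q2_ACCESS = [a for a in Q1_ACCESS if a.user != "bob"]
Q2_TRAINING = [Training(t.user, t.phishing_trained or t.user == "bob") for t in Q1_TRAINING]

Q1 = baseline(Q1_HOSTS, Q1_ACCESS, Q1_TRAINING)
Q2 = baseline(Q2_HOSTS, Q2_ACCESS, Q2_TRAINING)

if __name__ == "__main__":
    print("\n".join(brief(Q1, Q2)))
```

"Is anti-virus installed?" becomes 75 percent coverage with one named host outstanding, and "who has access to what" becomes two people holding sensitive data they do not need; those are figures the CEO can watch move from one quarter to the next, and the disk-encryption line that stays flat is the kind of item that tells the board where the next dollar should go. The same approach extends to whatever the firm's own inventory and access-review data already record.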
Quantifying Risk
Just how big are the financial risks? The larger question is who has the data and insight to figure that out.
The CEO might unthinkingly look to technology staff for dollars-and-cents, since the data assets are under
their control. But financial risk management isn’t their specialty. Chief information security officers might be
a better bet, but only if the firm has one. Chances are it doesn’t. Only the largest banks, broker-dealers and
asset managers have such dedicated professionals. Everyone else likely relies on the CTO or CIO.
So what’s left to do? How about pooling knowledge. “Have the CTO, CIO, and risk manager in the same room
to come up with the right risk metrics and explain what is necessary,” says Bryan Seely, a cybersecurity
consultant based in Seattle. “Those metrics also need to take into account information provided by the CTO’s
staffers, who will be able to filter out the noise from each business line, on what they want and what is
realistic.”
Case in point: staff might want remote access or more access to information they shouldn’t have. The CTO
can’t afford to buckle to these requests without thinking about the security risks involved, which is what
some inexperienced ones do. In fact, CTOs may have a conflict of interest in monitoring cybersecurity risk
for no other reason than their primary agenda being to provide access, availability and ease of use. Pursuing
those goals may contradict best practices for cybersecurity. If the same person has dual roles of overseeing
both availability and security, there is a risk that security will not be the winner when it comes to conflicts.
“For many CTOs, the balance between availability and security is often over-weighted to the one that makes
their users happy,” says Geopfert.
Of course, it will eventually all come to funding. Does the CEO want to spend the money to ensure the best
cybersecurity risk mitigation program possible or will it just be the minimum? Not surprisingly, some CEOs
want to save money and do the bare minimum. “What can we do to satisfy regulators, is the common
question we hear, because they don’t view cybersecurity as offering a competitive advantage. They just look
at the cost,” says Yigal Behar, chief executive of 2Secure, a New York-based cybersecurity technology
provider.
Getting to Yes
So just what can be done to persuade a recalcitrant CEO? The fear factor, especially when the regulators are
carrying a big stick, can be persuasive. But it can also backfire. Granted, explaining how the SEC or FINRA
might fine a firm if it doesn’t have the correct program in place could generate some interest, but it is
unlikely to move beyond the level of checking off the boxes. Even worse, the chief compliance officer might
sell the CEO on the idea that earning a certification is the best way to move forward, but that will all depend
on what the certification covers. “At best it is the bare minimum. It only means the firm has completed the
basics and it could easily focus on only one aspect of cybersecurity or some small part of the environment,
rather than the full monty,” says Geopfert.
He advises that firms think of compliance as the first mile in a marathon. It is a good start, but there is a lot
left to do. Organizations need to move beyond compliance with a regulation or standard, into a process
meant to improve the maturity and effectiveness of their cybersecurity program over time. A solid start is to
compare the current cybersecurity governance and technical capabilities against a major standard such as
ISO 27002 or NIST SP 800-53, both of which have been specifically cited by the SEC to determine a firm’s
strengths and weaknesses. Focus on getting an entire program on prevention, detection and correction at a
basic level before trying to deploy highly advanced solutions in one area, recommends Geopfert.
One way to persuade a CEO of the need to spend on cybersecurity is to have the chief risk officer deliver
the bad news alongside the chief technology officer, suggests Seely. The bad news: just how expensive it
can be if sensitive data is lost. Client data is often considered the most significant asset at risk, followed by
trading strategy — the secret sauce of how a firm makes money. Financial forecasts of how well the firm is
expected to perform are next in line. Last, but not least, bring out the numbers of how much each type of
security breach will cost, with the firm’s preparedness just as it is now.
If the CEO has any doubt the firm is vulnerable, it’s time for a penetration test: an authorized, scoped and
time-boxed attack on the firm’s own systems, carried out to surface the weaknesses a real intruder would use.
“Penetration testing offers the most effective way of rapidly identifying a network’s most serious security
risks and prioritizing remediation efforts,” says Finkel. It can also show which of the current security controls
actually stop an attacker, and give regulators and investors evidence that business systems have been tested.
One caveat belongs in that conversation: a clean report covers only the systems in scope on the date of the
test, so it is evidence that the systems were tested, not a guarantee that they are secure.
Finkel recommends that penetration tests be conducted annually, and the results used to
adjust investments in security personnel and technology. Naturally, technology spending will have to go
alongside human engagement in the program. That translates to educating staffers on how to stay alert for
any potential data breaches and what to do if one is suspected, so staff need to know who to alert and
when. CEOs don’t have to be told of every attempted breach as it takes place, but they do need to
know what was done to prevent any financial loss. Should an actual breach occur, staff should know what
the escalation plan would be, who is to be notified and when, and what measures are in place to mitigate
damage.
Not Whether but When
Given the sophistication of cybersecurity criminals, experts say that it’s not whether a breach will ultimately
happen, but when. Taking preventive steps can go only so far. That’s where third-party cybersecurity liability
insurance can fit into the equation. Much like health insurance, it can be used as a last resort to pay off
unforeseen expenses such as claims from investors, costs of regulatory investigations, forensic
investigations to locate the breach and identify how it occurred, privacy notification costs, public relations
campaigns for crisis management, and business interruption.
Surprisingly, hedge funds can end up spending the least on cybersecurity liability insurance because they
have less risk than their traditional fund peers or banks and brokerages, according to Richard Maloy, chief
executive of Maloy Risk Services, a cybersecurity insurance broker in New York. The reason: they hold very
little personally identifiable information in their systems because the data is held with fund administrators. By
contrast, a registered investment advisor can have thousands of individual client accounts and family
members’ social security numbers in its systems.
Having an established cybersecurity program offers the added benefit of keeping down the cost
of insurance for fund managers. Policies can range from as little as US$5,000 for funds with up to US$250
million in assets under management to over US$13,500 a year for funds with over US$1 billion in assets
under management, says Maloy, whose firm specializes in alternative investment funds. Insurance may be
an expense a CEO would consider a bargain.
Still, a word to the wise: insurance isn’t a panacea. Coverage may be capped at only US$1 million.
Prevention is still king.