A New Framework in Risk Management

By Kevin Richards, Managing Director, Global Head, Cyber Risk Consulting, Marsh

Kevin Richards, Managing Director, Global Head, Cyber Risk Consulting, Marsh

What are the various challenges that the enterprise landscape faces today pertaining to data management?

The world today stands at the cusp of a massive digital explosion. From wearables, autonomous vehicles to smart grid and smart delivery energy systems, everything is becoming digital and changing the way customers and businesses interact. In the wake of these evolutions, companies are at a higher risk of exposure to cyber predators that are trying to breach business infrastructures. At this juncture, a critical question arises: whether organizations are ready to handle such vast amounts of data and all the risks that come along with it?

The ever-growing trend of digitalization is giving rise to new capabilities and innovation in terms of skills, knowledge, and processes. With almost every human activity now digitally recorded, more data is being generated that didn't even existten years ago. We are now seeing the myriad of different cloud services and new computing capabilities offered by cloud providers. But, there exist certain areas where things could go wrong. The fact that innovation and the digital marketing mix is expanding faster than cybersecurity infrastructures makes organizations vulnerable to posing cyber threats. Organizations are trying hard to stay in line with these evolving times, and thus, they have multiple incident response programs that are testedregularly.

Today, if you ask any chief information security officer about recent malware or ransomware software, they are able to explain the technical nuances of how that software works and how it impacts the various deployed technologies. Therefore, it's not a technological issue; rather,it's about staying up with all the changes happening in the business at a certain point of time. Also, a degree of asymmetry is played out whenever something new (a cyber incident) is put into a business environmentwhen the attacker happens to be in the right place at the right time. In such scenarios, the security defenses can fail in reacting quickly enough to the threat, and the attacks is successful.  This is one of the biggest challenges that our technology teams are up against – defenders have to be correct every time and all the time, while the attacker only needs to be correct once.

"our purpose is not to protect servers but shield businesses and safeguard their customers' critical data and reputation"

Can you please elaborate on any significant projects that you are currently working on at Marsh and how are you helping your clients become more cyber resilient?

We discuss the cyber risk landscape in several different ways. While working with a wide array of clients over the years, we have realized that cybersecurity teams are fundamentally focusing on the technological capabilities of their program. These capabilities include the kind of firewalls or encryption being used or the type of data loss prevention or identity management program that is implemented to protect the business. We are also recognizing the need to make these real for the industry by illustrating the cyber-related financial impact of investment as evidenced by the reduction of cyber risk.

Even though organizations look at various audit reports and technological readiness reports, they fail to articulate the cyber exposure in terms of dollars from an enterprise risk perspective. So, we at Marsh are trying to bridge the gap between the technological understanding and business impact as a result of those moves.We are also helping companies engage in conversations around the strategies they can formulate in investing their dollars intelligently to create strong cyber resilience. At the end of the day, our purpose is not to protect servers but shield businesses and safeguard their customers' critical data and reputation. Thus, we are working to build a bridge between technology and business speed by looking at technical conversations in objective, business-focused terms.

With all these digital transformations happening, how do you envision the future in this landscape?

Organizations are truly at the beginning of their digital journey. In the next 20 years, not only the digitization of business processes will continue to accelerate but also the way B2C interactionstake place will change. And, cyber exposure will be the lion's share of the exposure, be it in transportation, logistics, manufacturing, or retail industry. Cyber-attacks have impacted these sectors to the scale of hundreds of billions of dollars in losses, not because of damage to their products but due to the business interruption the cyber-attack caused - they couldn't ship products or in some cases accept new orders. This is going to be the new domain of exposure and we have only scratched the surface of the potential business interruption caused due to cyber malware.

What would be your single piece of advice to colleagues or aspiring professionals in the field who are looking forward to embarking on a similar venture?

My one piece of advice to all of them is that you need to break down cyber challenges into a business context and in financial terms..By doing this, you can let the math provide objective numbers to frame the discussion, which thenallows cyber risks to be compared directly to other enterprise risks.  From there, future cyber technological decisions can be evaluated as to whether theyprovide maximum impact in reducing organizational cyber risk.

Read Also

Enterprise Risk Management and Cyber Security

Enterprise Risk Management and Cyber Security

Monica Khurana, CIO, RS Investments
Hybrid Workspace: A Boon or Bane?

Hybrid Workspace: A Boon or Bane?

Greg Becker, President & CEO, Silicon Valley Bank
The Importance of Quantifying Risk

The Importance of Quantifying Risk

Jamie Samans, Director, Information Systems Security at American Institutes for Research
When is The Right Time to Evaluate My Information Security Risk Strategy?

When is The Right Time to Evaluate My Information Security Risk Strategy?

Gary Sheehan, Director - Information Security at Elon University

Weekly Brief