Businessman protecting data personal information on virtual interface

C-Suites Need to Stop Taking Unnecessary Risks

#KingstonCognate introduces Bill Mew

Picture of Bill Mew

Bill Mew is a key opinion leader, digital ethics campaigner, and entrepreneur. As a key opinion leader, Bill focuses on striking the right balance between “meaningful protection,” where he has been ranked as the top global influencer for data privacy, and “the maximization of economic and social value,” where he is also one of the top influencers for everything from cybersecurity and digital transformation to govtech and smarter cities. He also makes weekly appearances on TV/radio (BBC, RT, etc.) as an expert on these topics—with more broadcast airtime than any other technologist in the UK.

As an entrepreneur, Bill is the founder and CEO of CrisisTeam.co.uk, where he works with an elite team of experts in incident response, cyber law, reputation management, and social influence to help clients minimize the impact of cyberattacks.

The Corporate Culture of Risk Taking Can Lead to Real-World Disruption

Corporate managers working at a large video tablet

Some risk-taking is foolish. Much of the sub-prime bank lending that led to the credit crunch, and ultimately to the global financial crisis, was to people who very obviously could never afford the loans. And yet the banks were almost all doing it.

More recently, nobody foresaw the lockdown and the fact that simple acts like going to school, work, meeting friends, or going to the beach could ever be a threat to your life and to those around you. But now that we understand the context, it is obvious.

Both the global financial crisis in 2008 and the current pandemic have been extremely disruptive events with consequences could have been avoided, or at least mitigated, if we had had a greater risk appreciation or listened to the credit risk managers and health experts sooner.

Young businessman shows the word: Risk management

Does Corporate Culture Have a Lack of Risk Appreciation?

The way that we account for risk is also often illogical and unpredictable. We have seen a massive switch to home working, which has opened a new attack vector for opportunist cyber criminals. You would expect organizations to be focusing on the security of their cloud applications. All too often, however, there is an assumption that the cloud provider deals with security, when in reality misconfigured cloud instances are one of the most common sources of data breaches.

While you’d never leave your cloud or your laptop without any password or protection at all, organizations frequently delegate the procurement of IoT devices and simple items like USB memory keys to their Procurement department. This department inevitably acquires the cheapest devices available, rather than paying a little more for extras like encryption. Ask yourself, was the USB memory stick that you last used encrypted and password protected? If the answer is “no,” then you need to conduct an urgent cyber risk audit.

The failure to account for risk is not only cultural—from the selfie taker to the procurement manager, we don’t always appreciate risk—but it is also a result of the way that organizations operate.

Who Is Accountable for Cyber Risk?

Data protection and cyber security on a virtual interface

Bankers failed to appreciate credit risk because the way that their performance was measured was solely in terms of revenue and profit. All departments in almost all organizations have revenue and profit as the performance metric by which they are measured and rewarded. These are return on investment (ROI) measures. As long as this is the way that individuals are incentivized and organizations are managed, there will be little or no effective risk appreciation.

The only senior manager focused not on ROI, but instead on return on risk (ROR), is the CISO*. Based on the organization’s risk appetite and budget, the CISO does all that they can to mitigate cyber risks and counter cyberattacks. Unfortunately having a perspective at odds with the rest of the management team means that the CISO is often not only isolated (what I term CISOlation), but can also sometimes be scapegoated, even when data misuse occurs as a consequence of actions taken by the CMO** or when a security breach occurs as a consequence of actions taken by the CIO***, and when their warnings were ignored.

It is as if members of the senior management team are all watching a TV on which only two of the three color feeds are working (revenue and profit). They can see roughly what is happening across the business, but they don’t get the full picture. When major risks do appear, often out of the blue, they are visible to the CISO. If the warnings are then ignored, this can lead to calamity.

Three Key Points Should Always Be Considered

It is hoped that the recent times will make us all far more risk aware. C-Suites need to change the way they incentivize and manage their teams, and ensure that their perspective includes all three key points: revenue, profit, AND risk. Procurement managers need to appreciate risk and understand how buying decisions that range from relatively low-cost devices (encrypted drives don’t cost a lot more) to larger complex systems need to be taken with cybersecurity in mind.

With a risk-aware culture, paying a small cyber-risk premium for everything from secure, encrypted devices to complex multi-cloud systems becomes a sensible investment, and CISOs know they can raise the alarm without being ignored.

Colleagues meeting to discuss their financial plans

Cultural Change Needed to Make a Difference

As a society, we have never been as interconnected or as reliant on technology as we are now, and therefore never as vulnerable—especially with the threat landscape evolving and growing continually.

Leadership is required to change the way the management team and all those below them behave, and this kind of cultural shift towards greater risk appreciation needs to come from the very top. A culture of digital ethics (including data privacy and security) needs to permeate all levels—from top to bottom. Organizations that adopt this culture of digital ethics, and that are risk aware, are not only less likely to experience a data breach but will also be better able to respond should one occur.

Incentives to Get this Right Are Everywhere

Close up of fully checked checklist box

If the GDPR fines, the regulatory sanction of losing the right to process data, and the litigation and reputational damage from getting it wrong were not enough, there is a real reward for getting it right. Just as consumers and investors are abandoning those brands that are tarnished by cyberattacks and privacy abuse, they are also willing to pay a premium for trusted brands that have an association with digital ethics.

Customers in all sectors, not just tech, are becoming increasingly discerning and demanding. Research conducted into what they expect of companies, rather than governments, has found that data security and privacy have surpassed even diversity and sustainability. Indeed, security and privacy are now the main things that consumers expect firms to take a stand on and they will be unforgiving if you get it wrong. So, it really does pay to do the right thing!

#KingstonIsWithYou

Ask an Expert

Kingston can offer you an independent opinion on whether the configuration you’re currently using, or planning to use is right for your organisation.

Self-encrypted SSDs

We offer advice on what benefits SSDs will bring to your specific storage environment and which SSD is most suitable for your mobile workforce to ensure you are working securely on the go.

Ask an SSD Expert

Encrypted USB Drives

We offer advice on what benefits using Encrypted USB will bring to your organisation & which drive is best suited to your business needs.

Ask a USB Expert

Related articles