
C-Suites need to stop taking unnecessary risks

#KingstonCognate introduces Bill Mew


Bill Mew is a key opinion leader, digital ethics campaigner and entrepreneur. As a key opinion leader, Bill focuses on striking the right balance between ‘meaningful protection’, where he has been ranked as the top global influencer for data privacy, and ‘the maximisation of economic and social value’, where he is also one of the top influencers on everything from cybersecurity and digital transformation to govtech and smarter cities. He also appears weekly on TV and radio (BBC, RT, etc.) as an expert on these topics, with more broadcast airtime than any other technologist in the UK.

As an entrepreneur, Bill is the founder and CEO of CrisisTeam.co.uk, where he works with an elite team of experts in incident response, cyber law, reputation management and social influence to help clients minimize the impact of cyber-attacks.

The Corporate Culture of Risk Taking Can Lead to Real World Disruption


Some risk taking is foolish. Much of the sub-prime bank lending that led to the credit crunch, and ultimately to the global financial crisis, was to people who very obviously could never afford the loans. And yet the banks were almost all doing it.

More recently, nobody foresaw the lockdown, or that simple acts like going to school or work, meeting friends or going to the beach could ever be a threat to your life and to those around you. Now that we understand the context, it is obvious.

Both the global financial crisis of 2008 and the current pandemic have been extremely disruptive events whose consequences could have been avoided, or at least mitigated, if we had had a greater appreciation of risk or had listened to the credit risk managers and health experts sooner.


Does Corporate Culture have a lack of risk appreciation?

The way that we account for risk is also often illogical and unpredictable. We have seen a massive switch to home working, which has opened a new attack vector for opportunist cyber criminals. You would expect organisations to be focusing on the security of their cloud applications, but all too often there is an assumption that the cloud provider deals with security, when in reality misconfigured cloud instances are one of the most common sources of data breaches. Under the shared responsibility model the provider secures the underlying platform, while the customer remains responsible for how its own instances, storage and access controls are configured.

While you’d never leave your cloud or your laptop without any password or protection at all, organisations frequently delegate procurement of IoT devices and simple items like USB memory keys to their procurement department. Inevitably they then acquire the cheapest devices available, rather than paying a little more for extras like encryption. Ask yourself, was the USB memory stick that you last used encrypted and password protected? If the answer is ‘no’ then you need to conduct an urgent cyber risk audit.

The failure to account for risk is not only cultural – from the selfie taker to the procurement manager, we don’t always appreciate risk – but it is also a result of the way that organisations operate.

Who is accountable for Cyber Risk?


Bankers failed to appreciate credit risk because their performance was measured solely in terms of revenue and profit. In almost all organisations, every department has revenue and profit as the performance metrics by which it is measured and rewarded. These are return on investment (ROI) measures. As long as this is the way that individuals are incentivised and organisations are managed, there will be little or no effective risk appreciation.

The only senior manager focused not on ROI but on return on risk (ROR) is the CISO*. Based on the organisation’s risk appetite and budget, the CISO does all that they can to mitigate cyber risks and counter cyber-attacks. Unfortunately, having a perspective that is at odds with the rest of the management team means that the CISO is often not only isolated (what I term CISOlation) but can also be scapegoated, even when data misuse occurs as a consequence of actions taken by the CMO**, or when a security breach occurs as a consequence of actions taken by the CIO***, and when the CISO’s warnings were ignored.

It is as if members of the senior management team are all watching a TV on which only two of the three colour feeds are working (revenue and profit). They can see roughly what is happening across the business, but they don’t get the full picture. When major risks do appear, often out of the blue, they are visible to the CISO but not to the others, and if the warnings are ignored then this can lead to calamity.

The three key points should always be considered

It is hoped that recent experiences will make us all far more risk aware. C-Suites need to change the way that they incentivise and manage their teams and ensure that their perspective includes all three key elements: revenue, profit AND risk. Procurement managers need to appreciate risk and understand that buying decisions, from relatively low-cost devices (encrypted drives don’t cost a lot more) to large complex systems, need to be taken with cybersecurity in mind.

With a risk-aware culture, paying a small cyber-risk premium for everything from secure, encrypted devices to complex multi-cloud systems would be seen as a sensible investment, and CISOs would know that they could raise the alarm without being ignored.


Cultural change needed to make a difference

As a society we have never been as interconnected or as reliant on technology as we are now, and therefore never as vulnerable – especially with the threat landscape evolving and growing continually.

Leadership is required to change the way that the management team, and all those below them, behave, and this kind of cultural shift towards greater risk appreciation needs to come from the very top. A culture of digital ethics (including data privacy and security) needs to permeate all levels, from top to bottom. Organisations that have this culture of digital ethics, and that are risk aware, are not only less likely to experience a data breach but will also be better able to respond in the event of one.

Incentives to get this right are everywhere


If the GDPR fines, the regulatory sanction of losing the right to process data, and the litigation and reputational damage from getting it wrong were not enough, there is also a real reward for getting it right. Just as consumers and investors are abandoning brands that are tarnished by cyber-attacks and privacy abuse, they are also willing to pay a premium for trusted brands that are associated with digital ethics.

Customers in all sectors, not just tech, are becoming increasingly discerning and demanding. Research into what they expect of companies, rather than governments, has found that data security and privacy have surpassed even diversity and sustainability. Indeed, security and privacy are now the main things that consumers expect firms to take a stand on, and they will be unforgiving if you get it wrong. So it really does pay to do the right thing!
