The Cyber Security Podcast from PwC UK: Communicating cyber risk to the c-suite

Subscribe to our cyber security podcast series

The Cyber Security Podcast from PwC UK covers the latest developments in cyber risk, resilience and threat intelligence. In each episode we’re joined by special guests to give you practical insight on how to improve your cyber security and create a more resilient business.

Subscribe to our podcast on: 

Transcript

Introduction by our host, Abigail Wilson: Hi, I’m Abigail Wilson. I work in PwC’s threat intelligence team, and I'll be your host for this new series of our PwC UK Cyber Security Podcast. It's been a while since our last episode was recorded in late 2018. Over the last two years new challenges have emerged in the cyber security space, although many fundamentals have continued to remain of key focus. Last year in 2020, we saw organisations rapidly adjust to the COVID-19 pandemic and with it a shift in the threat landscape, as well as the emergence of new strategic risks. In this third series, we'll be focusing on some of the latest developments in cyber security covering cyber risk, resilience, and threat intelligence. Each fortnight we’ll welcome a different guest to give you practical insights on how to improve your cyber security and create a more resilient business.

In this episode, we'll be discussing cyber risk, and specifically how to make sure the c-suite can understand it. We know this is a really important topic and our latest research shows that only 38% of UK organisations are very confident their cyber security budget is allocated to the most significant risks. Clearly more needs to be done to get a handle on cyber risk, and make sure companies are not wasting their cyber spend.

I’m excited to be joined in our virtual studio today by Philippe Korur, who leads on our cyber risk reporting platform. Philippe is going to explain why a different mindset is needed to effectively manage cyber risk, and of course how you can improve your own cyber risk reporting.

Philippe Korur: Hi Abi, thanks for having me.

Phillipe firstly, just to give some background for our listeners, why is cyber risk reporting so important?

Philippe: So as you’ve said there are not that many execs that seem to be quite confident of their cyber budget and the way that it should be prioritised. Obviously, that's one of the key goals of execs, and what they want to do with cyber risk monitoring. As you said, COVID-19 has hit us and a lot of ransomware attacks are happening currently. We are really continuously changing and in a complex threat landscape, and that requires us to think a bit differently about how to measure and report on cyber risk. So what is really important in cyber risk reporting is really trying to get away from just controls and just controls compliance, and really focus on what are the key risks and threats, and how to monitor those, and how you can show to your execs where you need to prioritise. And also, give a level of good assurance to your stakeholders, including the board and regulators.

It sounds like this is really fundamental for organisations. Tell me from your experience, where is it going wrong, what are the common problems that you've seen?

Philippe: There are quite a few challenges that we've had and that we’ve seen from clients. Obviously, there could be a lot of data out there and just the sheer amount of data, companies don't really know what to measure and how to measure cyber risk with that data, and which metrics, for example, to focus on in reporting, which can be a key element to look at, and how to relate those, for example, back to threats and risks. How do we actually also show how much threat we have and how real is the threat, and how to visualise that in a report really. And also, what is the likely impact of a security incident, and how do you know what types of losses can impact the company? Finally, what type of controls can bring the most risk reduction benefits. There are many, many questions out there to ask yourself and to respond to in a good cyber risk report, so the challenge is quite great.

It sounds like there are many key challenges. One I feel is a challenge around communicating with the c-suite. What do you feel is causing this breakdown, especially between the CISO and of course the c-suite, who may not have the same cyber security background of course?

Philippe: Yes exactly, it depends on the company of course, and the politics in the organisation. But obviously a lot of CISOs are very busy firefighting specific incidents and they don’t have that much time to take a step back and address the wider picture, look at what are the key risks that are happening, the threats that are changing, and where I can actually prioritise. Rather, they are pulled right and left by different stakeholders in organisations to focus on really narrow topics related to specific incidents that may have happened, but that don't necessarily help looking at it from a strategic perspective, what could be the really impactful risks out there that could happen on top of what already happened.

Another area that can also be quite restrictive is obviously the existing processes and tooling that the company may have. That may limit the CISO’s ability to communicate in a good way. Obviously, as just an example, is just creating a very flexible dashboard to be able to communicate it may not be possible just due to the tooling that has been already implemented out there, so that needs to be thought about as well.

It sounds like there are quite a few issues in terms of just even getting started with cyber risk reporting. For organisations who are just starting to develop their cyber risk reporting and are starting this journey, what does good look like at this stage for them?

Philippe: What good looks like is achieving a good dashboard visualising the right key risks, threats, key controls, and what are the top metrics to actually also show and report. On top of that, obviously you need to be able to answer the “so what”, around okay, let's say I’m outside my level of appetite on particular risks, what am I doing to get them back to an acceptable level. Obviously, you need a transformation view, where you need to show what are the investments and projects in place to enable a better level of risk, so that's another area.

It sounds like that type of information is really key when communicating with the c-suite. For CISOs, how do they start to bring that information together, what inputs do they need?

Philippe: Really they need first to think about what are the key building blocks that can help them create this type of dashboard. That can be for example, what are the top risks, how do they relate back to the relevant threat scenarios that can lead to those risks occurring, and what are the key controls out there that can map back to those threat scenarios, and what are the metrics to monitor on an ongoing basis, those key controls and risks over time. Having thought about that, having put that in a visual dashboard, you can then start bringing more and more automation in that.

It sounds like once you've got those key basics in place you can start looking forward into long-term advancements of your cyber risk reporting. My question is, how can organisations take it to the next level, what should they be aiming for?

Philippe: The next level, yes, that's an important part. I mean you need to be able to aim towards more and more real-time data and to go away from subjectivity of trying to get data, for example, from different stakeholders, asking them questions and sending them questionnaires, rather trying to get the data from its source where possible. There is a growing area called continuous control monitoring and the combination with risks and threats is really what we call continuous risk monitoring. Being able to create dynamic dashboards on top of source data coming from your permission access management tool, from your different security tools, and your threat intelligence tooling will enable you to, over time, get more and more real and robust data to feed into your reporting, which is really key.

From your experience, what type of resources and capabilities are needed for an organisation to take that step further?

Philippe: Obviously it will depend on the company's current maturity and where they are in their journey to reporting, but there is a mix of risk expertise and data analytics background that is required in teams. Some organisations decide to go fully in-house with large teams doing both or going hybrid with some elements of risk and data analytics being done in-house with vendors accelerating them on both fronts, on helping them visualise dashboards or accelerating them from a detailed analytics point, creating the right, for example, connectors to their security tooling. It will just depend on the appetite of bringing in as well the partners in that space, but there is a requirement of people who understand security, risk, and data analytics, which can be areas that are not that much available in the industry.

For organisations thinking about this next step in their journey, what would you say for helping support them achieve this, are the key benefits of this advanced approach compared to basic risk reporting?

Philippe: So yes, the key advantage of going towards more advanced risk reporting is obviously getting more and more robust and accurate views of your risks. With data coming directly from your source tooling and decreasing the subjective assessments. Secondly, obviously you will decrease the amount of manual effort and chasing different employees and getting assessments from those different employees, and apparently you can introduce actually more robust risk quantification modelling. With more automation in place and good quality data coming in, you can actually put in a bit more complexity around the measurement approaches that you use to get more precise outputs out of them. We've seen that being done as a next step as well and that creates a more precise view of what is the spread of risk for example, which can create better conversations at the exec level.

It sounds like it will really help drive meaningful conversations and help to address the issue we talked about earlier around the difficulties of communicating risk to the C-suite.

Philippe: Yes.

Thanks, Philippe. To wrap up, it would be great to finish with, what would you say your top tips are for our listeners on how they can improve their cyber risk reporting at whatever stage they're at on this journey?

Philippe: Yes, obviously they should ultimately look at creating a journey towards a data-driven cyber risk monitoring and reporting capability. And basically, to do that, you would need to first build your building blocks to risk monitoring, including identifying your right risks, threats, key controls, metrics and the relevant projects that tie back to those areas. Build a dashboard, and then go on a journey to finding the data from source and connecting it over time, and making it more and more robust and automated.

Outro by our host, Abigail Wilson: Thanks so much Philippe for sharing your stories and your insights; and of course, thank you to everyone listening. If you'd like to find out more about how we can help improve your cyber security, just search for PwC cyber security; and of course, please subscribe to keep up to date with our latest episodes of this podcast. Thanks everyone, see you next time!