Cybersecurity | Key Questions All Executives Should Now Be Asking Their Cyber Security Experts
Dr. Evangelo Damigos; PhD | Head of Digital Futures Research Desk
- Competitive Differentiation
- Emerging Technologies
- Digital Transformation
Publication | Update: Sep 2020
A good Chief Information Security Officer (CISO) is concerned with risk, and specifically with realising the risk appetite of the business through education, processes and the appropriate technology to support it. Understanding these risks and planning to mitigate them is the responsibility of the whole executive team, not just the CISO and their cyber security team.
With that in mind Kersty Bletso, Savannah Group Partner, Interim Management, Technology, Digital & Innovation Practice, spoke to a number of leading CISOs about the questions the executive team should be asking of their in-house Cyber Security experts. Here is a summary of the ideas discussed.
What should business leaders be concerned about regarding security at the moment?
- Do I know the key security risks affecting my organisation at present so that I can prioritise spend, effort and resources accordingly?
- Do I understand what our “crown jewels” are? Where are they? What would happen if they came under threat? Are they safe? How do I know they are safe?
Not every risk needs to be mitigated, but every risk should be identified, documented and managed. The executive team needs to work collaboratively to identify potential, actual and residual risks and to be able to explain their impact on the business. Whether to mitigate, accept or manage each risk is then a discussion around spend, resources and effort. The advantage of this process is that it also helps to identify and derive cost efficiencies.
Executives should aim “not to have a false sense of security but to be able to sleep soundly having knowledge of the organisation’s security position at any point in time.”
What are the biggest mistakes that business leaders make regarding security?
- Don’t regard security as a side arm of technology and make it the sole responsibility of the CIO/CTO.
- Don’t place security under the purview of the CIO/CTO, as it reduces the effectiveness of the role and the ability of the CISO to understand and consider risk not solely from an IT perspective but with an enterprise-wide lens.
It is now considered old school thinking for security to be categorised as an arm of technology. Nor is it considered prudent to throw technological solutions at the problem of cybersecurity simply because the executive team aren’t confident in discussing it.
If the right place for security to sit is under the CIO or CTO, it begs the question why there is a continued upward trend in the number of security breaches globally if there are so many tech solutions available and being implemented.
CIOs already have a huge agenda delivering innovation, technology modernisation and the broader tech strategy, as well as trying to reduce cost AND create new products or services that will generate revenue. There is a reason why building regulations inspectors don’t erect buildings and gas and electricity inspectors don’t install gas and electricity. One body implements and the other body provides assurance.
There are further risks on the horizon as organisations begin bringing people back from furlough while looking at temporary cost reductions to survive. With security and technology budgets folded together there is a risk that investment in security will be reduced as part of broader cost cutting measures. Cyber criminals will be waiting for this to happen and there will be a greater chance of a serious breach happening.
What three questions should you be asking your CISO that you probably aren’t? And what answers should you be expecting to hear back?
1. Do we know where our assets are? Where our data is, who has access to it, and who is sharing it?
CISOs must provide assurance that asset management is being implemented so that the organisation’s most vulnerable assets can be identified quickly. Across the organisation, teams must be able to build and maintain their asset registers, identifying asset owners and ensuring there are appropriate levels of security management for all data from its creation to its destruction. They should have started to implement classification and handling of information so that everyone understands what they need to do to protect it. They should also be agreeing a new data sharing policy, data security standards and controls that allow you to manage data security and ensure the organisation is able to meet its compliance and regulatory obligations. Finally, via an awareness and training programme, they should be highlighting the management of areas such as phishing attacks and sharing the outcomes and measurements that evidence the embedding of training into your ways of working.
2. What top security risks (top 5 risks) have currently been open and/or pending for over 4 weeks? What is the biggest impact to the business at this time?
Typical top risks are a lack of asset management, poor patch management execution, and low levels of supply chain risk management and incident response and management. There should also be reporting on the assignment of appropriate risk owners (most likely an executive) for the mitigation of each risk.
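The report behind question 2, as an added illustration that is not part of the original article: a constructed risk register is filtered to risks still open or pending for more than 4 weeks, ranked by impact times likelihood, cut to the top 5, and any risk without an executive owner is flagged. The register entries, the score formula and the set of executive titles are assumptions for the example.

```python
"""Constructed 'top 5 risks open over 4 weeks' report (example, not the article's own tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

OPEN_THRESHOLD = timedelta(weeks=4)          # the article's 4-week question
EXECUTIVE_TITLES = {"CEO", "CFO", "COO", "CIO", "CISO", "CTO"}  # assumed executive owners


@dataclass
class Risk:
    ref: str
    title: str
    opened: date
    status: str            # "open", "pending" or "closed"
    impact: int            # 1 (low) .. 5 (critical), assumed scale
    likelihood: int        # 1 .. 5, assumed scale
    owner: Optional[str]   # job title of the risk owner, None if unassigned

    def score(self) -> int:
        return self.impact * self.likelihood


def overdue_risks(register: List[Risk], today: date, top_n: int = 5) -> List[Risk]:
    """Highest-scoring risks still open/pending for longer than OPEN_THRESHOLD; ties broken by age."""
    live = [r for r in register if r.status in ("open", "pending") and today - r.opened > OPEN_THRESHOLD]
    live.sort(key=lambda r: (r.score(), today - r.opened), reverse=True)
    return live[:top_n]


def unowned_or_non_executive(risks: List[Risk]) -> List[str]:
    """Refs of risks with no owner, or an owner who is not an executive (the article expects one)."""
    return [r.ref for r in risks if r.owner is None or r.owner not in EXECUTIVE_TITLES]


def report(register: List[Risk], today: date) -> str:
    top = overdue_risks(register, today)
    lines = [f"Top {len(top)} risks open > {OPEN_THRESHOLD.days // 7} weeks as of {today}:"]
    for r in top:
        lines.append(f"  {r.ref} {r.title}: score {r.score()}, {(today - r.opened).days} days, "
                     f"owner={r.owner or 'UNASSIGNED'}")
    flagged = unowned_or_non_executive(top)
    if flagged:
        lines.append("Needs executive owner: " + ", ".join(flagged))
    return "\n".join(lines)


# Constructed sample register: entries echo the risk types the article lists.
TODAY = date(2020, 9, 30)
REGISTER = [
    Risk("R-01", "No authoritative asset register", date(2020, 6, 1), "open", 5, 4, "CISO"),
    Risk("R-02", "Critical patches applied late", date(2020, 8, 20), "open", 4, 4, None),
    Risk("R-03", "Suppliers not security-assessed", date(2020, 7, 15), "pending", 4, 3, "Head of Procurement"),
    Risk("R-04", "Incident response plan untested", date(2020, 5, 10), "open", 5, 3, "CIO"),
    Risk("R-05", "Unpatched remote access appliance", date(2020, 9, 20), "open", 5, 5, "CTO"),  # too recent
    Risk("R-06", "Phishing training incomplete", date(2020, 4, 1), "closed", 3, 3, "CISO"),  # closed
    Risk("R-07", "Shared admin credentials", date(2020, 8, 1), "open", 4, 2, "CISO"),
]
```

Calling `print(report(REGISTER, TODAY))` lists R-01, R-02, R-04, R-03 and R-07 in that order and flags R-02 (unassigned) and R-03 (non-executive owner).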
3. How can we illustrate and/or evidence confidence in our cyber defences?
Cyber security is most effective when supported by all pillars of security, namely information, technology, physical and personnel. Your organisation should have created a framework to provide proactive as opposed to reactive defences. The framework should bring together the best technologies in security information and event management (SIEM) and have brought on board strong analytical and incident response management capabilities. This, coupled with security risk management activities and a strong focus on managing supply chain risk, will heighten confidence in this area at this time.
Kersty Bletso, Savannah Group Partner, Interim Management, Technology, Digital & Innovation Practice, is highly experienced and well connected within the Digital and Technology community. She works across Private Equity, the FTSE, Fortune 500, AIM, TSX and SMEs globally. She is an advocate for Diversity and Inclusion within Technology and for helping organisations bring digitally savvy NEDs onto their boards.
Objectives and Study Scope
This study has assimilated knowledge and insight from business and subject-matter experts and from a broad spectrum of market initiatives. Building on this research, the objectives of this market research report are to provide actionable intelligence on opportunities alongside the market size of various segments, as well as fact-based information on the key factors influencing the market: growth drivers, industry-specific challenges and other critical issues, in terms of detailed analysis and impact.
The report in its entirety provides a comprehensive overview of the current global condition, as well as notable opportunities and challenges.
The analysis reflects market size, latest trends, growth drivers, threats, opportunities, as well as key market segments. The study addresses market dynamics in several geographic segments along with market analysis for the current market environment and future scenario over the forecast period.
The report also segments the market into various categories based on the product, end user, application, type, and region.
The report also studies various growth drivers and restraints impacting the market, plus a comprehensive market and vendor landscape in addition to a SWOT analysis of the key players. This analysis also examines the competitive landscape within each market. Market factors are assessed by examining barriers to entry and market opportunities. Strategies adopted by key players including recent developments, new product launches, merger and acquisitions, and other insightful updates are provided.
Research Process & Methodology
We leverage extensive primary research, our contact database, knowledge of companies and industry relationships, patent and academic journal searches, and institute and university associate links to build strong visibility into the markets and technologies we cover.
We draw on available data sources and methods to profile developments. We use computerised data mining methods and analytical techniques, including cluster and regression modelling, to identify patterns from publicly available online information on enterprise web sites.
Historical, qualitative and quantitative information is obtained principally from confidential and proprietary sources, professional networks, annual reports, investor relations presentations and expert interviews, covering key factors such as recent trends in industry performance and the factors underlying those trends: the drivers, restraints, opportunities and challenges influencing the growth of the market on both the supply and demand sides.
In addition to our own desk research, various secondary sources, such as Hoovers, Dun & Bradstreet, Bloomberg BusinessWeek and Statista, are consulted to identify key players in the industry, the supply chain and market size, percentage shares, splits, and breakdowns into segments and subsegments with respect to individual growth trends, prospects, and contribution to the total market.
Research Portfolio Sources:
Global Business Reviews, Research Papers, Commentary & Strategy Reports
M&A and Risk Management | Regulation
The future outlook (“forecast”) is based on a set of statistical methods such as regression analysis, industry-specific drivers and analyst evaluations, together with analysis of the trends that influence economic outcomes and business decision making.
The Global Economic Model covers the political environment, the macroeconomic environment, market opportunities, policy towards free enterprise and competition, policy towards foreign investment, foreign trade and exchange controls, taxes, financing, the labour market and infrastructure. We aim to update our market forecast to include the latest market developments and trends.
A review of independent forecasts for the main macroeconomic variables by the following organizations provides a holistic overview of the range of alternative opinions:
As a result, the reported forecasts derive from different forecasters and may not represent the view of any one forecaster over the whole of the forecast period. These projections provide an indication of what is, in our view, most likely to happen, not what will definitely happen.
Short- and medium-term forecasts are based on a “demand-side” forecasting framework, under the assumption that supply adjusts to meet demand either directly through changes in output or through the depletion of inventories.
Long-term projections rely on a supply-side framework, in which output is determined by the availability of labour and capital equipment and the growth in productivity.
Long-term growth prospects are impacted by factors including workforce capabilities, the openness of the economy to trade, the legal framework, fiscal policy and the degree of government regulation.
Direct contribution to GDP
The method for calculating the direct contribution of an industry to GDP is to measure its ‘gross value added’ (GVA); that is, to calculate the difference between the industry’s total pre-tax revenue and its total bought-in costs (costs excluding wages and salaries).
Forecasts of GDP growth: GDP = CN+IN+GS+NEX
GDP growth estimates take into account:
All relevant markets are quantified utilizing revenue figures for the forecast period. The Compound Annual Growth Rate (CAGR) within each segment is used to measure growth and to extrapolate data when figures are not publicly available.
Our market segments reflect major categories and subcategories of the global market, followed by an analysis of statistical data covering national spending and international trade relations and patterns. Market values reflect revenues paid by the final customer / end user to vendors and service providers either directly or through distribution channels, excluding VAT. Local currencies are converted to USD using the yearly average exchange rates of local currencies to the USD for the respective year as provided by the IMF World Economic Outlook Database.
Industry Life Cycle Market Phase
Market phase is determined using factors in the Industry Life Cycle model. The adapted market phase definitions are as follows:
The Global Economic Model
The Global Economic Model brings together macroeconomic and sectoral forecasts for quantifying the key relationships.
The model is a hybrid statistical model that uses macroeconomic variables and inter-industry linkages to forecast sectoral output. The model is used to forecast not just output, but prices, wages, employment and investment. The principal variables driving the industry model are the components of final demand, which directly or indirectly determine the demand facing each industry. However, other macroeconomic assumptions — in particular exchange rates, as well as world commodity prices — also enter into the equation, as well as other industry specific factors that have been or are expected to impact.
Forecasts of GDP growth per capita based on these factors can then be combined with demographic projections to give forecasts for overall GDP growth.
Wherever possible, publicly available data from official sources are used for the latest available year. Qualitative indicators are normalised on the basis of Normalised x = (x - Min(x)) / (Max(x) - Min(x)), where Min(x) and Max(x) are the lowest and highest values for any given indicator respectively, and then aggregated across categories to enable an overall comparison. The normalised value is then transformed into a positive number on a scale of 0 to 100. The weighting assigned to each indicator can be changed to reflect different assumptions about their relative importance.
The principal explanatory variable in each industry’s output equation is the Total Demand variable, encompassing exogenous macroeconomic assumptions, consumer spending and investment, and intermediate demand for goods and services by sectors of the economy for use as inputs in the production of their own goods and services.
Elasticity measures the response of one economic variable to a change in another economic variable, whether the good or service is demanded as an input into a final product or is itself the final product, and provides insight into the proportional impact of different economic actions and policy decisions.
Demand elasticities measure the change in the quantity demanded of a particular good or service as a result of changes to other economic variables, such as its own price, the price of competing or complementary goods and services, income levels and taxes.
Demand elasticities can be influenced by several factors. Each of these factors, along with the specific characteristics of the product, interacts to determine the overall responsiveness of demand to changes in prices and incomes.
The individual characteristics of a good or service will have an impact, but there are also a number of general factors that typically affect the sensitivity of demand:
- Availability of substitutes: elasticity is typically higher the greater the number of available substitutes, as consumers can easily switch between products.
- Degree of necessity: luxury products and habit-forming ones typically have a higher elasticity.
- Proportion of the budget consumed by the item: products that consume a large portion of the consumer’s budget tend to have greater elasticity.
- Time horizon: elasticities tend to be greater over the long run because consumers have more time to adjust their behaviour.
- Finally, if the product or service is an input into a final product, its price elasticity will depend on the price elasticity of the final product, its cost share in production costs, and the availability of substitutes for that good or service.
Prices are also forecast using an input-output framework. Input costs have two components: labour costs are driven by wages, while intermediate costs are computed as an input-output weighted aggregate of input sectors’ prices. Employment is a function of output and real sectoral wages, which are forecast as a function of whole-economy wage growth. Investment is forecast as a function of output and aggregate business investment.