Balancing Risk and Challenging the Risk-averse

As General Manager ANZ at RSA Security, Antoine Le Tard is no stranger to prioritising risk. Sitting down with our Senior Analyst Peter Hind at Security Edge, the two explore the distinctions between security and risk, how to balance it, and how to challenge a risk-averse organisational culture.

Peter Hind:

Antoine, we’ve just come from a roundtable event, and you made an interesting point at that roundtable: That we’ve got to stop thinking of cyber in terms of security, and think more about it in terms of risk. Could you explain a bit of your thinking in that area?

Antoine Le Tard:

It’s a great question and great pickup in the roundtable. If you go back maybe five or six years ago, Gartner came out and said that there are four major mega-trends that are shaping the industry in the world in which we live. Those were cloud, mobile, social, and big data. And the implications of those mega-trends and organisations is the way in which they manage security; meant that the perimeter that they traditionally held the crown jewels behind, was slowly dissolving. And if you fast-forward to where we are today, the perimeter is all but dead.

Social media channels, cloud channels, your third-party networks, the hyper-connectivity of the networks that people are connecting over, means that the controls that you had in place to protect your environment in the first place, no longer work.”

We need to move away from the conversation around cybersecurity. Because security also got a bad name. Security in the sense of five, ten years ago was: ”We need to stop you from doing things that we can protect ourselves from other people trying to get what we’ve got.” Whereas, when you look at the world in which we operate today, the conversation needs to move more to a risk-based conversation. And the reason why I say risk-based conversation, is because we’re talking with business people, business leaders, people that are transforming the way in which they take advantage of market opportunities. And if we’re talking to them at a technology level, they’re not going to understand what it is we’re saying. And so, as industry professionals, we need to start transforming our language into the language of the business. And we know for a fact that the business understands the language of risk. And so if we can bridge the gap between what technology is telling us, the risk of it being introduced into our environment, and how that risk is going to manifest as an impact to the business, the business will understand that conversation far better than it would do the cyber conversation.

Peter Hind:

What I find interesting about this sort of phraseology, is that risk implies a balanced decision, you have a choice in risk. You could go parachuting, you could go surfing but you can decide whether you want to make that or not. Security in some ways implies imprisonment or something like that. Is that a way of getting the business to start recognising that they’ve got to think about the balance of risk? They’ve got to say ”Yes, that’s a decision we’re prepared to take or no, we shouldn’t take that decision.”

Antoine Le Tard:

Absolutely. A great pickup on the security controls.

Control is quite binary, it’s a yes or a no kind of answer, whereas risk is a lot more complicated than that.”

There are a number of factors that contribute to an organisation making a decision as to whether or not they would like to do something. More often than not, it is “I’m not going to do it because it’s going to introduce too much risk” or “Yes, I’m going to do it because the upside of doing it far supersedes the risk that I’m prepared to take.”

As organisations start to think about the digital transformation, and taking advantage of new technological landscapes, and the advent of 5G, and IoT, and artificial intelligence, they have to start thinking differently about the risk that they’re prepared to take, and how they quantify them. Whether or not the risk that they’re introducing to the business is a risk that they’re prepared to accept, and whether or not that matches the risk tolerance of a business. As an example, an aviation company may have a completely different risk tolerance to a fast-food company. And so, moving into the digital landscape as a fast-food chain is less risky to the viability that organisation, as to an airline industry moving into say, IoT, as an example, and the potential likelihood of something like a jumbo jet being hacked, as an example.

Peter Hind:

Well, it’s interesting because what the speaker said today was that we all have to be in a digital world, we will have to be on a technology treadmill. We have to constantly keep refreshing our technology, embracing new technologies, because if we don’t, competitors will get a headstart on us. But he also made the telling point that actually the vulnerabilities in the new products that we’re introducing, are going to be discovered by the bad forces, ahead of the good guys, because they’re looking for where they can break it into, but we’re not approaching it from that sort of perspective. So there’s an element of what you’re saying is we’ve got to be prepared to be playing catch-up, and we’ve got to be prepared to try things, and be aware of the consequences.

Antoine Le Tard:

We always have to be bold in the decisions that we’re making if we want to take advantage of new technological advancements and also be first movers into markets.

What we have to do as an industry is help organisations enterprise in federal governments to use the phrase ‘See around corners.’ So anticipate the risks that may eventuate through a decision or a change that they’re introducing to the organisation.”

I was having an interesting conversation at RSA conference earlier in the year with an electricity provider, and they were talking about the advent and the rise of Tesla and the demand that that’s going to create on the electrical grid. What they hadn’t quite considered was that every electrical point that they put on the network is another vector or a tack for somebody to get into the network. And so that conversation opened up a whole raft of other conversations around what risks would that introduce into their environment if they were to roll out these electrical charge points across the country.

Peter Hind:

You made the point in some ways that risk is often associated with the culture of the organisation, and its willingness to take the risk. And the culture is often formulated at the top of the business, by the CEOs and the board members, and stuff like that, and the point made at this roundtable was actually, “You’ve got to try and penetrate that area to get their thinking spread down to others in the business.” Is that your experience?

Antoine Le Tard:

So I’m a huge supporter of trying to set at the top. If the C-suite and the board members are talking about risk, positive risk-taking, positive risk notification, that culture spreads throughout the organisation. And what we need to start seeing is a move away from vilifying people who are raising risks in the organisation, and rather celebrating it.

We heard earlier in the year from Dr Giovanni Ferrero about creating risk champions in the team, so that the risk champions were sharing the known risks of vulnerabilities with engineers that were actually building rocket ships to put people on the moon. And there was no retribution for raising any risk because you knew that there were lives on the line for it.

Culturally we need to move from risk being a negative we can’t do that because to a yes, we can take the necessary and appropriate risks if we address the risks in an appropriate manner.”

Peter Hind:

But you’re also saying there is a need to surface those risks, so people are conscious that that risk exists within the organisation. Something like getting this on a risk register, or something like that.

Antoine Le Tard:

The biggest challenge that we’ve seen over recent months is organisations have a number of risk tools, they have a number of risk reporting regimes, every organisation that I’ve come across works in a various number of silos and business functions. And naturally what that’s doing is almost encasing risk in a box, or in a vertical within the business, rather than surfacing up and distilling it down at an executive level. And so if organisations can find a way to integrate risk management toolsets, risk management processes, risk management frameworks, into common set of tools, that then distil up at the executive level. So the executives have a full end-to-end holistic view of all risks that exist in the organisation. So that they can take necessary action on the risks that mean the most to the respective business, or the respective circles of their service.

Peter Hind:

Risk is usually managed in a business through a sort of governance, risk compliance type part of a business unit. Do you think there’s an argument to be said for moving CISO type cybersecurity away from the IT department, and into a more general risk division within the organisation?

Antoine Le Tard:

That’s an interesting question, and information security is a very specialised domain. As is the risk and your associative domain. The chief information security officer absolutely has a place in the organisation, and that place is somewhere elevated, at the C-suite, and quite possibly as a peer to the Chief Risk Officer, as opposed to part of the organisation.

Peter Hind:

How do you think you measure the success of what you invest and spend on cybersecurity?

Antoine Le Tard:

It ultimately comes down to: Are you investing in the right areas of the business? What are the areas in the business that matter the most in terms of your growth and protecting corporate assets, whether that be personally identifiable information, or research and development, or some of the organisation’s trade secrets? And where that investment is going into, is it reducing the risk to the appropriate level of tolerance that you’re prepared to accept

There are great tools that have entered the market around risk quantification, that they’re giving organisations the ability to assess investment into either infrastructure and risk management programmes, and the representative risk reduction that it’s introducing into the organisation.