Theo Nassiokas: How exactly can a CIO mitigate Cyber Risk? – Highlights
What you need to know
- Cyber risk is the risk of business disruption due to technology, telecommunications, or utility failure causing a loss of service or data.
- Cyber-attacks don’t always require a computer. It’s possible to use another device or to attack something else, such as an electricity network, during a cyber-attack.
- Cybersecurity and cyber resilience are two different things.
- Companies need to set up a cyber insurance plan to cover the cost of reacting to a major event, or to cover exposures that are otherwise not covered.
- Cyber insurance considerations need to be closely interwoven into the crisis management plan.
At ADAPT’s CIO Edge, Theo Nassiokas, a technology-risk and regulatory-focused security leader with 20 years of professional experience in cybersecurity, examined the basics of cyber risk.
Nassiokas defined the three elements of a cyber-attack: threats, actors and delivery methods. Threats are the most common ways in which attacks occur. Delivery methods are the means through which an attack is carried out. Actors are the people who perform the attack, and they have a variety of motives.
To explain cyber risk to managers and the C-suite, Nassiokas proposed finding a way to quantify it through the 4-step Scenario Based Op Risk Quantification approach.
The methodology he introduced consists of four workshops. The first workshop is about understanding what is technically possible. In the second, operational employees estimate how long the company can keep operating with an automated service down. The third step is determining how such an outage would financially impact the company. Finally, operational risk quants make sense of that information and determine the likelihood and impact of a possible attack.
Nassiokas explained the difference between cybersecurity and cyber resilience: cybersecurity is about prevention and cyber resilience is about the reaction to an attack and its impact on the business. He also introduced the need for cyber insurance.
“There are risks you want to accept, risks you want to transfer, and risks you want to mitigate,” Nassiokas said.
This is part of the keynote Theo Nassiokas delivered at CIO Edge. Only ADAPT Research and Advisory clients can access the full video; become one today.