
Risk and the Corner Office

Wrestling With Cyber (In)Security: A Four-Point Plan

I confess to having spent more than a little time lately thinking about cybersecurity, but maybe not for the same reasons as most. My thoughts range from skepticism about the naiveté, ignorance or disingenuousness (depending on your perspective) expressed at some fairly high levels about how widespread and pernicious such activity is, to serious concern that the management of such risk in many places is dangerously deficient.

Having directly dealt with this issue as a CRO and a consultant, my worries are predicated on the fact that a) this is not a new series of challenges, b) a lot of smart people have spent a great deal of time and effort thinking about how to deal with the multidimensional challenges of cyber risk and c) it is growing, metastasizing and not going away.

It is hard not to raise an eyebrow when one hears comments about lack of awareness or sensitivity to cyber risk, especially from governments (or the national headquarters of major political parties) and large firms. If such activity hasn’t been near or at the top of the risk inventory for years, if it isn’t something the CEO and the CRO talk about regularly and isn’t the subject of consistent reporting to stakeholders and the board (or their equivalents), something is seriously awry.

And if you are still approaching the issue from the perspective that you can keep the barbarians from the gate, you are even further behind the eight ball.

At the beginning of the decade, those such as the U.S. Department of Defense and the Department of Homeland Security, among others, who were serious about addressing cyber risk had already moved from prevention to active management, based on the presumption that the enterprise had already been hacked or would be. This shift sounds simple, but, as with many implementation issues, it is extremely challenging to effect in practice. This is because of the multidimensional nature of the problem.

There are external as well as internal issues to managing the cyber risk problem, and unless all of these are addressed, monitored and modified simultaneously and constantly, a hole in one’s defenses is likely to occur. Real-time, three-dimensional chess is an apt analogy for what is needed to keep things under control.


A comprehensive explanation of how to address cyber risk is beyond the scope of this column; however, below is a high-level overview of the most critical ingredients that should feature in any such effort:

  1. Drain the moat and stay away from the ramparts: Trying to keep out those that would seek to do you harm is a fool’s errand at this point. Instead, as a first step, fully identify, prioritize and address the cyber aspects of your potential critical information, operational and competitive vulnerabilities.
  2. Explicitly revise your strategy and business plans in light of these findings: These threats need to be fully incorporated into your strategic deliberations and your performance and risk measurement frameworks. Everyone on the senior management team, as well as the board, needs to be fully informed about: the types of exposures that could arise; the potential implications of different kinds of breaches; how the firm manages, and plans to manage, those exposures in a multi-layered way, prioritized by reward relative to potential risk; how they should respond if and when such attacks materialize; and, as important, which specific aspects of cyber risk management they are personally responsible for and will be held accountable for managing according to the established policies and guidelines. To achieve these last two objectives, explicit appetites and tolerances for different types of cyber events need to be established, monitored and reported to management and the board, and the subject should be a standing agenda item for both.
  3. Think and act “inside out” as well as “outside in”: In most, if not all, cases—given that email and social media are the most prevalent vehicles used by hackers—your employees need to be the first line of detection and defense. Continuing education, training and periodic internal testing should be mandatory for all employees and board members. The better your staff understands the possible ways in which outsiders may try to get into your systems and the potential consequences that could ensue, the better you will be at constraining and containing potential adverse impacts.
  4. … and “bottom up” as well as “top down”: Little things are likely to matter as much as (and in some cases more than) a major systems breach. The latter is certainly going to be extremely harmful if it occurs, but unless you are woefully derelict, it is very hard to achieve. It is far easier (and the much more often employed tactic) to find a weak link, such as an employee clicking on an email containing malware, which gives the malware access to your system and the ability to migrate through it to find and extract data and information over time. This is why a comprehensive, layered system monitoring and reporting capability is critical. It is the electronic equivalent of the “If you see something, say something” approach that was developed after 9/11.

There is a great deal more that needs to be done to create a top-notch cybersecurity framework, as the devil truly is in the details. Regrettably, the almost daily headlines suggest that far too many firms, governments, and other entities have yet to achieve even this level of proficiency.

Bob Kopech

Adjunct Assistant Professor of International and Public Affairs, Columbia University and former Vice President and Group Chief Risk Officer, World Bank

Bob Kopech is an adjunct assistant professor of International and Public Affairs at Columbia University. He previously served as vice president and group chief risk officer at the World Bank. Before joining the World Bank he spent 16 years with Oliver Wyman, where he was a vice chairman and managing director and a lead developer of the Corporate Risk Practice. He also founded and led, for ten years, the firm’s Global Emerging Markets Practice. Prior to that, he spent 19 years at J.P. Morgan in a variety of senior positions in Emerging Markets ranging from portfolio management to sovereign debt trading to corporate finance and risk management. He can be reached at: rikopech@gmail.com
