European Business: Your book is called “A Leader’s Guide to Cybersecurity”. Does it mean that cybersecurity is a leader’s project only?
Thomas J. Parenty: Cybersecurity should be viewed in the same way as other corporate priorities, for which company leadership needs to both underscore the importance of the priority and set direction for accomplishing the associated objectives. These are necessary prerequisites for motivating and focusing the people throughout an organisation whose work contributes to improving a company’s cybersecurity posture.
There are specific challenges to companies and their leaders in the area of cybersecurity. They all come down to the perception that cybersecurity is too complex and difficult to understand – this is totally wrong, by the way. The problem is that leaders delegate the work to IT or cybersecurity organizations. Because of this delegation, these two important leadership requirements (emphasizing the importance and setting the direction of what the goal is) disappear. The actual direction is now set by someone other than the leader.
One of the major points our book makes is to demonstrate to corporate leaders, starting at board level and continuing through the executive team, what they need to know and understand about cybersecurity. It is actually quite simple.
European Business: What does cybersecurity mean and involve?
Thomas J. Parenty: When thinking about cybersecurity in a company, you need to keep in mind that cybersecurity by itself has absolutely no meaning. It only has meaning in the context of critical business activities that could be impacted as a result of a cyber-attack. Any cybersecurity topic has to begin and end with the risk of a cyber-attack. Companies face many types of risks, political or weather risks for example. We look at cybersecurity from a perspective of: How could a cyber-attack impact a critical business activity? A cyber risk is directly related to the company and its customers. A cyber-attack could take so much more than customer data.
Jack J. Domet: Since these critical business activities are often supported or controlled by computers, they can be subject to cyber-attack in addition to traditional risks. This is true not only of digital-only activities, such as accepting credit card payments or tracking customer relationship data, but also of activities that take place in the physical world, ranging from automobile navigation systems to setting radiation doses in cancer treatment. As CEO, you should be informed of how cyber-attacks could cause these business risks to materialize and use this perspective to decide on investments to protect your company.
"A cyber risk is directly related to the company and its customers. A cyber-attack could take so much more than customers’ data." Thomas J. Parenty
European Business: How can politicians and regulators influence cybersecurity?
Thomas J. Parenty: In terms of cybersecurity regulations, one of the first has been breach notification regulations. If a customer’s information is compromised, the company actually has to tell them. That is where things started. Afterwards, more technical requirements, such as compliance with various cybersecurity regulations, must be met. What we have noticed from looking at these regulations is: the intentions are good, but the unintended consequences often run counter to cybersecurity and actually diminish data protection efforts. In many jurisdictions, multiple government agencies are competing to impose their own regulations. We find this is particularly the case in financial services.
"As CEO, you should be informed of how cyber-attacks could cause business risks to materialize and use this perspective to decide on investments to protect your company.” Jack J. Domet
European Business: Some insurance companies offer insurance to protect companies against cybercrime. How useful is this insurance?
Jack J. Domet: The insurance market is quite similar to the regulatory environment. It can lead to moral hazard and drive behaviors that actually diminish security and increase cyber risk. The cyber insurance market is still in a period of rapid evolution, and there are several challenges that are currently playing out in the courts.
I can give one recent example: Mondelēz, the owner of Cadbury and Oreo, is currently in litigation with its insurer Zurich American Insurance Co. In the aftermath of a cyber-attack which rocked their supply chain and caused more than US$100 million in losses, Mondelēz filed a claim on its policy with Zurich American Insurance. Because the attack was attributed by the UK and US governments to Russia, Zurich has taken the position that it was an act of war and denied the claim, citing an exclusion for losses resulting from hostile action by any government. These exclusions are common, and since it is a common temptation to attribute these cyberattacks to nation states like Russia or Korea, that is a potential risk for buyers going forward.
There are fundamental structural problems in the market. One relates to the insurers’ fundamental decision to pick and choose the risks they want to cover. Cyberattacks are not like car accidents or weather risks. Cyberattacks are a relatively new risk for insurers, and the way that they affect individual companies is both unique and evolving. Unlike with traditional risks, insurers have little historical data available for underwriting cyber risks.
Thomas J. Parenty: There is another big difference regarding the types of risks. A weather risk, for example, is geographically limited; a cyberattack is not. It can spread to many different countries and companies. That makes it so difficult for insurance companies to pool and cover the risk.
Interview: Vera Gaidies | photos: Harvard Business Review Press