Cyber Risk Management in the Digital Age


An article by Martin Tang, Chairman of the IRM Switzerland Regional Group

On 18 June 2019, the Institute of Risk Management Switzerland Regional Group hosted an event on “Cyber Risk Management in the Digital Age. At the Brasserie Lipp, next to Zurich’s Bahnhofstrasse.

The meeting was made possible thanks to a headline platinum sponsorship by NTT Security, the “Security Center of Excellence” of the NTT Group, one of the largest global Information & Communications Technology companies. NTT Security operates 10 security & operations centres, seven R&D centres, has over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents. It also invented the emoji.

Martin Tang welcomed members, guests and moderated the evening.

Apac6

The first keynote was Kai Grunwitz, Senior Vice President EMEA of NTT Security.
Kai is a leading cyber security expert and influencer and is in the top 10 global cybersecurity thought leaders @ Thinkers 360. He is a regular keynote at leading events for example the Gartner Summit and hosts his own conferences in Frankfurt and London. He frequently appears on television such as Switzerland’s SRF 1 show Eco Wirtschaftsmagazin PLAY >. Kai Grunwitz’s keynote topic was: “The battle for Digital Survival”.

Apac3

The 2nd keynote was Jean Paul Koelbl, Principal Consultant @ NTT Security, Switzerland. Jean Paul’s keynote was “Self-Sovereign Identities- the new business enabler”.

The keynote speeches were followed by a lively panel discussion and Zsuzsanna Kunszt, Head of Legal at AXA XL, as a panelist on GDPR and Martin Tang, as a panelist on cybersecurity awareness and risk culture. 

APAC1

 

The key takeaways from Kai Grunwitz’s keynote on “The battle for Digital Survival” were:

  1. There are two components to digital transformation: technology and society. Everything depends on trust, which we need to build with holistic cybersecurity as the cornerstone, protecting both people and data. At NTT Security, we often see too much emphasis on technology and too little on society and people, when it comes to digital transformation projects. “Society 5.0” addresses this imbalance.

  2. Too often companies are eager to support the ransomware business model, by paying out ransom money when hacked. A recent survey shows that in Switzerland 40% of companies are ready to pay ransoms. We instead recommend investing in cybersecurity to guard against breaches. This begins with formulating a cybersecurity strategy and introducing and continuously maintaining strong cybersecurity measures, both technical and operational e.g. patching, backup etc.

  3. Cyber risk awareness, effective training programs for employees and a strong cyber risk culture are critical success factors for cyber defence and cybersecurity. Too often we see awareness training programs performed for compliance reasons only. Instead, the training programs need to focus on changing the employee cyber risk culture. To move them to a place where they become cyber risk aware for the right reasons, to protect the company they work for, to protect their jobs and families. Gamification is an integral part of class-leading cybersecurity awareness programs.

  4. Artificial intelligence (AI) and machine learning (ML) play a very important role in data/ information storage and development. However, AI/ML based software protections working with algorithms cannot be relied on alone to provide strong cybersecurity. Strong AI/ML is only as good as the data that is fed into it and the algorithms used. This data must necessarily be of the highest quality to produce quality results. Too often poor data hinders AI/ML. Oftentimes, AI/ML identify only certain types of threats; indeed, sometimes they identify too many threats, which cannot then provide intelligent threat management information nor effective cyber risk management learnings and action steps. We recommend you focus on high data quality and combine AI/ML with deep cybersecurity team insight for optimal cyber security.

  5. The role of the Chief Information Security Officer (CISO) is evolving. Every company needs to establish the right CISO profile to match its particular business requirements as well as its cyber risk exposure and cybersecurity maturity. The objective for every CISO is ideally to become a partner to help the business to attain its objectives. If the business decides on digital transformation, then rather than being perceived as a potential inhibitor of the digital transformation, the CISO’s clear objective must be to enable the digital transformation.

  6. GDPR is a success story. We have created something very important for Europe and the rest of the world.

Here are the key takeaways from Jean Paul Koelbl’s keynote on “Self-Sovereign Identities- the new business enabler”.

  1. There is an ever-growing risk of identity fraud when implementing a central B2C or B2B identity access management. This risk can be mitigated with secure authentication services, identity assurance services, by monitoring compromised usernames and with network reputation services.

  2. With federation of identities, there needs to be continuous risk management of the identity provider. Secure authentication services and identity assurance services come into play here too.

  3. At this time, self-sovereign identities has been a very successful tool in managing the risk of identity fraud, by establishing decentralized identities and relying on strong key management (trusted computing platforms).

  4. Self-sovereign identities enables new business models and allows for true digitisation of the full value chain B2B2C M2M.

  5. Google, IBM, Microsoft, Gemalto, RSA, Mastercard, NEC, VISA are actively developing standards, tools and software to secure identities. According to Gartner, broad implementation is expected to begin by 2020.

Key takeaways from the panel discussion were:

  1. Assume breach. Hackers will always find a way in and naturally will seek the easiest way in. It is much easier to hack in via a target company’s third-party supplier, so it is imperative for companies to introduce and require of their suppliers the highest standards of cybersecurity. Hackers will always be faster, not slower.

  2. At the heart of cybersecurity are awareness, effective employee training programs and a baked-in risk culture of cybersecurity. 90% of all cyber attacks originate from a spear-phishing e-mail, so you can do much to make your company cybersecure if you can get this huge building block right. It is critical to re-train your employees from being the first line of attack to the first line of defence. Reject compliance-based cyber awareness training in favor of risk culture-based awareness training, where employees learn that through their daily cybersecure actions and responses, they can protect the companies which they work for, their jobs and the jobs of their co-workers and their families, whom they raise and support with their jobs.

  3. There is no absolute standard of cybersecurity. The best objective for CISO’s and CRO’s is to work towards a best practice standard in all areas of cybersecurity. Criminals and nation states are organised like large corporate companies and themselves work to best practice standards as their objective is to get in to your network. They are continuously looking for ways to hack in. Best practice standards ensure high levels of cybersecurity and better job security for CISO’s and CRO’s. In the UK, the average job tenure of a CISO in the UK is 22 months, which speaks volumes to the need to set higher standards of practice.

  4. Cyber hygiene is crucial, “Patch, patch and patch”. Backup and restore, keep 1 copy offline. Limit and manage administrative privileges.

  5. Deception is a useful tool, being used by 10% of market.

The winner of our tombola prize was Anne-Marie Schramm of Roche, who received a fine bottle of claret. Congrats Anne-Marie!

Martin Tang thanked Kai Grunwitz for NTT’s sponsorship and for the deep insights gained from the keynote presentations. Martin said “For the last 2 years I have attended Kai’s Information Security World conference in Frankfurt. This attracts over 600 participants and has 5 simultaneous sessions running for 2 full days. I am impressed by the high quality of keynotes and the depth of NTT Group’s services. It comes as no surprise to me that NTT Group is in the top 5 IT services providers globally and that 80% of the Fortune Global 100 large corporates choose NTT Group.”

 Apac5

Kai Grunwitz responded “The dynamics of digital transformation require not only a mature risk awareness but also continuous development of cyber risk training and programs. The Institute of Risk Management plays a key role in providing employees with the necessary risk management and digital risk management training and tools to help the companies they work for on their journey to a secure and risk aware digital transformation. Risk management and cybersecurity are essential pillars for the future success of companies and the digital survival of our society.”

After the meeting, members and guests transferred to the Jules Verne Panorama Bar to enjoy cocktails and canapés, on a wonderful summer’s evening, with delightful 11th floor views over the rooftops of Zurich.

Thanks again to our headline platinum sponsor NTT Security for making this event possible, thanks to our keynotes and panelists and to our members and guests for their challenging panel questions and active participation.

 Apac8

Access video coverage of Kai here.

Click on this link for more information about IRM Switzerland Regional Group