Making the case for responsive IT Security to Management
Last week I had an insightful exchange with leading IT Risk practitioners from Zurich Insurance Group, Boehringer Ingelheim, AGRICOOLTUR S.p.A, SEBA Bank AG and Just Eat Takeaway about moving from "Vulnerability to IT Resilience".
The excerpt above is a moment in the discussion, where Slava Fadyushin from Just Eat Takeaway asked the group for ways to make a cogent case for investing in responsive & resilient IT Security to management by stating:
"I would be happy to hear any other ideas how to better demonstrate value to the stakeholders...when you analyse risk and maybe the risk event doesn't happen."
I listened back to the recording of the webinar a few times and drew out some illuminating suggestions from the panellists for gaining management buy-in.
Interestingly, a few of Slava's comments themselves help make the case for responsive IT Security to management.
Mapped and quantified consequences of inaction
Several of the panellists mentioned that "knowing your environment" by mapping critical systems, third-parties and processes is key for dealing with the evolving threat landscape to address incidents with adequate response plans.
Frederic Virmont, Information Protection and Security Officer at the pharmaceutical company Boehringer Ingelheim, went a step further by stressing that attacks have to be expected and prepared for with a keen focus on recovery, because of how critical their products are for society.
The first- and second-order consequences of IT disruptions (e.g. impact on patients, reputational damage, remediation costs and increased insurance premiums) are significant in the pharmaceutical industry. Focusing only on the likelihood of an incident, and not on its expected full impact, therefore understates the wide ramifications of incidents that disrupt operations and ultimately affect the bottom line.
Slava raised that "one of the challenges is involving (boards) in risk management"; this could be overcome by showing how key metrics, processes and board agenda items are affected by inadequate IT Security (e.g. lower revenue throughput, incident resolution costs, product launch or M&A delays).
Following that, Nick Bruno, the CISO of SAI360, outlined how inefficient IT Risk Management (ITRM) personally disrupts management, because they have to approve the execution of Business Continuity Plans at inopportune moments and/or unsocial hours when incidents occur.
Cogently mapping how sound ITRM protects the bottom line, as well as prevents operational and personal disruption, would be a way to make responsive IT Security tangible to management.
Validated Assurance for Management
During the introduction, Marco Bachmann, IT Audit Director at Zurich Insurance Group, mentioned that he is responsible for audit risk assessments, planning and execution across the global footprint of Zurich Insurance. Crucially, Marco stated that his board of senior executives relies on his third-line activities to validate the robustness of their control environment.
In addition to the internal audit requirements, several regulations require boards to sign off on the effectiveness of risk and control frameworks, such as Article 5(2) of EU DORA and the proposed revisions to the UK Corporate Governance Code.
Being able to provide senior management executives with ICT framework assurance calls for an investment in GRC technology that optimises the underlying processes and aggregates data for reporting. Platforms like SAI360 with IT Risk Management (ITRM) capabilities support management assurance through, among other things:
- a group-wide overview of the IT risk & control posture,
- insight into the linked decisioning with an audit trail,
- consistent assessment/task completion through automation,
- role/rule-based workflows across all lines of defence,
- steady data aggregation for timely external and internal reports.
Offer a cost-effective vision for responsive IT Security
The risk practitioners made clear that the cost of resolving incidents is significant and cyber crime business models have reduced the thresholds for attacks.
In other words, no one is safe from cyber attacks, not even the local butcher, as Jeff Schiemann, Information Security Officer at SEBA Bank AG, cited in his example of SMEs being targeted. So the size of an organisation and the relative lucrativeness of an attack are no justification for ITRM inaction: cyber criminals have for some time adapted their business model to cast a wider net.
Merely raising the spectre and magnitude of threats can have a debilitating effect on the very stakeholders one is trying to galvanise into action. Thankfully, the panellists proffered a cost-effective vision and action plan for responsive IT Security, which included suggestions like:
- Seek endorsement and support from management
- Get ready for incidents and prepare for the worst
- Continuously assess risks, gaps and response coverage
- Build up threat-informed defence for pre-empting attacks
- ITRM is a team sport: involve risk stakeholders broadly and train them
As Pierlaurent Barbieri, the CFO at AGRICOOLTUR S.p.A, made clear, IT Security deficiencies affect stakeholders across the value chain, from suppliers to clients, and can set back organisations that also trade on the trust equity built up over years.
As the saying goes, trust is "hard to gain and easy to lose". With clients expecting frictionless product and service experiences, it doesn't take many disruptions to significantly impact revenue through lost client trust.
Therefore, pre-empting incidents with responsive ITRM is a more cost-effective approach to managing IT risks than dealing with the multi-layered business fallout without it.
I help organisations address GRC mandates & initiatives with technology.
Jeff Schiemann from SEBA Bank AG recommends the book "Cyber Persistence Theory: Redefining National Security in Cyberspace" by Michael P. Fischerkeller for those interested in learning more about state-actor threats: www.amazon.co.uk/Cyber-Persistence-Theory-Redefining-Cyberspace-ebook/dp/B09YHZ4X3X