In a Roundtable Discussion, HSBC, Nokia, Amgen, Global Law Firms Agree: Security Metrics Must Align with Business Goals

December 19, 2019  Jeff B. Copeland

Financier Worldwide Magazine convened a roundtable discussion on cybersecurity that is a strong indication of what senior leadership in global companies expects from CISOs going forward. A comment from Gerald Reddig, Global Product Marketing Director, Nokia, summed up the consensus of the group: “Board members and C-suite level executives benefit from security metrics aligned with business goals that clearly show the likelihood of impacts and costs.”

Here’s a sampling of more opinions expressed, all with an underlying implication that an approach to cybersecurity risk that is business aligned, quantified in financial terms, and based on a standard, recognized model for analyzing the likelihood and impact of cyber events (like FAIR™, used in the RiskLens platform) is now the order of the day:

Matthew McCormack, SVP and CISO, GSK: 

“Companies should be using one of the many industry standard control frameworks to allow them to use a standard language to identify and quantify their risk landscape. Once that has been done, the board should accept the level of risk that they feel matches their risk appetite and balance it with the investment they are willing to make. You can never get to zero risk; it is not possible, but a well-informed board and chief executive are very valuable in your daily fight against the bad guys.”

David Navetta, Partner, Cooley, LLP:

“The best method for evaluating cyber risk is to stop viewing the problem as a technology issue, and instead treat it as a business impact issue. When viewed through a business impact lens, companies are better able to calculate the resources they need to minimize material impacts. Those responsible for data security often lack this context, and as a result may be more focused on addressing attacks rather than risk and potential impact. Unfortunately, getting to this point is difficult for companies, because the IT and security function is still very much siloed from broader business strategy. It takes specialized leadership on both the IT and the business side to bridge the gap.”

Nassos Oikonomopoulos, Head of Technology Controls, Regional Operating Model and Europe, HSBC:

“Over the years, I have encountered senior management in denial and lacking an understanding of how critical cyber risk is. Nowadays, corporate mood towards cyber has radically changed. I have yet to encounter a cyber professional working for a bank or any other organization where cyber risks are not seen as critical. Even in less regulated sectors, digital channels are very important for delivering customer value. As a consequence, boards are increasingly aware of the disruptive potential a cyber threat has for business loss and unhappy customers. Cyber professionals, more than ever before, have their executives’ full attention. The burden is now on CISOs and their teams to deliver credible mitigations, while continuing their efforts to educate stakeholders and customers on cyber risk.”

Great Gu, BISO-JAPAC, Global Information Protection, Amgen:

“Cybersecurity is now an essential topic for discussion in the boardroom, as cybersecurity posture can impact the stock price of listed companies. So, it is necessary to present the company’s cybersecurity maturity and gain the attention of board members. I am already seeing more business operators creating clear cyber policies and broadcasting them in a top-down approach. Management members that advocate these policies are making a very strong statement.”

Read more insights from the Financier Worldwide article, Cybersecurity Roundtable.