Cybersecurity: A new world for Risk Managers?
Risk Managers who, historically, have not had to deal with information system (IS) security issues haven’t kept up to date on these subjects, which they perceive as primarily technological. This is a bit less true for those having worked in national defence, where security is part of the company’s DNA. Because, when we talk about IS security, we’re talking about the company’s IS – which is the CISO’s turf – but also the security built into the products sold to customers. We’ve also called this “Safety,” and through the propagation of internet architectures and connectivity it’s becoming a global IS security issue. Previously, Risk Managers weren’t part of this world; its concepts aren’t new, but it has become globalised in BtoB and BtoC. They need to try to understand this more specific kind of risk management. And ISS players need to change their focus from technical solutions to more global ones that include governance and all aspects of cyber security.
What role should each person play?
There are two specific kinds of expertise. The CISO is responsible for deploying a good security policy for the company’s information systems independently and with the obligation to report on his activity (e.g. if the organisation is an OIV, etc.). The Risk Manager has to ensure the company has an IS security policy. He has to ensure he has understood this policy and discussed it with the CISO. What’s more, he has to be able to model IS security risk scenarios and their consequences for his organisation. But he can’t do this without the CISO, who doesn’t always have this expertise, which requires a macro view. If a presentation needs to be made to the audit committee, or if the Risk Manager has to buy insurance, they need to work together. The CISO provides his expertise on the subject and the Risk Manager his ERM process management skills. The Risk Manager depends on the owners of the risk. He can’t do everything.
Have you seen positive developments in recent years?
Things have really changed with a general increase in awareness. LPM, the designation of OIV and other things have meant that the issue can be addressed “from above”, involving management. Of course, there’s still a lot to be done, but we’ve come a long way thanks to the Assises de la Sécurité, security solutions providers and the insurance market. We understand a lot more than we did two years ago. Things are clearer today: CISOs have security policy deployment plans that include governance, steps to be respected, budgets, etc.; and Risk Managers model scenarios trying to see if insurance capacities have to be purchased for the quality of the guarantees.
You mentioned cyber insurance. A lot of CISOs are still confused about this.
That’s often for confidentiality reasons. Working with insurance companies means revealing sensitive information to third parties. But Risk Managers, especially ones in “sovereign” groups, are used to living in complex environments. We can deal with an insurance file while maintaining a good level of confidentiality for the elements shared with trusted insurance companies. This problem didn’t appear with cyber risk, but it is more sensitive because it touches the company’s nervous system. So, you obviously have to be careful and disclose only necessary information. But ISS experts shouldn’t use this as an argument against insurance.
AMRAE will be participating in the round table “Digital safety and security: towards global security” on Wednesday 5 October at 5:00PM.