Ross McKean, Partner, DLA Piper
Ross has over 20 years’ experience advising on data protection, privacy and cybersecurity law and chairs the UK Data Protection and Cyber Response practice. He advises clients across a wide range of sectors, notably those in the financial services, defence and technology sectors.
For additional insights from Ross, tune into Episode 8 of S-RM Insider, available wherever you get your podcasts.
In this interview, Ross shares his insights on what factors influence the extent of cyber confidence among CISOs and leadership teams, and provides some guidance on how best to prioritise cyber security amid a multitude of competing strategic imperatives and market forces.
S-RM: Do you think that organisations, in general, are over- or under-confident when it comes to how well their cyber security posture mitigates the legal risks associated with a cyber-attack?
ROSS: Some organisations are probably suffering from overconfidence and some have probably got it about right. It depends in part on whether the organisation has actually suffered a cyber-attack or has institutional knowledge of it – for example, through non-executive directors or directors who have joined from other businesses which have gone through the mill of a cyber-attack. If you have experienced a cyber-attack first hand, then you’re more likely to have a deeper understanding of the risks and the types of controls that you need to have in place to be able to make a realistic assessment of cyber risk.
Many organisations know that cyber is a challenge. It’s often reported as a top 10 or even top 5 board concern. But fewer organisations really understand the risk. Beyond being worried about cyber and knowing what the business is spending on IT controls and external third parties, many boards do not know whether they have the “right” cyber security posture for their business or indeed how to assess whether they do or not.
S-RM: And what do you think contributes to that feeling of uncertainty?
ROSS: Two things. One is complexity. It really is quite difficult to make a valid assessment of the likelihood that your organisation will be subject to a damaging cyber-attack and also the type of cyber-attack, because they come in all shapes and sizes. Some organisations get attacked all the time with phishing emails, etc. That’s not necessarily going to be an existential threat to the business, whereas a full-blown successful ransomware attack, extortion attack or data exfiltration are much more serious.
“We frequently see organisations that have been investing a lot of money in technology, but haven’t invested as much in stitching those technologies together, because it’s harder to do.”
It’s not easy to assess whether your organisation is likely to be at risk from cyber-attacks. Many take the view that if they do not process personal data or consumer data then they are unlikely to be an attractive target. Regrettably, that isn’t the case, as demonstrated by the rise of ransomware attacks which have successfully targeted all sorts of organisations.
In addition to the complexity of assessing the likelihood of your organisation being victim to an attack, assessing what controls are “right” for your organisation to defend against attacks is also complicated. That can lead to over-reliance on technology solutions and cyber insurance, as they are easier to understand than process, governance and training exercises – though these are equally, if not more, important to successfully defending against cyber-attacks.
The second point I’d make is the prevalence of background noise. There’s been a lot of that in 2020, which has been an exceptional and extraordinary year. Cyber risk is just another concern that organisations have had to add to an already very long list of risks and challenges, which means that in some cases there just isn’t necessarily the bandwidth for boards and organisations to explore in detail whether their cyber posture is optimised or not.
S-RM: Through your experience, what have you observed to be some of the most common oversights made by leadership and security teams when it comes to the way they build and maintain their cyber security programmes?
ROSS: It’s a common challenge that, because of the complexity of cyber, shiny technology and cyber insurance are often viewed as an attractive solution to a complex problem. We frequently see organisations that have been investing a lot of money in technology, but haven’t necessarily invested as much time and effort in stitching those technologies together, because it’s harder to do. Similarly, we also see organisations buy cyber insurance without really understanding whether the cover is right for their organisation. Frequently it isn’t.
Another thing that is often overlooked is the importance of training cyber response teams and making sure the organisation has got the right third parties in place (be they cyber forensics, communications consultants or law firms), and ensuring that they have rehearsed cyber response. Some organisations do this very well, particularly if they’ve been hit before, but others don’t. They have a cyber policy because they have to have one, and they pay their CISO and tech team a larger amount every year to keep them safe, and they may have appointed some external third parties to help in the event of a crisis: these are all important steps. But if you don’t actually practise stitching all of those controls and protections together (for example, in red teaming exercises, tabletop exercises and war games) then the first time you use the controls is also the first time you’re getting to know the team, and all their strengths and weaknesses. That then becomes yet another headwind to dealing successfully with a cyber-attack. It’s key to have a policy, it’s key to have all of these controls, but I would encourage organisations to practise regularly.
“Best practice is having a war game where you bring all the different stakeholders together at least once a year.”
And when you do practise, don’t do so just within silos. Many CISO teams do tabletop exercises quite regularly. It’s part of the culture now, so I’d say there’s good maturity across many sectors for red teaming and war gaming within the CISO team. What’s less common, though, is testing your response more widely and getting your lawyers involved, or your communications team and other internal and external stakeholders. Best practice is having a war game where you bring all of those different stakeholders together at least once a year. In this way, you can test how everyone works together, which means that when you have to respond to a real event, you’ve got trusted advisors around the table. You already know them, you’ve already run through the practice, and so you’ve normalised the risk.
It’s never fun as the victim of a cyber-attack, but it’s much less stressful if you’ve tested your team and controls before you have to deal with a real cyber-attack, versus trying to cobble together a team on the Sunday of a bank holiday weekend, which seems to be when it always happens.
S-RM: How would you suggest that organisations balance the need to mitigate the legal risks of a cyber-attack with the operational and financial risks of a breach? How do they prioritise?
ROSS: It’s a great question, but a really difficult one to answer because organisations operate in very competitive markets. Cyber controls are expensive, technology is expensive and cyber forensics firms are expensive. Lawyers aren’t cheap either. In other words, cyber security costs money and you’re spending money on a contingency that may never happen. So it’s not easy for CISO teams, technology teams, and chief risk officers to justify the right budget for cyber.
There isn’t an algorithm (yet) to answer the question: ‘How much should I be spending on cyber?’ But you can get some data points that might help structure your thinking around this question.
For example, peer benchmarking, i.e. looking at information about what your peer firms – particularly competitors – are spending on cyber can be helpful. It’s also very helpful to see what firms are spending after they’ve been attacked, because it will likely be a lot more than what they were spending before they were attacked. And the answer as to what you should be spending is probably between the two.
It’s difficult in these extraordinary times to get budget for what is a cost to the business. So you should look at the space between what many firms are spending as a minimum, which is where they think they can justify the spend (they’ve probably deferred some investments, they might have some old servers that are no longer in support, they may not have endpoint security because it’s expensive, they may not quite have got around to implementing multi-factor authentication), and the sums paid by those who have experienced the worst of a cyber incident.
Data on fine payments is also valuable, i.e. looking at what fines have been imposed on organisations historically. And keep in mind the emerging class action threats. Ask yourself: ‘How much could we as an organisation suffer if we’re subject to a successful cyber-attack, and then, off the back of that, a class action threat?’ Doing so will help those within CISO teams to justify a higher spend on proactive assurance.
There is no scientific answer, but hopefully this has given our readers some ideas of the data points they can use to inform the answer to the question: ‘How much should I be spending on cybersecurity?’
S-RM: As businesses grow, be it organically or through M&A, how should they adapt their cybersecurity posture accordingly? And how does their legal risk exposure change with that growth?
ROSS: As businesses grow there tends to be a lag between what they should be spending on cyber (as their cyber exposure grows) and what they do spend on cyber.
Growing internationally, or even within an existing market, is complex and expensive. And at the moment, businesses are in a very volatile, challenging market internationally. They face ongoing pressure to be first to market or to beat off the competition to acquire assets or other businesses in short order. But getting cybersecurity right takes time, and therefore organisations often don’t get it absolutely right when they are forced to rush products and services to market or rush through an acquisition to remain competitive.
I think that’s simply an economic reality, but it’s still something to be aware of, for CISOs, CROs and the C-suite more generally. Particularly so if you’re moving into sectors that are data-rich, and/or which have historically been more prone to cyber-attacks. The commercial priority will be getting into market and getting market share. Ensuring you have full cyber security won’t be the number one concern. So there is a tension, and I think that organisations just need to be alive to that tension and ensure that this lag is not too great, because it can come back to bite you. I won’t name names, but there have now been several sizeable regulatory fines imposed on both sides of the Atlantic on purchasers of businesses which turn out to have been breached due to rushed or substandard cyber due diligence. These fines, plus follow-on claims for compensation and reputational damage, can quickly turn a successful acquisition into a problem child.