Cyber Risk Meetup, sponsored by Privasec, joined forces with the Australian Trade and Investment Commission (Austrade) for the fourth edition of the gathering of security enthusiasts and professionals in Singapore on 29th May 2019.
Hosted by the Australian Government, the meetup followed the welcome reception for Cohort 8 of the “Australian Landing Pad in Singapore”, an accelerator that lets startups benefit from Austrade’s extensive global network of contacts and develop their product or service business model by exploring in-market business development, investment, mentorship and strategic partnership opportunities. It saw another record turnout to hear from a panel of experts and speakers on topics ranging from Cyber Insurance to “The Art of Speaking to the Board.”
Today’s “Cyber Security” or “Cyber Risk” is a popular go-to concept covering a wide range of dynamics in the digital era. For many, it refers to information system exploits, attacks, espionage and intelligence operations. For some, it includes design weaknesses inherent in hardware and code (software bugs). Increasingly, it is also associated with information seeking to confuse or deceive through social media.
This conflation of meanings leads to varied assumptions about the scope and implications of a cyber event; moreover, our tendency to focus on the technical aspects often leads to communication gaps with the Board.
To debunk common misconceptions and to learn to get the message right, the evening event, titled “Managing Cyber Risk”, kicked off with speakers’ views of “Cyber Risk”, including the physical aspect in the “cyber” world.
Edward Wong (Regional Director, Tech, Media & Communications, Howden Group), noted that, while Cyber Insurance could be a stand-alone product with coverage limited to “cyber” impacts (data breaches and data losses and damages), it can also be part of an embedded product suite that insures Property (tangible damages) and/or Crime (money loss), and/or Professional Indemnity and/or Directors and Officers insurance.
Highlighting the Stuxnet example, Theo Nassiokas (Director, APAC Cyber & Information Security (CISO) Barclays) emphasized that “a cyber attack can be performed without a computer and can attack devices that are not computers”. “A cyber attack need not touch a computer. Your building management system can be attacked, placing people at risk”, he added.
Dr. Magda Chelly (CISO/ MD, Responsible Cyber Pte. Ltd.) also pointed out that “visitor without passes” is a Cyber security breach. Without question, this is a security breach; however, it could lead to a “cyber” event if the unauthorized personnel carry out an illegitimate “cyber” activity – such as planting an infected USB drive into the network while on-site, or installing a rogue AP.
What about bringing Cyber Risk matters up to the Board? How do we abstract out the technology jargon, and present Cyber Security in the context that the Board care about?
“Present your cyber security measures as stages of maturity”, and “conduct benchmarking compared to peers”, advised Darren Argyle (Global Head of Information Cyber Security Officer, Standard Chartered Bank) during the panel session moderated by Shamane Tan (Executive Adviser, APAC Privasec).
“It is important to demonstrate you know the Cyber security situation of the company”, agreed Venkatesh Subramanian (Global CISO, Olam International Ltd). For example, “support your view points with independent data points, such as results from red teaming exercises, or independent assessments by external third parties”, he said.
“It is also important to emphasize there is no 100% security”, he stressed. “A breach is inevitable. Get the board used to the idea of a breach”, he added.
In addition, “know your critical assets and what you are doing to protect them”, Mr Nassiokas recommended, when asked what is important in the message to the Board.
Ultimately, “the Board do not want to overspend, nor do they want to underspend on Cyber Security”, Mr. Argyle said. Certainly, with information playing a vital and competitive role in an increasingly networked society, Cyber Security is a key consideration when we assess the modern organisation’s competitive positioning.
By Jane Lo, Singapore Correspondent, MySecurity Media