In a speech at the Commonwealth Club of California in San Francisco, Casserley set out an integrated plan for building cyber security, urging organisations in the public, private and social sectors to adopt this proposal as a package, rather than relying on a subset of actions in response to growing cyber threats.
“We are in the middle of an extraordinary technological revolution in the way we live and do business,” said Casserley. “Alongside the amazing cyber opportunity, there are substantial risks. By bringing together technological solutions, by influencing human behaviour, and by developing the insurance market, we can distribute cyber risk in order to enjoy the potential of a connected future.”
In his remarks, Casserley compared cyber risk management with the integrated response to fire that emerged following rapid urbanisation and the development of cities. He argued that capturing the massive benefits of urban living required a joined-up response to fire: measures including the creation of fire brigades, new building materials and codes, fire prevention education, and a move away from open fires for heating. Casserley argued that none of these (and several other) moves would have been sufficient alone to reduce fire exposures, and that a similarly integrated response is needed for cyber risk.
Casserley’s integrated plan for “protection and prevention” addressed governance, technology, people challenges and capital allocation.
On governance, Casserley called for oversight of cyber security at the most senior executive levels of organisations, and (where applicable) the Board’s risk committee.
On technology, he noted that we should assume that hackers already have access to our data on the inside of our organisations. The average time between a breach and its owner noticing is more than 200 days, so cyber professionals should perform regular checks on the integrity of information inside systems, he said. Casserley also encouraged institutions to see technology as a very necessary but not sufficient line of defence against cyber-threats.
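The "regular checks on the integrity of information inside systems" recommended above are easiest to picture with a concrete mechanism. The following Python script is an added example, not code from the speech or from Casserley's organisation: it builds a baseline manifest of SHA-256 digests for a directory tree, seals the manifest with an HMAC so that someone who already has inside access cannot rewrite the baseline alongside the data they change, and reports added, removed and modified files on a later scan. The key, file names and file contents are all constructed for the demonstration; in practice the key and the sealed manifest would be kept off the monitored host.

```python
"""Integrity baseline and verification for files under a directory.

Added example (not from the page). Assumptions, all mine: SHA-256 per-file
digests, a JSON manifest sealed with HMAC-SHA256 under a key held off-host,
and a scan that compares the current tree against the sealed baseline.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path (forward slashes) -> SHA-256 for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_digest(full)
    return digests


def seal(digests, key):
    """Serialise the manifest deterministically and attach an HMAC tag."""
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"manifest": body, "hmac": tag}


def open_sealed(sealed, key):
    """Return the manifest only if its HMAC verifies under the key."""
    expected = hmac.new(key, sealed["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline manifest tampered or wrong key")
    return json.loads(sealed["manifest"])


def verify(root, sealed, key):
    """Compare the live tree with the sealed baseline; report the differences."""
    baseline = open_sealed(sealed, key)
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline two files, then alter one, add one, and try a forged manifest."""
    key = b"constructed-demo-key-keep-this-off-the-host"  # constructed value
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "app.ini"), "w") as f:
            f.write("debug=false\n")  # constructed content
        with open(os.path.join(root, "payroll.csv"), "w") as f:
            f.write("id,amount\n1,100\n")  # constructed content
        sealed = seal(snapshot(root), key)
        clean = verify(root, sealed, key)  # nothing changed yet

        # Simulated unauthorised changes: a record appended, a new binary dropped.
        with open(os.path.join(root, "payroll.csv"), "a") as f:
            f.write("2,999\n")
        with open(os.path.join(root, "conf", "extra.so"), "wb") as f:
            f.write(b"\x7fELF")
        tampered = verify(root, sealed, key)

        # Simulated cover-up: the manifest is rewritten to match the altered tree,
        # but without the key the HMAC no longer verifies and the scan refuses it.
        forged = dict(sealed)
        forged["manifest"] = json.dumps(snapshot(root), sort_keys=True)
        try:
            verify(root, forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return clean, tampered, forged_rejected


if __name__ == "__main__":
    clean, tampered, forged_rejected = demo()
    print("clean scan:", clean)
    print("after tampering:", tampered)
    print("forged manifest rejected:", forged_rejected)
```

Running `demo()` shows a clean first scan, a second scan that names `payroll.csv` as modified and `conf/extra.so` as added, and a rejected forged manifest. The point of the HMAC is the one the summary makes: if an intruder is assumed to be already inside, the record you compare against must be something they cannot silently rewrite.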
On workforce strategy, Casserley called on organisations to invest in making their employees “cyber-smart”, noting that two-thirds of data loss incidents are caused by people within or close to the company. He also observed the link between workforce morale and cyber breaches, where companies with higher morale record fewer breaches – accidental or deliberate. Human capital experts can develop programmes that incentivise employees to be vigilant in the protection of a company’s digital assets.
Casserley also highlighted the role of cyber insurance to cover potential losses, noting that available capital for cyber risk is currently constrained as the markets continue to find it hard to quantify the risks. Current estimates put cyber insurance capacity at between US$500 million and two billion dollars per risk. But Casserley noted that the insurance market will deepen when all the stakeholders are engaged in finding solutions to manage cyber risk.