Learn From the Cyberattack Experience
Christopher Y. Clark conducts interviews with leading corporate directors and subject matter experts for NACD Private Company Directorship, a biweekly e-publication about private company board leadership and governance best practices, on critical issues from environmental, social, and governance (ESG) matters and cyber resiliency to succession planning and board composition.
According to Robert E. Kress, managing director of Accenture Security, organizations need to demonstrate why security is incredibly critical to business resilience.
Editor's note: This interview was condensed and modestly edited for clarity.
Bob, why did you move from being a managing director of Financial & Operational Audit at Accenture to a managing director of Accenture Security?
Several reasons: my background as COO of internal IT and my experience in internal audit were focused on deep knowledge of technology and risk, including cybersecurity risk, which prepared me well. In addition, I helped to create the Accenture internal information security function. Finally, through regular interaction with Accenture and client C-suites and boards I recognized the critical importance of getting cybersecurity right. These reasons, combined with an intrinsic interest in cybersecurity and a desire to make the world a safer place, made it an easy decision!
How is ransomware changing the practices of private companies (and public companies for that matter) and their boards?
Established ransomware operators are upping their game, focusing on new monetization opportunities. There has been a 160 percent year-on-year increase in ransomware events in 2020 alone—with little sign of any slowdown here in 2021. Operators keep innovating, customizing ransom demands and constantly improving their ability to disrupt. Organizations need to strengthen defenses across people, processes, and technology; act fast; and demonstrate why security is critical to business resilience. Boards understand the risk and are encouraging their organizations to take four key actions:
Prioritize the human factor. Maintaining the health and well-being of the workforce is of utmost importance, essential for the smooth running of any enterprise. It also helps to mitigate risks to the larger community.
Protect the company infrastructure. Inform employees about known vulnerabilities and make sure their teams are diligent when it comes to testing and intelligence.
Be brilliant at the basics. With many workforces now remote, shift the information security focus from an enterprise infrastructure to a virtual and cloud environment.
Provide the tools and the teams to tackle risk. Evaluate and promote solutions that mean distributed teams can connect and collaborate safely, securely, and effectively—helping organizations to create better employee experiences while making them more productive.
Do you feel comfortable with the government’s efforts to “step up” when it comes to fighting cyber criminals?
The short answer is yes. The recent cybersecurity executive order (EO) is meant to improve the government’s ability to detect, coordinate, respond to, and investigate cybersecurity incidents while raising costs for attackers and promoting security and resilience across software and industry supply chains. We expect and hope that the EO will drive significant changes in companies’ secure software design and operations. If industry and government follow through on this promise, it will raise the security bar for everyone—improving resilience for US companies and as a result, the resilience of America to cyberattacks. We believe that additional emphasis on prevention will ultimately reduce costs for businesses.
Organizations should assess their strategy and capabilities to apply potential requirements and standards to their own enterprises. They will need to monitor the potential impact of these requirements against other emerging standards outside the United States and come up with a strategy to deal with any divergences. Companies should work together with their industry and their cybersecurity partners to collaborate in the upcoming standards' development.
What does it take to make the right spend on cybersecurity?
Cybersecurity spending tends to be impacted by several factors, including the maturity of the enterprise cyber defense function, the nature of the industry in which the enterprise operates, and management’s appetite for risk.
It is important to think about cyber spending in the context of the broader enterprise strategy. Is your spending helping manage the risk of acquisitions or entering new markets or engaging in a digital transformation? Understanding what the company’s most important risks are, and your organization’s risk appetite, really is the first step in determining the right spend.
In terms of spending on the right security investments, our recent research report, Accenture State of Cybersecurity 2020, outlines that non-leaders (average cybersecurity performers, but far from being laggards in cyber resilience) should consider scaling as fast as the leaders (an elite group that has higher levels of cybersecurity performance compared to the rest). This can help them to understand how effective investments in new security technologies will be in improving security detection rates and protecting more key assets—but only when they are fully deployed across the enterprise.
How should private company board members deal with cyber threats and breach flare-ups as they arise?
We recommend a two-step approach: what to do right now and what to do after an attack.
What to do now? Operate under the assumption that you are already breached and focus on resilience across the end-to-end value chain. Ensure your organizations are:
Focused on the basics: keep security hygiene up to standard; maintain controls and continue patching; protect crown jewel data.
Preventing and protecting: increase confidence through continuous validation and testing of your defenses; knowing your operations and what’s important; and modeling the threat against your operations and end-to-end value chain.
Making it personal: collaborate and prepare with legal, communications, senior management, and external service providers; tie business and personal objectives to cyber readiness.
Preparing, preparing, and preparing again: planning and validating to constantly measure and improve resilience and adjust the course over time.
What to do after an attack? Ensure your organizations are taking the following actions:
Trace the attack. Use incident response, forensic analysis, and threat intelligence to identify how the attack occurred and build a comprehensive understanding of the intrusion and impact.
Collaborate and report. Notify industry partners, consortiums, law enforcement, and appropriate authorities for greater threat awareness.
Learn from the experience. Quantify the financial and reputational impacts and identify metrics and resources to meet the board and C-suite’s expectations for cyber resilience.
Update risk and mitigation plans. Evaluate current inherent and residual risk measurements and work to identify any beyond acceptable levels.
Strengthen defense posture. Establish tactical plans to remediate and harden the environment.
Christopher Y. Clark is the former publisher of Directorship magazine and former NACD senior director of partner relations.
Robert E. Kress is managing director of Accenture Security. As the global quality and risk officer at Accenture Security, Kress is responsible for identifying, assessing, and managing risk in Accenture's Security business, along with overseeing the quality of Security services delivered to clients.
Christopher Clark, Former Publisher, Directorship & Senior Director, Partner Relations, National Association of Corporate Directors
Bob Kress is a managing director at Accenture Security, where he is the cochief operating officer and the global lead for quality and risk.