A recent roundtable dinner in Hong Kong, facilitated by Richard Lin and Matthew Edwards of Egon Zehnder, and Sean Duca, regional chief security officer at Palo Alto Networks, brought together executives from the region to discuss cybersecurity and why it is an increasingly urgent challenge for corporations and nongovernmental and governmental organizations, alike. The discussion was designed to exchange ideas, insights, and best practices, as well as promote security awareness and a mindset of prevention among attendees.
Attendees came to the roundtable for various reasons, but many were interested in hearing about peer trends—what others are seeing from an offensive and defensive security standpoint. Further, there was much interest in, as one attendee put it, “…the cost versus benefit of security—we know it’s important, but it’s difficult to understand.” One executive noted that security budgets have been increasing by double-digit percentages every year, so how to monitor—as well as measure—cybersecurity is a real challenge.
Much of the conversation centered on the following topics:
- Cybersecurity awareness and education: Cyberattacks are growing in frequency, sophistication, and impact. Adding to the challenge are employees who are not cautious about cyberattack attempts, exposing themselves to phishing, password theft, and various other intrusions. Consequently, education of staff to increase awareness and vigilance is now crucial. During the roundtable discussion, participants described some of the best practices they are employing at their companies, such as having regular training on data safety and running tests on employees through mock attacks. In some cases, the practice is taken so seriously as to reprimand and possibly terminate employees who repeatedly fail to respond appropriately to mock attacks. One director expressed how tough his enterprise is about security: “In phishing exercises, if someone clicks multiple times, they get fired—that’s how serious we take it!”
- Intelligence sharing and its challenges: While attendees generally agreed that information sharing on cyberattacks and their possible prevention is an important way to enhance defense measures across industries, it is clear that challenges prevail. An agreed observation was that the various perpetrators of cyberattacks are often more coordinated than the industries that are the targets of their attacks. The lack of cooperation is partly due to commercial competition among industry players and a tendency to avoid leaking news of attacks to the media. Two of the participants pointed out that, depending on how cooperative the board is, CEOs and CIOs might believe the short-term reputational risk in sharing information on attacks outweighs the potential long-term benefits of being more transparent. The comment was made that trust can be especially hard to build among industry peers, particularly among financial intuitions, where client confidentiality is paramount. There was, nonetheless, general agreement that practitioners can and should do better in sharing information, and it was suggested that support through government regulation could help.
- Raising management awareness of cybersecurity risks: Data protection ultimately helps reduce business risk. Compared with just a few years ago, there has clearly been a shift in the awareness of cybersecurity among C-level executives and boards. However, there are varying levels of understanding among organizations. Some attendees were sleeping well at night, knowing that effective investments and policies for cybersecurity were in place. Other attendees noted that CIOs still need to invest a significant portion of their time raising awareness within their organizations so that the entire management team fully appreciates the importance of IT security, with appropriate budgeting and headcount being afforded thereafter.
“I don’t need to start the conversation [about cybersecurity] anymore like I did seven years ago—leadership is demanding it,” said one attendee. Another agreed, “It’s an agenda item on the board now. They get the budget. Cybersecurity is one of the top 30 enterprise risks, and there’s a security-awareness team that looks at a lot of different things. In the end, we’ve found that humans are the weakest link.”
- Third-party service providers and contractors: Some companies may realize they cannot grow their in-house IT capabilities at the same pace that the overall business grows. They are, therefore, using third parties to supplement capabilities and control costs. This could result in data risks that are beyond the company’s control. Contracts and policies can be put in place to mitigate those risks. However, in reality, there are challenges associated with maintaining appropriate cybersecurity standards through contractors, and attempts must be made, therefore, to establish trust in conjunction with a sound legal framework.
- Data protection measures: The pattern of attacks can be random in nature and initiated by individuals, groups, or nation-states. Apart from focusing on building up strong defenses, some companies have taken proactive initiatives, such as creating “honey pots” to lure hackers into their networks, all in an effort to better understand and learn from their strategies to avoid future such attempts. Examples were shared of how cyberattacks could even result from an unflattering piece of public news that might cause a disgruntled cybercriminal to launch an attack.
- The CISO reporting line: In most cases, this depends on the industry nature and business size. In some situations, the CIO is also the de facto CISO and reports directly to the CEO. This is especially common in the technology industry where the need for high-level cybersecurity is more pronounced. In other organizations, CIOs or CISOs might report to a COO or CFO with a dotted line to the CEO. Strong opinions were voiced by participants that a CIO reporting to a CFO is suboptimal, as cybersecurity becomes a bigger issue requiring strategic, rather than financial, oversight.
- Legal and regulatory framework: In Hong Kong, the law does not require information sharing, and relevant cybersecurity and IT infrastructure legislation is not well-established. This is something that can be improved upon. A good example is Singapore, where the government and legislators have established a strong regulatory framework for cybersecurity.