Cyber security and business risk – practical advice from the frontline

Nigel, can you tell the Risk Insights readers about yourself and your professional experiences?

I have been in the field of information security, or cyber security as we now call it, for nearly 30 years. I am a Chartered Engineer with a real passion for helping organisations manage their cyber business risk. So much focus in the cyber security world is around technology rather than risk, which in my mind is back to front. Without a decent assessment of risk how can controls be put in place? I have the privilege to work across many sectors including finance, manufacturing and critical national infrastructure and I am currently deep into the issues around the Internet of Things and industrial automation.


We are looking forward to you presenting at the New Generation Operational Risk: Europe Summit where you will be delivering a presentation on cyber security and business risk. Why do you believe this is a key talking point at the Summit?

Information technology is all around us and is a massive boon to our everyday lives (well mostly!). Unfortunately, the bad guys understand this and now see that undermining an organisation by stealing money, intellectual property or personal data can be a profitable business model. Gone are the days, mostly, of kinetic bank robberies. Now more profitable “bank robberies” can be taken from the comfort of a sitting room on the other side of the world. Cyber security risks need to be factored into every aspect of a company’s operational domain.

Cyber security is an area facing increased attention across the industry. Are institutions seeing an impact on the bottom line, and should they be stepping up efforts?

There is no doubt that cyber security issues should be very highly placed on organisations’ risk registers. Board level awareness is much better than it used to be even a couple of years ago. Nowadays no executive can ignore cyber security risk, and if they do it is at their peril. We have seen data breaches cost organisations a huge amount of money in both regulatory fines and remediation work, and with the new General Data Protection Regulation coming into play the regulators will likely become even more aggressive in prosecuting companies that ignore cyber risk and fail to implement suitable controls.


What are the key benefits of managing cyber security risk and incorporating it into an operational risk model?

By proactively addressing cyber security related risks an organisation is facing up to the inevitable – if they haven’t been hacked or had a data breach then they are surely likely to be. That doesn’t always mean that nation state actors will be going after your data; instead an incompetent, non-malicious data breach such as a lost laptop can still have catastrophic effects. I am a great believer in planning for the inevitable, and by incorporating cyber security risks into your operational risk model you are getting a long way down a very challenging journey.


How do you see the role of the operational risk professional changing over the next 6-12 months?

I believe that every operational risk professional will need to adapt to changing threats and challenges in an increasingly uncertain world. What was considered normality only a year ago has been tossed aside with the huge geopolitical changes all around us. This impacts cyber security as a variety of actors see “cyber” as a cost-effective way of conducting their nefarious business.