Gene Fredriksen is the Chief Information Security Officer for PSCU. In this role, he is responsible for the development of information protection and technology risk programs for the company. Fredriksen has more than 25 years of Information Technology experience, with the last 20 focused specifically in the area of Information Security. In this capacity, he has been heavily involved with all areas of Audit and Security. Fredriksen has served on the R&D committee for the Financial Services Sector Steering Committee of the Department of Homeland Security. He was also appointed to represent credit unions in the Global Forum to Advance Cyber Resilience.
Christopher P. Skroupa: What’s new in the way cyber affects the 21st century company?
Gene Fredriksen: Businesses and consumers now demand instant access to business goods and services not just from their laptops, but now also from their mobile devices. Driven by that demand, companies are opting to rely more and more on the Internet to conduct business online. While the benefits of anytime, anywhere consumer access are clear, increasing reliance on the Internet has its cons, particularly when it comes to a variety of cybersecurity issues.
As the percentage of gross revenues from e-business grows, the risk to the business from cyber attacks and outages also grows proportionally. If there is an outage on an e-business site preventing a consumer from accessing goods and services, a savvy consumer will find it easy to visit a competitor’s website with a few simple keystrokes. It is not like the traditional model where the consumer would have to physically travel to another brick-and-mortar location. While we have enhanced the ability of consumers to visit us online, that same infrastructure allows those consumers to visit our competition just as easily.
Skroupa: Likewise, what’s different in company resilience? What’s been working, and what hasn’t?
Fredriksen: Resilience can be defined as the ability of a business to not just survive, but also to thrive in a rapidly changing or potentially caustic environment. When businesses choose to pursue an e-business strategy, they must be cognizant of consumer expectations. In a highly competitive e-business environment, the difference in cyber risk investment between vendors has already become an important criterion for selection.
This difference only becomes more important when a hacker or technology-related incident damages the business and customer relationship. As businesses seek to innovate to better serve the customer, they must ensure new technical solutions and processes also reduce the risk the new systems bring along with them. Security and business continuity must go hand-in-hand in order to achieve the necessary resilience to match the risk profile of the company.
Over-reliance on technology alone to solve resilience issues is doomed to fail. It takes a balanced approach utilizing People, Process and Technology to achieve security while improving operational abilities. Well-designed, resilient solutions will also reduce daily “noise” for the operations team, allowing it to focus on infrastructure enhancements to enhance resilience.
Skroupa: How important is it for the board to be involved with the CISO?
Fredriksen: As we have seen with recent data breaches, there is an increasing pressure on boards to provide adequate oversight. The recent Equifax breach prompted questions about whether the board and executive management failed to supervise and manage the significant risks to the company. As a result, boards will increasingly be expected to have regular briefings with the CISO or a knowledgeable cybersecurity representative, and to ask probing questions about the program. Given the significance of the issue, two or three slides in a briefing deck will no longer be viewed as adequate oversight and supervision.
Skroupa: Technology is rapidly changing; is cyber defense keeping up?
Fredriksen: For cyber defense to effectively keep up with technology, we must first pay attention to the basics. The Equifax breach has been attributed to a patching problem. The Home Depot breach was the result of lax security on a third-party connection. Malware regularly makes it into organizations when employees open phishing emails. None of the basic blocking and tackling tactics are flashy or sexy, but we cannot be secure without them. Without a robust program to address the basics, no amount of technology spend alone will secure an organization.
A balanced approach of People, Process and Technology controls, tied to and commensurate with business risk, will establish a strong defense program for an organization. If the program is constantly evaluated against business risk and emerging technical threats, the program will remain strong. There are no guarantees against a breach, but the best defense is a strategic, balanced program.
Gene Fredriksen will be a panelist on The Internet of Things: One Example of How Technology Shapes—and Threatens—Value Delivery section at The 21st Century Company Program on November 7 in New York, NY.