Brian White is a Principal at The Chertoff Group, a premier global advisory firm focused exclusively on the security and risk management sector. He is a subject matter expert on corporate risk management strategies with experience in both the public and private sectors. As the former Counselor to the Deputy Secretary, U.S. Department of Homeland Security, he was substantively involved in the development and execution of the Comprehensive National Cyber Initiative. His areas of expertise include corporate strategy planning, M&A and private equity strategic advice, supply chain security, and new business planning and execution.
Christopher Skroupa: At the time of a cyber-attack, how do company executives define and protect their most critical assets and put into place a business continuity plan?
Brian White: It is important to note that at the time of an attack it will already be too late for a company executive to identify those critical assets. The intruder will have located them and targeted these assets. Once the company identifies the cyber intrusion, each second is critical to effectively responding. With this in mind, it is essential for business executives to conduct a strategic review and analysis of their most vital assets and make investments to create a more resilient enterprise. It’s not about what they should do at the time of an attack, but rather how they implement a response and recovery plan. The biggest risk a company faces in today’s uncertainty of cyber-attacks is not being prepared.
Skroupa: As cyber-attacks become more sophisticated, how does a company executive best prepare for agile risk management and prepare effective response plans?
White: Practice is everything. In today’s world of cyber uncertainty 100% protection against a cyber-attack is not possible, even with the strongest of security measures in place. Therefore, creating an effective risk management and response plan is a key mitigation activity. Companies and enterprises should prepare and practice table top exercises with key executives and work with crisis communications professionals. Messaging the cyber-attack to customers and stakeholders must be included in an active response plan, both in protecting assets and restoring operational functionality. Understanding the key decisions and having preemptive conversations on how to disclose the attack and seek to regain trust from customers is a fundamental step in developing an effective response plan. Additionally, planning and preparation will be helpful in building the team regardless of whether it’s a cyber-event, a natural disaster or a product recall.
Skroupa: With an unforeseen attack, how can executives trust that their response plan will even work?
White: The hard fact is that you will never know if the plan will work before a cyber-event. But as General Dwight D. Eisenhower said, “Plans are nothing; planning is everything.” The key is to engage in the process of planning and exercising so company stakeholders know their roles and responsibilities. As a CEO, the first time meeting with the CISO and his or her team cannot be during the crisis. Every plan will have opportunities and vulnerabilities. Understanding the plan’s parameters and options will enable an executive to make decisions quickly and accurately at first response. If the plan initially fails, they will have the knowledge to divert and implement a modified response. An exercise two to three times a year for three to four hours each time will make all the difference if there is a major breach.
Skroupa: What assurance can company executives give and prove to their stakeholders that the company is prepared?
White: As an executive, they must be knowledgeable of all operations of the business, and most importantly have a deep understanding of the risks and threats to their organization as they continue to evolve. From there, it’s a combination of hiring good people, considering cyber insurance, planning, exercising, sharing information with others in the industry and generally being aware of this issue. It is no longer acceptable for executives to say that they don’t understand “cyber” or its threat to their organization. Protecting your company’s “bottom line” includes protecting your cyber assets and preparing an effective response plan. Major breaches will have a detrimental effect on a company. Today, CEOs must understand this threat and provide assurance to their stakeholders that it is a top priority.
Skroupa: There are many products and services available to companies for data protection, malware defense, and overall cyber security. How can I determine which ones will work best for a company?
White: Company executives must understand their organization’s vulnerabilities, threats, and most importantly, their overall risk. Selecting the security products that work for their company is a decision that should be based on an enterprise’s unique requirements. While most products do their job, there is no single reliable solution, which is why a defense-in-depth approach is critical.
Serhat Cicekoglu, Director of Loyola University Chicago Quinlan, Center for Risk Management, adds: “Preparation is pivotal to company resilience. It creates muscle memory and adapts to changing circumstances. As a result, company resilience becomes a way of thinking rather than a set of instructions. It is impossible to test all the scenarios available to attackers. However, scenario planning and war gaming exercises significantly improve the level of preparedness. Such preparations allow companies to uncover their vulnerabilities and reveal a better understanding of what is necessary to survive an attack and sustain business operations without a permanent loss of capability.”
On October 14, 2014, Loyola University Chicago, Quinlan School of Business, Center for Risk Management will host its first Executive Dialogue Series seminar program on Resilience—Big Data and Cyber Security. Continue the discussion with Brian White, Serhat Cicekoglu, Director of Quinlan’s Center for Risk Management, and a select group of 25-35 company executives and internationally renowned experts on resilience. To inquire about attending, contact firstname.lastname@example.org.