Interview Of The Week: Nick Coleman

Nick Coleman, IBM’s Global Head of Cyber Security Risk, specializes in evaluating risks from cyber adversaries, digital transformation and regulations. Before joining IBM he served as the U.K. Government’s National Reviewer of Security and authored ‘The Coleman Report’ for the U.K. Parliament. Coleman, who holds an MBA with distinction, is a Fellow and Chair of Digital at the Institution of Engineering and Technology. He regularly advises boards around the world on digital leadership, on how to manage the risk that results from traditional and new, emerging business models, and on how to create trust and resilience. Coleman, a scheduled speaker at the World Economic Forum’s Annual Cybersecurity Summit on November 12–13, recently spoke to The Innovator about how companies and boards should think about cyber security.

Q: Cyber-attacks and data breaches are regularly in the headlines. Are cyber security issues becoming worse?

NC: Cyber security attacks are multiplying and regulatory requirements are growing. The question is no longer if a company or an organization is going to be attacked, but when. The challenge is not only to protect but also to be able to respond. It is really now about risk management, and there are two dimensions to that: firstly, seeing and evaluating cyber risks in the context of other risks and being able to start to understand what levels of risk are acceptable; and secondly, being able to measure and quantify cyber risks. That is an evolving piece, because it is easy to measure impact after the attack but not so easy to know what the risks are before the fact. The digital footprint of companies and organizations has grown and grown, which means there are more things to secure, and those things connect to more things, so there is an increasing number of things to think about. The analogy that is often used is that of a car. First you had to get used to the idea that you needed seat belts, and then alarms were installed to warn you that you had forgotten to buckle up. Security is on a similar journey. Some of the systems were originally sold many years ago with security bolted on. Now we know we have to design it better in the beginning, and we have to put these alarms in place in areas where the hygiene is failing and where the attackers are trying to get in. Not every risk is going to be eliminated everywhere, but rather than protecting everything equally, companies need to understand which data is the most sensitive and then focus on getting the hygiene in place and functioning effectively for those areas. They also need to ensure the ability to respond fast and minimize the damage when something unfortunate happens. Risk management is about determining what your critical assets are, placing resources where it matters most and creating agility in your defense.

Q: What does it take to build trust and resilience?

NC: As we continue to adopt the cloud and new models of computing, we are going to have to get the engineering right, meaning security will need to be embedded both into the build and into the fabric of the business model, and all of the security processes will need to be cloud-ready. We used to talk about confidentiality, integrity and availability. Now it is also about testing an organization’s risk appetite. Organizations need to price it out and ask themselves if a particular risk is something they are fine with. And they need to develop scenarios to prepare for how the company would react in real time. There is a caveat: there are some scenarios we don’t know yet, the unknown unknowns, but companies and organizations that have honed their responses and built in resilience should be able to minimize damage.

Q: What do board members need to know about cyber security?

NC: Boards have been getting briefings about threat landscapes for some time, but now they are asking ‘how do we know we are competent at evaluating the risks and managing them appropriately?’ Business schools are trying to take these executives on a journey to help them become cyber literate, ask the right questions and become capable of executing their roles. I myself teach a course to executives at business school. First, board members need to familiarize themselves with core concepts such as the NIST [Identify, Protect, Detect, Respond and Recover] cybersecurity framework; then they need to ask themselves whether they have a good understanding of risk and audit the organization so they have a sense of what type of cyber security is in place. They also need to have a clear idea of what their role is in case of a crisis. At IBM we operate a 23-ton truck that serves as a mobile crisis command center. It contains a data center, a command center and access to communication services, so that we can test the organization at the board level by simulating a crisis modeled on all the incident data we see out in the market. We try to make it as real-life as we can. There are even stock tickers on board. This is done to ensure that, in addition to being cyber literate and doing due diligence on their organization’s critical assets and cyber security system, the board understands what its role is during a crisis.

Q: What advice do you have for organizations?

NC: Create a culture and process for security based on operational resilience and driven by risk appetites. Apply controls where they matter. Understand what operational and risk data you have, use artificial intelligence to see patterns quickly, and automate security controls to do as much as possible, efficiently and cost-effectively. It’s also important to realize that being compliant with regulations such as GDPR has changed the cybersecurity landscape, so now risk management means you have to think about regulatory compliance as well as security and controls in order to be agile and ready for the cloud model.

About the author

Jennifer L. Schenker

Jennifer L. Schenker, an award-winning journalist, has been covering the global tech industry from Europe since 1985, working full-time, at various points in her career, for the Wall Street Journal Europe, Time Magazine, the International Herald Tribune, Red Herring and BusinessWeek. She is currently the editor-in-chief of The Innovator, an English-language global publication about the digital transformation of business. Jennifer was voted one of the 50 most inspiring women in technology in Europe in 2015 and 2016 and was named by Forbes Magazine in 2018 as one of the 30 women leaders disrupting tech in France. She has been a World Economic Forum Tech Pioneers judge for 20 years. She lives in Paris and has dual U.S. and French citizenship.