Despite their best efforts, companies are increasingly vulnerable to cyber risk, driving home the realization that a reactive, check-the-box mentality towards cyber-security is no longer acceptable.
We spoke with Bill Sweeney, financial services evangelist at BAE Systems Applied Intelligence, about the changing threat landscape and how companies need to employ a top-down response to it. Security skills are necessary, and will be required, in procurement, audit, compliance, and legal when handling vendors, verifying compliance policies, interpreting regulations and interacting with law enforcement, he says. And that is just the beginning.
CW: You see a lot of businesses, including hospitals and commerce-focused entities pay “ransomware” demands [where a hacker, rather than leak or abuse data, encrypts it and holds it hostage until they are paid]. Why do they give in?
Sweeney: Think of a small online store that is going to be out of business for three days, maybe five days, maybe more. That might be the difference between surviving and not surviving.
CW: Who is making the decision? Obviously, you can’t have a lower-level employee making the call.
Sweeney: This goes all the way to the CEO. I’m sure the CEO is having conversations with board members, apprising them of the situation, taking guidance, and then putting forth a business case that basically says: “Look, we are damaged no matter what we do.” From a reputation standpoint, you are damaged because they got in. They are asking for a low amount of money, however, and if you called in a consulting firm and asked them to undo this, you would probably pay 10 times as much.
The guys who are doing ransomware have studied the market and figured out where people’s pain points are. A hospital paid $17,000 and it was one of the biggest ransomwares ever. Usually it is in the $500-2500 range. It is annoying, but you can make it go away. I can then yell at my providers about how to stop this. I don’t mind paying once; I don’t want to pay every week.
CW: Are banks targeted?
Sweeney: You don’t hear much about it. The guys who are doing ransomware are only going to make a couple of thousand bucks, so how much trouble do they want to go through? They are going to go after soft targets and banks are not known as soft targets. You need to put a lot of work in to beat their defenses.
CW: How have evolving cyber-attacks changed the response we see from compliance officers and the C-suite?
Sweeney: Cyber-crime and cyber-attacks are not solely technical issues any more. They can disrupt the entire business and should involve the entire business.
Chief information security officers have had to develop new skill sets and mindsets. CISOs used to be very reactive: when something happens they fix it. Now, they have to be proactive and that’s why you see a lot of them who are coming out of the FBI and other law enforcement backgrounds, where people are used to intelligence, and thinking through the scenarios under which they could be attacked. CISOs have also had to become more comfortable addressing the board and their peers.
They are expressing the responsibilities of each of their peers and then holding them accountable. They are not quite audit. They are not quite the chief operating officer or compliance officer. They are somewhere in the middle, from a security perspective.
They are saying that your people need to go through training. They will want to run war games. The skillset of the CISO has dramatically changed.
ABOUT BILL SWEENEY
Chief Technology Officer and Financial Services Professional,
BAE Systems Applied Intelligence
Bill Sweeney is chief technology officer and financial services professional at BAE Systems Applied Intelligence and is entrusted with cultivating innovative technology solutions in cyber-security, fraud prevention and regulatory compliance for buy- and sell-side professionals worldwide.
Prior to joining BAE Systems Applied Intelligence, Sweeney served in senior roles for several technology boutiques. From 2000 to 2007, he served as chief information officer of compliance and legal technology for global financial services company Citi. Prior to that time, he was chief technology officer at HSBC from 1994 to 2000.
CW: How do they fit within the chain of command when it comes to getting buy-in for their approach?
Sweeney: That has to come right from the board level. The board has to sit down and have a conversation about how they are going to meet their accountability demands.
The board is accountable for running a secure business and nobody would ever question whether they had a right to impose rules about financial stability. Of course they do, and the chief financial officer reports to them. Nobody would ever have any doubts about their ability to keep the company honest. That’s why compliance officers report to the board. This is another area where the board has to come down and say that the company needs a plan. The board, however, can’t develop the plan. They can explain what they desire and then the CISO has to be able to translate that into a plan.
How do I get from where I was to where I want to be? That is where a CISO needs to be able to prioritize and address the board in a way it can understand. “If I spend $3 million on endpoint security, we will improve security 22 percent. If I spend $3 million on web security, we are only going to improve 1 percent.” They have to be able to translate their efforts into business benefit so the board can make a decision.
CISOs need to understand technology. They don’t need to be a programmer any more, but they need to know how to think about making technology secure and what the challenges are. They need the ability to interact with peers and be proactive instead of reactive. They need to have a financial background and be able to express themselves in business terms.
CISOs used to do stuff; now they sit on the board and talk about how to direct the digitization of the whole firm and how to use technology in a competitive way.
CW: Some boards are adding cyber-security expertise to their ranks. What else do they need to do?
Sweeney: The first thing boards need to understand is that they have to hold themselves accountable. There are many things boards are held responsible for where there is not a board member directly responsible for oversight.
The design of the solution has to fit the way the board works. The most important thing is for the board to recognize they are responsible for this and that they set up a mechanism by which they can hold themselves and the people in the company accountable. Then, they need to monitor those accountabilities and make sure people are doing what they set out to do.
CW: A challenge, and one keeping many up at night, is the security weak spot that can be posed by vendors and third parties. What should the response be?
Sweeney: You really need to start with awareness. I was at a conference and somebody suggested that you should put all your money into endpoint security. My point was that you are in trouble if you have a vendor connection and they don’t patch their endpoints.
Yes, you should do as much as you can with your own endpoints, but don’t be misled into thinking that is all you do.
You could have major losses as a result of this. You can work with your vendors and engage third parties to help them offset risk assessments or, depending on your relationship, to offset the costs. Insist on it, so you are assuring that your vendors are regularly being evaluated by a third party and you take the appropriate action as needed. The cost of doing that will be more than offset by your savings in operational risk factors.
If you can make yourself more secure by helping make your vendors more secure it is a win-win for both sides.
CW: What’s the next security challenge?
Sweeney: I talked before about how cyber-risk is an operational risk, but when you look at the regulated industries what you see is more and more regulation being put on the different industries. FINRA, the OCC, and the SEC are all coming out with cyber-guidance and that’s going to lead to cyber-regulation, which will lead to cyber-audits.
This is a really good reason for compliance people to go to a cyber conference, come up to speed, and start thinking about how to ensure that your company is going to be compliant with all of these laws and regulations. That’s a big change for compliance.
If a compliance officer says they will just rely on their CISO, it is an abdication of responsibility.
Thank you, Bill.