Interview with Sonja Stirnimann

swissVR Monitor: Many companies don’t seem to see the importance of increasing their cyber resilience until they actually become the victim of a cyber attack. Do companies tend to ignore or underestimate cyber risks?

Sonja Stirnimann: I still see Boards tending to leave cyber security largely to their IT function rather than recognising it as a part of their strategic responsibility. I think that’s the wrong approach. This is a really important issue, because it affects the company’s – and the Board’s – assets, reputation and ability to operate. Cyber resilience is one of the most important competitive advantages any company has, but many Boards still underestimate it when thinking about how to prevent serious disruption.

I wouldn’t presume to judge whether they are consciously ignoring the risk or simply underestimating it, but it’s human nature to sidestep an issue when we lack expertise in it. This may be unconscious but in the context of cyber resilience, it can have fatal consequences. And purely from the perspective of the Board’s responsibilities, it is essential that this issue receives the proper attention.

swissVR Monitor: So what role does the human (risk) factor play in cyber resilience?

Sonja Stirnimann: Resilience is not the same as resistance. Resistance tends to focus on IT security, the company’s IT infrastructure and preventive measures, including monitoring. Resilience, on the other hand, focuses on how quickly the company can be up and running again for its stakeholders after a crisis.

Cyber attacks often pose a severe threat to a company’s ability to operate, and in exceptional circumstances like a cyber attack, that ability depends hugely on the reactions of its Board. But not all Board members – or companies themselves – have received professional training to prepare them for such a crisis. It is one of the core responsibilities of the Board and senior management to ensure that the company can continue to operate, so it can also be a good idea to rehearse for such a crisis, with lessons learned fed back into processes to improve them. Cyber resilience is therefore all about an organisation’s ability to recognise cyber attacks, respond to them and recover from them while maintaining its ongoing operations. The difference between resistance and resilience can be illustrated by the life cycle of cyber crime incidents.

Resistance primarily means preventing or stopping attacks that could cause damage to the company, such as security measures including firewalls, intrusion detection systems and cyber security rules. But while resistance is important, it cannot completely prevent a cyber attack. And these days we have to assume that we are all under attack all the time, so resistance covers preventive measures that mitigate or minimise that risk.

Resilience on the other hand is about an organisation’s ability to react rapidly to an attack or to disruption to its systems, to recover and to continue operating. This includes detecting attacks, responding rapidly and restoring systems so that it can continue to do business. By contrast with resistance, which relies on preventing attacks, resilience is about limiting the impact of and damage caused by attacks. And the ability to continue operating is the central objective.

swissVR Monitor: Companies tend not to discuss cyber attacks publicly. How can we persuade them to stop seeing the issue as taboo and be more transparent?

Sonja Stirnimann: We’ve been living with ‘cyber’ for at least 40 years, yet for many Boards, it is uncharted territory compared to other operational risks. What I find, though, is that the fear factor and taboo tend to die away if the problems are discussed in a safe space with like-minded people at Board and/or management level. And this means having not just that safe space but also the willingness to share experiences and to learn. I’ve found that Boards appreciate this openness and can learn a huge amount from each other. And it can help if such discussions take place across different sectors.

swissVR Monitor: So who within a company is responsible for cyber resilience? Where is that responsibility located?

Sonja Stirnimann: Many companies still don’t see this as an issue requiring action or have only recently recognised its importance, so I think cyber resilience – and the upstream cyber resistance – need to be recognised and tackled as an operational risk at Board and management level. Depending on the company’s and Board’s level of maturity, they may also need to go on a learning curve, which can be steep. The Board and management are role models, in cyber resilience as in many other areas.

swissVR Monitor: You advise companies to start by raising awareness. What does that mean in the context of cyber resilience?

Sonja Stirnimann: Awareness raising starts with active discussion, information and training – at all hierarchical levels. We learn from analysing and discussing case studies and using them to identify our own risks, which requires openness and recognition that any of us could be affected, sooner or later. These discussions often take place only once there has been an attack, rather than preventively before an attack can happen. But my experience is that companies that think strategically before an attack with a view to enhancing and securing their competitive advantage do better in terms of protecting their assets.