Cybersecurity is a team sport

Mary Galligan supervised the US Federal Bureau of Investigation’s (FBI) inquiry into the Sept. 11, 2001 terrorist attacks. She later served as special agent in charge of cyber and special operations in the FBI’s New York office, where she led the largest technical and physical surveillance operation in the agency.

John Gelinne was chief of staff and third in command of the US Navy’s Cyber Fleet, conducting full-spectrum cyber operations, shaping the Navy’s cyberspace workforce, and driving the integration of cyberspace capabilities and technologies into the Navy’s operational environment.

Beyond their impressive résumés and shared passion for combating cyber threats, Galligan and Gelinne have something else in common. Both are now directors in the Deloitte Cyber Risk Services practice in the US.

“We’re thrilled they made that choice. I’m sure they both had many attractive career options where they could leverage their unique skill sets, experiences, and valuable networks,” says Ted DeZabala, Deloitte Global Cyber Risk Services leader. “Professionals like John and Mary, and many others with distinguished cyber risk credentials, give Deloitte a tangible advantage in this space.”

Building resiliency among clients

Deloitte believes cyber has become a strategically important business risk issue, and that companies need to be “secure, vigilant, and resilient” to effectively manage risks. “Our Cyber Risk Services professionals are dedicated to helping organizations protect information assets, be aware of the rapidly evolving threat landscape, and respond to and recover from incidents that are becoming increasingly inevitable,” DeZabala explains.

“Professionals, like Mary and John, know from past experience that despite everyone’s best efforts, breaches do occur. That is why they are dedicated to resiliency,” he continues. “How damaging breaches become can depend, in part, on how rapidly the situation can be analyzed, how decisively leaders take action, and how effectively teams interact with customers, media, legal counsel, law enforcement, and industry peers. How you respond defines you in the marketplace. Resilient services help clients be prepared to respond.”

In helping clients prepare, Gelinne draws on the military readiness model he knows well. “Before a ship is deployed, we have to ensure it is ready to perform,” he says. “To do so, we assess our resilience level; build capabilities through training; conduct a validation-certification exercise; and implement sustainment activities to stay ready, fix weaknesses, and maintain strengths. Deloitte is advancing that same methodology within Cyber Risk Services.”

This four-step approach can help organizations at all stages of maturity attain and maintain a targeted level of cyber resilience through cyber wargaming and simulation, disaster recovery planning, incident response, and business recovery services.

Not just a “tech issue”

“I was attracted to this role, in part, because I share my colleagues’ holistic approach to cyber incident response,” Gelinne says. “We understand cyber breaches aren’t just a technologist’s problem. Our approach is designed to prepare and validate an organization’s overall cyber resilience from the boardroom, to the war room, to the individual employee, to the organization’s stakeholders and customers.”

Galligan, who spends much of her time educating clients’ board members and senior executives about the risks their organizations face, agrees. “Deloitte helps clients focus on what matters most from both a business and technology risk perspective, and then provides tailored and cost-effective solutions,” she says. “Beyond that, what stands out to me is the trust clients place in Deloitte. Because our professionals serve so many among the Fortune Global 500^®, there isn’t much we haven’t seen. Clients value that, and respect the knowledge we have about their organizations and industries.”

That knowledge is especially evident in cyber wargaming. “Many consultants offer wargaming, but for most, it’s a tabletop discussion versus a true wargame that really tests a client’s full response capabilities,” Galligan says. Adds Gelinne: “Cybersecurity is a team sport. It takes all hands on-deck to be successful. So, when Cyber Risk Services tailors wargames for clients—which we customize to each client’s industry and build in probable scenarios, drawn from real-life experiences and client situations—we bring the whole organization to the table and aggressively test their response plans and communications channels.”

Galligan says requests for cyber wargaming continue to increase, in part, because regulators are writing stricter, new guidelines urging organizations to not only have resiliency plans in place, but also have them tested—preferably by objective, third parties like Deloitte.

“With cyber attacks in the headlines so frequently, fear of a major incident often drives investment. But, we encourage our clients to consider cyber risk as a positive component of their forward-looking initiatives,” Galligan says. “Organizations constantly create advantages through new technologies, expansion, mergers and acquisitions, new customer-engagement models, and more. Managing cyber risks is critical to the success of these moves. Threat actors can steal information, disrupt operations, corrupt data, shut down controls, and destroy clients’ systems.

“Organizations need to tighten up how they address those risks. This is a strategic concern, not just a technology concern,” she continues. “There’s a lot of self-gratification in being able to help clients transform their approaches. I spent 25 years with the FBI helping people, and I’m glad I’m still doing that with Deloitte US.”

“Deloitte”, “we”, “us”, and “our” refer to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. See additional information.