Cyber risk with Irfan Saif

Leader's Corner | Perspectives from the front lines

The digitalization of the business landscape offers never-before-seen opportunities but also makes organizations more vulnerable to cyber attacks and breaches. At the highest level, leaders are focused on maturing their cyber risk programs and dealing with the fact that cyber risk is everywhere—from the light switch in the office to the systems storing the organization’s most sensitive information.

Cyber risk Q&A

Q. Why should leaders view cyber risk as a high priority?

Cyber risk may have a significant impact on an organization’s financial performance—both short-term and long-term. It may also affect brand and reputation and customer loyalty. It’s among the less well-managed risks because there’s historically been more rigor, experience, and regulation around financial, operational, and other more traditional risks. Cyber risk has also been historically handled lower in the organization, often narrowly siloed within IT, which means that it hasn’t risen to the same strategic level of importance in the past. The rate of change in the technology landscape outpaces other risk domains. Moreover, many boards and C-suite teams lack cyber risk experience, compared with those having financial and operational risk experience.

Cyber risk management is still viewed mainly as a technology problem, but it’s not. An IT security mindset prevails, artificially narrowing the view of an organization’s cyber risk. For example, the European Union’s (EU) 2018 General Data Protection Regulation requires organizations to holistically address the processing of data pertaining to citizens of the EU. Many organizations viewed this as an IT problem when, in fact, it posed much broader challenges in terms of sales, marketing, and business processes relating to how data is acquired, stored, processed, shared, and destroyed. So, making a decision about a sales or marketing initiative without considering cyber risk explicitly could land organizations in trouble down the road.

Q. What impact does the Internet of Things (IoT) have on cyber risk?

IoT is a fast-growing domain across all industry sectors. It’s seeing the most rapid adoption in consumer products, industrial controls and processes, and medical devices. IoT offers automation and data, which businesses are using to drive action, conduct deeper data analysis, drive predictive maintenance, and other efforts to improve overall efficiency and output and profit margins.

IoT also broadens the attack surface of enterprises. At a time when many organizations aren’t effectively addressing existing cyber risks, adding this new dimension for organizations to manage can be very challenging. Solutions are available to help clients adopt IoT in their business environments and proactively monitor those environments to react to potential threats in the IoT environment.

Q. What’s the best strategy for addressing cyber and other strategic risks?

First, it’s important for an organization to have a C-level executive responsible for enterprise-wide risks of various kinds, which gives risk the same priority as finance and operations risks.

Second, it’s essential to create a culture of risk management in which everyone is responsible for risk, including cyber risk, within their job functions.

Third, instead of simply buying more technology, senior leaders need to examine organizational design, process design, human interfaces, and ways of leveraging the right technologies to make experiences simple and seamless.

Fourth, leaders need to engage with new technology proactively rather than leave any one department or function to address adoption in a silo. I like cars, so here’s the analogy I use: The fastest cars have the best brakes. Sophisticated risk management enables organizational performance in similar ways. Move faster, with greater agility and confidence, knowing that the foundation for applicable controls, governance, and management is in place to help handle the speed, the curves, the bumps, and the unexpected.

Irfan Saif | Principal, Deloitte Risk and Financial Advisory

Irfan is a leader in our Cyber Risk Services practice and leader of the Future of Cyber innovation portfolio. He is also a co-leader of Deloitte’s CIO Program and has served as the Technology industry sector leader. Irfan’s experience, which spans more than 20 years, has been shaped by the opportunity to work with some of the world's most innovative companies. He has led dozens of cyber risk engagements for Fortune 500 clients ranging from strategy to technology implementation to breach response and recovery work.

The view from the C-suite

Cyber risk is a high-priority concern for senior leaders because it goes beyond the IT department. A cyber incident can result in the loss of intellectual property, compromised processes or systems, or appropriation of customers’ data. But it can also impact stakeholders in ways that pose threats to the organization’s reputation, brand, and bottom line, particularly when the incident draws media coverage or goes viral on social media.

Given the significant threat that cyber risk poses for an entire organization, it’s important for senior leaders to be fully engaged on the topic to act quickly and confidently in managing this threat. But that doesn’t appear to be happening.

In Illuminating a path forward on strategic risk—Deloitte’s survey of 400 CEOs and board members in organizations of more than $1 billion—only 38 percent of CEOs and 23 percent of board members said they are highly engaged in cyber risk. One reason for this might be that cyber risk reports often focus on technical details and technological risks. CEOs and board members could benefit from—and be more engaged by—cyber risk reporting and assurance that focus more on business risks and impacts.

The survey also found that only 25 percent of organizations plan to invest in cyber war-gaming or scenario planning, even though it’s a leading practice to assess vulnerabilities and response processes. Typically viewed as a cyber risk management exercise, these simulations should extend to address all potential threats to reputation, brand, and value. As a leading practice, war-games should be conducted at least twice a year—not as check-the-box exercises but as strategic opportunities to improve the organization’s overall reputation and resiliency.

In my conversations with members of the C-suite and board, I’ve found that talking about cyber posture, rather than cybersecurity, elevates the entire conversation around cyber risk. Cyber posture focuses on the key attributes of your cyber program and compares them with those of leading companies, both within your industry and in other sectors.

Although cyber postures vary substantially, within any industry and across industries, there are specific attributes found in the programs of leading organizations. By measuring your organization’s attributes against those, you can develop a picture of your current and desired cyber posture.

The concept of cyber posture recognizes that absolute cyber assurance is unattainable and that cyber-readiness is an ongoing journey. It also recognizes that cyber events pose threats to reputation, brand value, and top- and bottom-line performance. For those reasons, it focuses on the strategic impacts of cyber events and on management’s steps to address those impacts.

Chuck Saia | Former CEO, Deloitte Risk and Financial Advisory

Chuck previously led a risk consulting and financial advisory business comprising 12,500+ professionals. As CEO from October 2016 through May 2019, he oversaw a practice that is considered a global leader in risk and financial advisory services.
