In this episode, Monica Verma talks to Marc Vael, CISO and risk management expert on cyber and systemic risks, cyber risk exposure, how to make your risks more tangible, visible and understandable, and key elements for effective risk management, integration and communication.
Looking for your dream job in cybersecurity?
Don't know where to start or how to go about it?
Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career.
Monica Verma 0:00
Hey folks, welcome to a brand new episode of We Talk Cyber with Monica, your one and only platform for real world stories from some of the renowned global experts in security, privacy and leadership, making a real impact every single day. If you wish to have the real stories directly from the source, and learn and understand; What does it take to build a personal success story? What are some of the biggest challenges within security, privacy and leadership that we face today? And what can we do about them? And more importantly, how can you build your cybersecurity career even stronger, break into leadership and take it a step further, then this podcast is the right place for you! So before we hop into the episode, make sure you subscribe to my YouTube channel: Monica Talks Cyber. You'll find all my videos, including podcasts videos, and if you love listening to podcast audio, then please tune in subscribe to We Talk Cyber in your favorite podcast app, do it right away. So you don't miss any of the amazing stories and conversations. Shout out to today's sponsor: Simplycyber. If you're interested in more technical security content, then check them out. So let's hop right in the episode: This is We Talk Cyber with Monica.
Monica Verma 1:29
So we have a fantastic episode for you today! Because we're talking about cyber risk and all about risk management. We'll be talking to an industry leader within this space. We'll be talking to Marc Vael on what are cyber- and systemic risks and their importance in risk management. Why do organizations need to care about cyber risk exposure? And how do you even define or calculate it? How can you define your risks in a more tangible, visible and understandable manner? What are some of the key elements to effective risk management and communication around it? What are some of the key elements for effective integration of cyber risks within enterprise risk management and accountability? So if you want to hear about all these and more, let's meet our guest right away. This is We Talk Cyber with Monica. Hi, Mark, how are you doing? Welcome to the podcast show today.
Marc Vael 2:22
Hi, Monica, thanks for inviting. It's quite an honor! And looking forward to discussing and hopefully bring some ideas to the audience.
Monica Verma 2:31
Lovely. Thank you for coming on the show today Mark, really an honor as well. Let's just start maybe by defining what a cyber risk and why is it really important as a part of risk management for an organization today.
Marc Vael 2:52
First of all, cyber risk: it is important, but it's very subjective. Because everybody has a different perception of what risk in cyber means and what the different components of it are. But in view of the fact that more and more media are reporting on a more frequent basis about incidents or things that have happened in cyber and on The Internet with organizations, large and small, people are concerned. Especially executives get more and more of these questions about the topic. And actually, I follow the World Economic Forum - the Global Risk Report- it's been the 15th edition this year. And again, cyber attacks and cyber risks are high up in the agenda of all the risks combined, that people are, you know, aware of. And so in that sense, it is difficult to grasp it, because everybody of course can have a different perception. And having that a little bit more objective is a challenge. At the same time, you have to be neutral about it. And I think that's going to be the biggest, I would say challenge for security people, but also for people who will do risk management in organizations to make sure that they grasp the idea that they're complete, but that they balance it towards the reality.
Monica Verma 4:17
Right. I mean, you touched upon something really fantastic, because this World Economic Forum Global Risk Report that comes every year, I actually have been following it for last many years now. Absolutely big fan of it because you really understand how cybersecurity, technology, critical infrastructure are on the top high, both with regards to impact and likelihood if we see the last couple of years from the report. So then it's actually a really fantastic thing that you bring up, because my question really is now: what is systemic risk? Because we have been talking more and more in the last years about cyber risk can be a systemic risk, and rightly so. Because of the global risk, it's not just about losing some money for organization, it's way more than that. So what's your systemic risk and how and when can cyber risk be a systemic risk?
Marc Vael 5:12
I define systemic risk as a risk in a complete breakdown in the complete supply chain, so in the entire system, so all individual parts crumble, and all the dependencies are revealed when this risk is exploited. So in that sense, it's something that also shows unexpected consequences of a cyber risk. But systemic means it can be sudden; it can be unexpected; and the likelihood can build up over time. It doesn't have to be a big bang, it can be really crawling. And the impact is huge. And it covers the complete supply chain. And it produces, in some cases, large failures in systems.
Monica Verma 6:02
So to exemplify, that if the economy of a country and then also due to that maybe the global economy gets affected, due to a cyber attack, if that happens, if a cyber attack can bring the whole national economy and global economy to it's feet.
Marc Vael 6:20
Yeah, it's if your critical infrastructure is touched, we have a kind of an attack or a risk that reveals itself, and it brings down a complete environment in that country, then you could talk about the systemic cyber risk, and especially if it's cyber related, like an attack on the financial system, or on utility system - or on the healthcare system. Yeah. So and that can have ripple effects. It starts maybe in one sector, but then it has ripple effects across other sectors. So that's what we call systemic cyber risk. Yes, correct.
Monica Verma 6:57
Fantastic. So what is actually cyber risk exposure? And why should companies care about it?
Marc Vael 7:02
But the exposure is a little bit linked to, you know, the element of what is the perception of that group? But also, what is their reaction to it? What are the current counter controls that are in place, and for me, cyber exposure, is that vulnerability. But it's more than just the exposure search; it's also the level of countermeasures that are taken. And if there are a huge number of them, then that cyber exposure is limited. If there's only a few, and they've left a lot aside, then that cyber exposure can be huge. The only problem is: it's not visible, you don't see it. It's not a physical thing, you only see it, it's digital. And that's for me the biggest element of explanation to do to people who are not aware of it, they don't see it. So that's, for me the biggest element in cyber exposure. And then it is connected to that, you know, analysis versus reality. And I think that's important. So that cyber exposure is always there. Risk zero does not exist. We all agree on that. But you have levels of where do you want to accept a tool, what point -and I think the biggest of the most important element here is- make it visible. So make that invisible world a visible one; To make sure it's understandable, is the biggest challenge for people who are not 'technology aware' or not have the same skill set; And three, then make them decide on different scenarios, not say, putting them against the wall and say "you have to do this because we have no choice". That's the ultimate scenario. But it's not nice. And it shows a lack of preparation to show that you've not done 'alerting' or 'preventive information' enough when you do that. And I've seen people being fired over the fact that they pushed management and executive levels against the wall with no option, that you only had one option, and that's bad. So for me, it's a very complex matter of bring it simple, down to earth to people, and making sure that they who are authorized to take decisions, take those decisions.
Monica Verma 9:25
Right. I mean, you touched upon some very important critical points here, which one could say are the success criteria, basically the way to implement an effective cyber risk management. Because I've spent many years now implementing Cyber Risk Framework as a part of Enterprise Risk Framework in the companies that I've worked either in as a head of risk management or in my CISO role. And for me, it's natural, but there are so many organizations that we see even today, where cybersecurity risk management or cyber risk management is not considered as an enterprise risk. And this whole integration part is quite critical, I believe. But companies still struggle with that in the other part of it, which was communication. So what recommendations would you give for organizations that are maybe SMBs? Or don't really understand how can they integrate cyber risk into enterprise risk? And how do they communicate better?
Marc Vael 10:25
Yeah, you touch there on a very important element that this is just part of a complete analysis on the enterprise risks. And that's always important to see the bigger picture, not just focused as a silo, or as a topic, and not leaving out financial risk or strategic risk, or, you know, innovation risk or other risks that are external risks, or internalist. So it's part of the enterprise risk management picture, one. Two, it is important because if you align in that approach, you can use the same quantification models in terms of likelihood and impact in current controls. But having that measurement across the whole organization -or the whole industry for that matter- aligned, will help decision makers to really say, A, measuring it at the same scale is important -I see often that the language and the scaling is different, or people don't understand the scale, and that's already the biggest flaw, if and also the biggest recommendation for CEOs to really explain what this risk is an essential doesn't determine the Enterprise Risk, that's the risk manager or the Risk Officer. So having that communication with the Risk Officer, if there is one for SMBs, it is the managing director or the owner of the organization, who can then be advised or guided into that unified scaling, and make it simpler, not 20 grades, but between four to six grades maximum in likelihoods and impacts and in current controls, and give your opinion, not just by one person, but by stakeholders involved. So if you have multiple people, the more people you bring into the room, the better you have a, you know, an overview of what everybody thinks. In my experience, if people can do this anonymous, this voting, you have the best results, if you do it in plain discussion, the person with the biggest power will kill everybody else's opinion. So having that accurate measurements and scaling in place, defining what you mean and doing it objectively. And it's a difficult job, you have to exercise it and be open for that feedback on Oh, I didn't understand it. So I think I didn't understand it. That's not good. So having a clear cut show. And also, if you define it, another recommendation is: make sure that the risk is scoped clearly, what is high risk versus critical, or versus medium or low. And a lot of our evaluation sheet show: low, medium, high critical. But what does the difference mean between the critical and the high? It has to be tangible. So examples help here. And using examples of what happened in an industry or in you know, a competitor or supplier company, or even a customer can make it more realistic for the person who has to, give an opinion on that cybers.
Monica Verma 13:25
There are two things that I want to follow up on what you're saying now, because I think they're quite critical for the audience to understand. One is the whole tangible objective part of it. I usually do a lot of like public speaking as well in talks. And what I do when I talk about cyber is quantification. My interests are usually a punch line that I use, which is the risk I took was calculated. But man, I'm bad at math. The reason being, that's usually the punch line every time I start with talking about risk qualification, because we have been doing risk identification in the finance sector and for other types of risks, financial risk, organizational risk, so other enterprise risk for many decades, this is not new. But when it comes to information security -when it comes to cyber security- this is something that people don't want to touch. They're so scared of it. And so two questions there one, if you can explain a bit to the audience, why is cyber is qualification important? What's the value of it? Why should they care about it? And to what would be some recommendation and tips for how they can do Where? without too much overhead?
Marc Vael 14:38
Yeah. I'm a big fan of keeping it simple. Don't come with the when I lecture on cyber risk, and I give them the whole overview of risks. It's depressing for a lot of people like "whoa, so many risks, how on earth am I ever going to manage that?" So try to cluster it in groups, is an important element to make it a little bit more understandable. Also translate that risk to a business impact or to their world financial supply chain procurement, HR. Another element, of course is then making sure that you have this prioritization that you see that the group anonymously has voted. Now with these voting tools, it's very easy to do that. You have this kind of scattered diagram, but you see that the trend is that most people they're slow, or, and then you see that the majority of people have voted for this. And that's important, and the other people learn. And if there's one odd one out, you don't want to, you know, break the anonymity. But if somebody wants to say why he or she is the odd one out, they can do that, and maybe then they can revert to their voting position, but having that prioritization and that, I would call it trying to objectivy: Why's this? The subjective feeling is important. And finally, also make sure that the end result is something that people say: "Oh, this is very concrete as a list, but now we have to create actions to make sure that the risk becomes solved". And unfortunately, as always, one of the options we have to take into account is, as we mark, it's very nice that we accept the risk. So we will not this year do something about, we feel comfortable unless something would happen that would change our mind. I am a firm believer that the people who have to make the decision, feel backed up by stakeholders. And they are behind saying, okay, in view of all the fact that you give me any information, this is what we do. So making that end result, that focus is very important.
Monica Verma 16:49
So we'll talk about the scaling, right, because you're talking about your low, medium, high, very high critical and so on. One way to be a bit more objective about is to take into account all the or to the best extent possible, obviously, the loss value, the financial impact that it would have, whether it is starting from the direct losses, it gets a cyber attack happens, or some kind of indirect loss due to fines or recovery and all these things, right. So that's one tangible way of doing it. But let's take an example and a scenario where you're saying public sector and health sector for example, right? Their top risks are usually, this is a generalization, but not everybody would be but usually the first priority would always be health and life. So like life and death, that's literally the first risk that they would have. The second would be more in terms of patient doctor confidentiality, patient data, data leakage, preventing data leakage and so on. And then probably the third risk would be a financial loss, obviously, I mean, ultimately, they also care about the finance. For organization like that, why should they care about risk quantification? And how can they quantify what is the value that risk quantification being brings for such an organization?
Marc Vael 18:10
Well, I think what you given the example is indeed the, I would say the strategic risk levels were the three strategic important elements, which are without any discretion, but within each of these categories, you have a lot of subcategories. And for example, take medical equipment, more and more medical equipment gets connected to the internet, or to you know, networks. Where's that sitting? Is that in category one, two, or three, I would argue in all three of them. Because the medical equipment can be hacked. So you can manipulate that, that it sends the wrong data, or it gives the wrong dosage, for example, the patient confidentiality, it capture a lot of information because the medical information or the cap, the equipment will lock, which patient is now in front of this machine or is getting the service from that medical equipment. And finally, financially, yeah. If damaged records could be sold. For example, yeah, for example, or suppose that the hospital works with a third party, and that third party has all the security and all the privacy, but that third party subcontracts to a subcontractor who can't even spell the word security. It who will have to explain it to the government, the subcontractors, I don't think so. The supplier maybe, but it's usually the hospital who remains accountable for an owner of all the information and all the decisions. It's their decision to work with that supplier. It's their decision to review or it's their mandate to review that supplier. And we've seen incidents in the past by which that aspect of accountability is extremely important. I'm always interested to see how long is that supplier, a supplier for that organization? In that hospital, in that company, for the government, in the government every four to five years, you have to revisit it. I worked for seven years of the government. And I found it really fascinating. And it has value to, after a certain period of time, four or five years say, we have to redo this exercise to find out if this organization is still the best for the services that we need now. Not five years ago, but now and then you come into the element of legal aspects or contractual issues. In 2018, we had GDPR, five years ago, when supplier selected there was no GDPR. So how does it influence the selection process of your suppliers of employees in training? so mature organization in terms of cyber risk management have a process in place in which automatically they include this in the procurement? So procurement is sometimes seen as the people who try to bring down the price and just do some legal thing? No, they're very valuable like every aspect in organizational procurement is important because they can help you pinpoint what are the privacy risks? Have you reviewed the security risk, and make that already visible before you even selecting just like financial risk? Is this supplier sustainable financially for the next five years for significant investments? So finance is there to I mean, the CFO sits on the procurement board, just like the risk of social B, and security and privacy. Sure.
Monica Verma 21:27
I mean, there's a couple of things that you mentioned here. One is about maturity, helping the organization be mature. And then one thing that you said before, and you mentioned, even now, what the risk officer is somebody who's probably in SMB, probably an owner, are in a better position, probably a dedicated Risk Officer. And one of the things that I've had challenges with in some immature. It's like my litmus test, if I want to test if an organization is somewhat mature, I mean, there is like, obviously, it's a subjective way to do it, but somewhat mature in terms of risk management. And my question to them is, who is the risk owner? What are your thoughts on that? What kind of challenges have you seen organization? What I'm saying, does it make sense to you? Or what are your experiences with that?
Marc Vael 22:17
Well, there are some famous cases globally, in terms of if something happens, and you see how companies react and who they fire basically, if it goes wrong, but I, I had this training on corporate governance, with the training for how to be a director in the board of directors. And for me, it was an eye opener, and I really recommend everybody if you have the opportunity to follow up training on being a director at the board of directors. Having that training, then you for me, it wasn't an eye opener in the sense that the ultimate accountable or not even the C suite, they had the board of directors, the Board of Directors has the ultimate accountability for the organization in 90% of the cases and they drive and select, you know, who the CEO is. They talk about strategic committee, renumeration committee, the nomination committee, the audit committee now, do they need the risk committee? Maybe they need an innovation committee? Yes, that would be nice. But the board drives the aspects that are key for an organization. Now for an SMB, it could be you had the owner with his family, for example, that can be the owners. But there's always the ultimate accountable. And I say to people, if you don't know who it is, it's very simple. It's the one who can decide to sign the budget or the contract. That person is the accountable. That's the one who could decide for that budget. And that can be a CFO can be a CEO can be a CIO. But I have rarely seen in my career, I've encountered three people who are seaso, on the executive committee, three. So saying that the CEO is responsible or accountable is a little bit far fetched if you're not in that inner circle of decision making with the accountability. So for me, it's not hiding behind it is just saying, look, I can only be accountable for things that I'm accountable for. For example, in my situation, I am authorized to sign GDPR a punishers. And contracts for you know, that was authorized by the CFO to me. And we review that on a regular basis just to make sure it's still fits and the but only for GDPR not for legal for GDPR. And I'm comfortable this because I understand it. I know what the responsibility is. And it's the delegation power that they can do. But the accountability remains with the people who can officially decide, and sometimes it's a seizure, but it has to be delegated. And I don't know if that's always the case. As I said, I've only encountered three people in my whole career. Who have that authority?
Monica Verma 25:03
makes a little sense. I mean, when you are managing the risk in the business level, and it's the business, that's owning the service that you're talking about when it comes to cyber risk is rarely, it really makes sense to put the ownership of the risk of Morales, and not at the business owner in itself. And also, depending on how higher you go, and the point that you make is very correct with accountability, somebody who has the authority to sign a budget or say yes or no, for these kind of decisions at that level, would you recommend maybe top two or three types of metrics that CEOs can use for reporting cyber risk to the business or the management?
Marc Vael 25:52
It's a good question metrics is something that's have a lot of books about it. Most of them are not good. They're talking about holistic metrics, but not really going detail like, okay, these are the metrics, we really want to challenge. I myself have 27 of them that I follow. But if you ask my top three, I could give traditional very, I would say, ordinary examples, you know, like the policy compliance, and how compliant or how many exceptions you haven't have to do, or the superuser access compliance. But those are very ordinary, or even, like security incidents, how many scooters do we have? For me? Those aren't metrics, but they're quite ordinary, because everybody feels that Yeah. Okay. What is interesting are the following three, and just three out of the seven, meantime to resolve. So you have an incident, how long does it take between the time you found out and it's actually resolved, and then the meantime, for a quarter or for a month? That's an interesting metric. Second one would be phishing attacks, success. So you have your simulations within your organization? How many people click on the link, fill it in? Because that's an indicator of something else? And that those are interesting metrics. And the final one, I would suggest is the number of security incidents reported, you know, it reported not the ones that you found yourself that they came to you, right? Yes, but those are indicators that are in my dashboard that I follow up, of course, there's also driveline one, like, how many, how many euros? Did we lose this month on cyber incidents? Well, if it's zero, that's good. And as long as zero, nobody, but it's important to have that euro amount as well. So again, in matrix, it's treat you have ordinary metrics everyone thinks about, but I would focus on those three as kind of look at that. See what the especially the trends, how does it behave over the last year? But indeed, they're not that many good books about security metrics. I have colleagues who struggle with that same question, that it's the holy grail, or what's the ultimate security dashboard for Cisco? Well, that would be an excellent item for your podcast for the next season? Absolutely.
Monica Verma 28:10
Fantastic, thank you, I think we should do really an episode just on the metrics that would be lovely. And I love that you added the psychology aspect of it, because a lot of the cyber risks and also cybersecurity aspects involve the psychology and the human element. So that's fantastic, lovely, lovely, lovely. Before we just run off, can you just say, recommend one book to our audience?
Marc Vael 28:32
Well, as you see, I have a lot of books in my my desk. But there's one that I found very interesting, that I've read in one day, without stopping is this one, the darkest web from journalists, Arlene Ormsby. And it's about three parts about the dark, darker and darkest web. And it gives me some insights on scenarios that you say: okay, this is really confirmed. But there are scenarios that are not confirmed. And that's also good. So, but it's a really fascinating book. It's by a journalist. And it's based on real facts. So it's a story that she tells with all the threat she got, and so on, but definitely, highly recommended on the list for this upcoming season. The darkest
Monica Verma 29:16
Well, thank you. Lovely, such fun conversations. Mark, thank you so much for coming on the podcast show today. It was lovely having you on the show and talking about all the important aspects of cyber risk. That was today's episode of We Talk Cyber with Monica. I'm your host, Monica Verma. I'll be back with more amazing conversations, amazing topics, fantastic guests. So until then, take care, stay safe, and keep tuning in.