Interview with Andy Watkin-Child, Cyber Risk Management Specialist

Andy Watkin-Child is a global thought leader in cyber risk management who has delivered 1st and 2nd line cyber risk management across 5 continents, for leadership teams across Financial Services, Media and Publishing and Engineering and Manufacturing.

He acts as an independent trusted, experienced adviser to leadership teams and boards and has built and led both the 1st and 2nd Lines of defence for cyber, as a CISO and Group Vice President of risk management. Andy has also worked with Financial Services regulators to oversee cyber risk across Europe, the Americas and Asia.

He is one of 140 people to hold a place on the UK Chartered Security Register, recognised by the UK Government’s Centre for the Protection of National Infrastructure (CPNI). Most recently, Andy led cyber, technology and continuity risk management globally for Santander.

Martin Smith who leads the Digital and Technology Practice within Consulting Solutions recently sat down with Andy Watkin-Child to discuss how organisations can manage cyber risk, the skills gaps they face and what value can be generated when managing the risks.

 

Is cyber security a problem for technology leaders or is it a problem for the combined board?

Cyber has evolved considerably over the past 15 years and is, without a doubt, a problem for the combined board due to the direct impact that attacks have on the balance sheet. Whether it be countries hacking countries, data breaches as a result of data theft, or states and governments being held to ransom, such attacks are frequently reported and have many more media column inches left to fill.

Conservative estimates show the worldwide annual cost of cybercrime to be at least US$600bn. As well as being a well-run criminal activity with financial motives, it is also used by countries as a geopolitical weapon and, if cybercrime were to be a country, it is estimated that it would have the 13th highest GDP in the world.

Financial impact to the top and bottom line is significant, with the NotPetya attack of 2017 classed as the most devastating cyber attack in history. It demonstrated that cyber-attacks have a global reach and direct impact on companies, ravaging a range of businesses from shipping ports and supermarkets to ad agencies and law firms at a global cost estimated to be anywhere between US$4bn and US$8bn.

It is also important to note that the regulatory environment is changing rapidly. The UK ICO has issued intentions to fine British Airways (£183m) and Marriott Hotels (£99m) for their data breaches in 2018, an action that will not only impact them financially, but also from a reputation standpoint. There is growing evidence that share price is affected in the aftermath of a cyber-attack, with credit rating agencies running programmes to evaluate the impact of cyber security on credit scoring.

As a society we are living in the 4th industrial revolution where data is a commodity – the reason why hackers exist. We consume huge amounts daily, with companies dependent upon technology platforms to create, transmit, store and use it across a range of functions including finance, human resources, sales and marketing, manufacturing and logistics. The interconnected nature of companies makes data and information critical to their operation, thus it is the responsibility of every board member to be managing and securing it appropriately.

The 2019 edition of the World Economic Forum’s Global Risks Report positions data fraud/theft and large-scale cyber attacks at numbers 4 and 5 respectively, taking their place alongside extreme weather events, failure of climate change mitigation and major natural disasters. It cannot be ignored.

 

Managing cyber risks requires a focus on cost. What business value can be generated when managing these risks?

Quite rightly, companies should look at the value created by running any cyber-security initiative. I put cyber into a mixed bucket of regulation, customer services, brand / reputational damage and damage limitation, all of which are difficult to quantify in terms of cost-benefit.

As the fines and remediation costs stacked up by victims of cyber-attacks demonstrate, the cost of fixing issues prior to an incident far outweighs the cost of managing the fall-out post incident. Rewinding to the Yahoo/Verizon deal in 2017, it is a fact that Yahoo shareholders lost out on $350m following the tech and telco giants agreeing to drop the acquisition price as a result of Yahoo’s data leaks in 2017.

The average direct cost attributed to a cyber-attack is up for debate, but what isn’t is that the figure is significant. Companies such as Maersk and Merck reported significant losses following NotPetya (US$300mn and US$800mn respectively), and in March 2019, a separate attack on Norsk Hydro cost the company a reported US$45mn.

In short, managing cyber risk can generate value to any company and, above all, secures the balance sheet. It won’t stop a hacker from trying to attack you, but it reduces the probability of an incident having a significant impact on your business when they do. Often the benefits realised are those you don’t see, rather than those you do.

 

There seems to be an ever-widening skills gap in the cyber space. What can companies do to protect themselves?

There is a significant skills gap across the cyber landscape, and it must be addressed urgently.

With cyber attacks becoming more sophisticated, companies are starting to appreciate that they need to go that ‘one step further’, so it’s no surprise that security professionals are highly sought after. Indeed, according to an investigation conducted earlier this year by the IT security group ISC, there are c. 3 million cyber roles open and unfilled around the world.

The reason for this skills gap boils down to, in my view, three things: the increasing demand for specialist skills; insufficient compensation and benefits on offer; and a lack of understanding regarding the cyber threat at Board level. If the Board don’t understand, in detail, the potential harm to their business, then they are not going to sign off on the investment required to protect themselves. If the investment doesn’t come, the skill shortage continues, and the gap widens. It’s a vicious cycle.

What’s essential is that the Board ‘understand’ the threat posed, and this is where partners like Sheffield Haworth can assist, tapping into their extensive networks and providing access to those few cyber experts who can educate.

Once the issues facing Board are articulated in full and appreciated, I would advise decision-makers to engage consultant expertise to sit at the top table, giving an independent view on strategic / preventative measures and assisting with the build and creation of the future state. They should also invest in the design and rollout of in-house training, accreditation programmes and apprenticeships, with the action being to ‘grow their own’ experts, planting the seeds and nurturing the next generation of cyber leaders.

As a final measure, they should initiate conversation with government bodies, highlighting their concerns, and look to establish working partnerships to combat the talent shortage. A reference point for such work can be traced back to the US and Barack Obama’s presidency, when he established a tie up between the US Government and Silicon Valley in order to bridge the talent gap.

 

There is complexity associated with cyber security. What does the board need to know to be able to manage the risk?

Cyber is a complex risk to manage, with plenty of evidence to suggest that it places a considerable amount of stress on the balance sheet. In general there are at least 12 security domains (access management, obsolescence, third party supplier, regulatory, network security / vulnerability, patch management etc) that a company should focus on to manage the risk, putting in place the necessary governance structures to provide effective oversight and provide a reasonable level of assurance that they have the appropriate controls in place to both investors and shareholders.

In summary, the board have a responsibility to manage cyber-risk. Below are some simple steps that Chairs and CEOs can take, putting in place plans that allow a business to adequately manage the threat posed:

  • Accept that cyber must be managed as an enterprise-wide business risk, not a technology one.
  • Understand that cyber-attacks have a broad impact across the balance sheet: they impact brand, sales, reputation, and regulatory, implementation and remediation costs.
  • Document and secure the ‘corporate crown jewels’, asking the question “What are our critical data and systems, where are they located, and how secure are they?”
  • Embed clear governance and reporting of Cybersecurity Risk Management Oversight.
  • Keep abreast of, and strive to foresee, the ever-evolving regulatory environment in relation to data and cyber security.
  • Create an emergency-response plan so that the business is set-up to respond effectively should an incident occur.

 

If you require specialist expertise to help your business navigate the risks around cyber security or to help identify where the skills gaps are within your organisation, please contact Martin Smith on m.smith@sheffieldhaworth.com or call him on +44 (0)7507 602746.
