teissTalk: Quantifying cyber risk at Board level

teissTalk Host Geoff White was joined by Paul Lewis, Senior Director of Cloud Security, Elsevier; Simon Mair, Head of Information Security and Data Privacy, Brewin Dolphin; and Brooks Wallace, VP Sales EMEA, Deep Instinct.

 

Views on news
The Facebook outage has been a lesson in business continuity and concentrated risk. It turned a benign configuration challenge into a blackout, where security controls prevented recovery. Although reports of Facebook using angle grinders to access its server cages haven’t been confirmed, the story is symbolic of the challenges that self-sufficient processes combined with a single point of failure can present.

Facebook employees were denied entry because their entry passes were linked into the same information security systems as the rest of the infrastructure. The outage can be seen as a low-probability but extremely high-impact (black swan) event. (See also the Carrington event.)

 


Communicating cyber risk to the Board
Three-quarters of those in the chat room said they have conversations about cyber risks with their boards. The average time allocated for CISOs to explain threats is thirty minutes. CISOs need to face up to the fact that the risk they are alerting the Board to is only one of many; there are plenty of other, operational types of risk. The most typical question CISOs are asked by the Board is “Are we secure?”, but it’s hard to give a straightforward answer because “it depends”.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543