Consulting magazine recently interviewed Santa Fe Group Chairman and CEO Catherine Allen for an article examining cybersecurity challenges and related consulting trends. During the discussion, Catherine shared her insights on current cybersecurity issues, related third party risk management challenges, and board dynamics concerning information security.
The article, which is slated to appear in the publication in March, will feature insights from Cathy along with leaders of cybersecurity practices in global consulting firms. Here are four high-level cybersecurity trends Catherine covered during her discussion with Consulting:
1. Resiliency is a primary focal point: Even companies with the most advanced cybersecurity practices are likely to get hacked. As a result, organizational information security programs are focusing more on resiliency and business continuity activities. “Prevention remains critical, and companies continue to strengthen policies, improve the technologies they have in place, invest in training, and adopt best practices,” Catherine said. “But we’re just not at a point where we can stay ahead of the bad guys. When a breach occurs, companies need to have a set of incident response, crisis management and business continuity protocols in place. Boards want to know how quickly the company can handle the breach and get back up and running.”
2. Continuous monitoring is crucial: More companies are investing in improvements to continuous monitoring processes and supporting technologies. These capabilities help bolster prevention and incident-response capabilities. “We’re seeing a strong drive toward continuous monitoring so that when a breach occurs, a company can quickly identify, isolate and address it,” Catherine pointed out.
3. OT-IT convergence requires more attention: The convergence of operational technology (OT) and information technology (IT) marks an important and rapidly emerging risk-management area (it’s also a topic that features prominently in the upcoming 2019 Shared Assessments Summit). “Boards and C-suites are increasingly looking at the convergence of physical, cyber and operational security,” Catherine told Consulting. This integrated view of risk management is necessary because more adversaries are breaking physical barriers to hack into organizational information systems. As OT-IT convergence attracts more attention, companies with mature third party risk management programs are applying more scrutiny to risk management practices within fourth and fifth parties (i.e., the technology and services providers that their vendors use).
4. Cyber attackers move beyond financial motives: While the hacking of financial data remains a top concern, bad actors and other adversaries also target other data (such as intellectual property) for financial gain, to inflict reputational damage, or to sow chaos. Think of a cyberattack by a nation-state that strikes an electric grid, hospital system or the elections process in a rival country. “Many companies primarily focus on protecting financial data,” Catherine added. “But you have to take a comprehensive view of the organizational data that could potentially be targeted and then understand how that fits into the third party risk management as well as the broader context of enterprise risk management.”