On this episode, Matt speaks with Chris Hetner, a senior executive, board director, and leader in cybersecurity, risk management, and regulatory compliance, about cybersecurity and the newly proposed SEC cybersecurity rules. With over 25 years of experience in the cybersecurity space, Chris has served in roles including Senior Cybersecurity Advisor to the Chairman at the SEC, Managing Director of Information Security Operations at GE Capital, and SVP Information Security at Citi.
Today, Chris talks about understanding the proposed cybersecurity rules, defining materiality, and the importance of focusing on cyber-resilience. Where does the cloud come into it? Hear about the cost of cyberattacks, the core risk exposures, and Chris's formula for personal growth.
· [02:47] Chris’s proudest moments.
· [10:00] The new proposed rules.
· [14:26] Defining materiality.
· [23:56] Bridging the language gap.
· [32:14] Focusing on cyber-resilience.
· [35:36] Cybersecurity expertise on the board.
· [41:27] The cloud.
· [45:32] The formula to personal growth.
· “Ransomware extortion is relatively insignificant relative to the overall cost of the event.”
· “You can’t outsource the risk.”
· “Realize that you’re not always the smartest person in the room.”
· “We don’t know it all, and we never will.”
This is the Cloud Security Today Podcast, where leaders learn how to get cloud security done. And now, your host, Matt Chiodi.
Matt Chiodi (00:14):
Cybersecurity and resilience. Where do those two come together? If you've been paying attention to what's happening in the United States, earlier in 2022 there was a proposed cybersecurity rule that came from the Securities and Exchange Commission. There was a lot of talk in the industry. Therefore I wanted to find the best possible guest, and I thought of none other than Chris Hetner. Chris has been around the SEC as a special advisor to the chair, and also around the National Association of Corporate Directors (NACD). This is someone who is well steeped in regulatory, but also truly understands cybersecurity risk as it relates to the business. I can tell you that this is an area that I actually did not know a lot about, and I took a ton of notes during the interview.
Matt Chiodi (01:08):
One of the things that, as a cybersecurity professional, I've always aspired to do was to translate the technical to the business. And honestly, I don't think I was very good at it. With this podcast, we really dive into what are the things that a board cares about. You don't want it to just be delivering, talking about the number of patches and vulnerabilities to a board, because they don't really understand what that means from a risk perspective to the overall business. This is one of those things that Chris is going to cover off extremely well. Get your notepad ready and listen as Chris talks about resiliency, cybersecurity, and the recently proposed SEC cybersecurity rules.
Matt Chiodi (01:55):
Chris, welcome to the show.
Chris Hetner (01:57):
Hey, Matt, how are you?
Matt Chiodi (01:59):
I'm doing well. I'm glad you could join us.
Chris Hetner (02:02):
I'm glad to be here!
Matt Chiodi (02:04):
I'm excited to talk to you because I'll be honest, what we're going to be talking about is a lot of cybersecurity, regulatory type of things, and that is not an area that I know a lot about. And I'm super excited to have you on because I know you are an expert in this area. You've got a long, accomplished career, from your time as CISO at GE Capital to your time at the SEC as a Senior Cybersecurity Advisor to the Chairman. With that kind of context, I like to start out with digging into people's background; how they got to where they are. And you've done a lot, even if we just talk about the last 10 years. If you had to pick maybe two or three things out that you're really proud of; these are things that moved the needle, what would they be? What would you focus on?
Chris Hetner (02:58):
Great question, Matt. Over the last couple of decades we mostly focused on technology risk management and what we now call cybersecurity across the financial services sector. So early on, one of the biggest accomplishments was to achieve some level of hands-on experience in terms of building out cybersecurity programs, hands-on keyboard, as relates to deploying network security technology platforms such as firewalls and intrusion detection systems. We also focused on SIEM platforms, building security operations centers for data center operations in support of mostly Wall Street firms. I built out a couple of data centers in the New York tristate area that created geographical dispersion and diversity for most of the firms in lower Manhattan. And this became even more of a point of focus post 9/11, when companies were thinking about redundancy.
Chris Hetner (04:06):
That was a key component in my career, and I advise many students, whether it's in high school or undergraduate degree programs, that are looking to pursue a career in cybersecurity: develop that muscle, pick a technological platform, whether it be programming or application security. In my instance, it was deploying network security infrastructure devices. It was mostly a Cisco-powered network that we had, with about 500 firewalls under management, and intrusion detection systems. Also packet analysis, working what we call the stack in terms of layers 1, 2, and 3 of the OSI model, and building that as a foundation. Getting comfortable with that technology. And then from there you can either continue down the technology path or you can shift to more of a program-related role.
Chris Hetner (05:10):
Which is kind of the second portion of my career, where I was running information technology risk and information security, what we now call cybersecurity, across some large banking platforms. I spent five years at Citigroup running technology risk and cyber for their corporate investment bank. And this is very closely aligned to regulatory requirements given the focus they had, whether it be the OCC, the Fed, or the FDIC, on a large global bank. And with that, you develop a new set of capabilities as a cybersecurity professional, because you've really got to understand how the business operates and really get in tune with profit generation, what risks they're willing to take. And also, understanding how they expand the business through mergers, acquisitions, and the integration of information security into their business process.
Chris Hetner (06:10):
Then you start to unpack where the most prevalent risks or threats are going to manifest, and how do we apply defenses and controls in such a way where the business shows an appreciation.
I did that hands-on business risk cybersecurity programming during my time at Citigroup, then I switched to GE Capital, where I was the Global CISO, and leveraged many of those learnings from Citigroup. GE Capital was about a $500 billion financial institution comprising a commercial bank and a consumer banking platform. We operated across 60 countries, about a hundred thousand employees, and tens of thousands of suppliers. I always joke that's where I lost all my hair as a global CISO. There it was a continuation of the intersection of information technology and the treatment of cyber risk and business risk to drive resiliency. However, the other facet of that role was, now that we're under the supervision of the Federal Reserve Bank, we've got to make sure that our programs and our policies run consistently across the globe. And within a two-week period, we had about 40 Fed examiners moving into our headquarters. That created a whole new set of muscles in my career around the appreciation of cyber's intersection with business risk and resilience and regulation. And then the third, which was most of my time spent within the US government, where I was working as Senior Advisor to the Securities and Exchange Commission chair; the chair's office. I worked directly under Mary Jo White and Jay Clayton, and levelled up how we think about cybersecurity across the United States securities market, which is about a $60 trillion market. Which is, again, tens of thousands of firms.
Chris Hetner (08:22):
How do we inform our policies, rulemaking activities? What do we think about examination prioritization? How do we think about enforcement actions if an institution violates or doesn't meet certain requirements? And most of that work that I was leading was underpinned by leveraging threat intelligence, whether it be from the commercial sector or from the intelligence community. That is, understanding where you have pockets of systemic risk, learning from our examinations and our evaluations of how well these firms are operating. And then, working across other agencies such as DHS, US Treasury, FBI, and the intelligence community on creating a consolidated approach. This is where you're consistently bringing in data to help suppress some of those risks. And driving what we call financial services resiliency to make sure that we're able to recover in sufficient time.
Those are kind of three big strokes throughout the last couple of decades. And, now I'm back in the private sector, and kind of pulling it all together in the boardroom community. I kind of think about my role now north of the CEO. We work very closely with the CEO of companies, the boardroom and on pulling this all together, which actually aligns very nicely with the new regulations that will be coming down the pike from the SEC and others.
Matt Chiodi (09:57):
Okay, let's talk about that. From a regulatory perspective, I think here in the US in March 2022, there was a new rule that was proposed, and then there was a whole flurry of discussion in the industry. Give us a summary of what was actually proposed.
Chris Hetner (10:14):
What's proposed builds upon, or, I would say, is anchored on what we delivered in 2018, which was what we call the cybersecurity disclosure interpretive guidance. And it was exactly what it is, it was guidance. It wasn't a hard and fast rule, but what's being proposed now is to take many of the principles that I was responsible for back in the prior chair's office and level it up to now become more of an enforceable rule. It's viewed through the US court systems as strength and requirement. It creates further strength in terms of class action litigation and holding executives accountable. The core components of this new requirement are: one, determining the incident's disclosure within four days based on materiality. Therefore once the incident happens, you have to determine materiality, and then once you determine it's material to your business, you've got four days to disclose.
Chris Hetner (11:24):
Now, materiality can take from a week to months to determine, depending on the size and complexity. And the new chair and the leadership there understand that there's a lot of complexity with that. The other piece of the rule is the traditional blocking and tackling of a cybersecurity program. You must have a written cybersecurity policy, you should have board-level engagement in terms of understanding where those key risks are. The policies and procedures around incident reporting should be kept. You can't just be like, we're just going to fly blind when an incident occurs. It should be documented, codified and ratified by the enterprise's risk management organization. And then there's another component of the rule that talks about "board-level expertise".
Chris Hetner (12:22):
To what extent do you have a cyber expert on the board? Or if not, how are you addressing cybersecurity in the boardroom? Is it by a dedicated committee? Or are you hiring an outside expert? How are you ensuring that you have that level of competency in the boardroom that's being addressed from a cybersecurity standpoint, and disclose exactly how that would occur. The other dimension, I would say, beyond the incident requirement for disclosure is what I would call "left of boom", which is disclosure of your cyber risks. So it's analogous to going to visit the cardiologist and saying, hey, we just did a cardiac scan to detect calcification around my core arteries, and I found 80% blockage in one of my arteries. To me, I view that as a fairly material risk, thank God, I realized the heart attack but that's probably something that needs to be addressed through treatment. Whether it be medication, stent, diet, exercise, or stop smoking, etc. Use that type of material risk, flip it or apply that cyber lens to your organization and also understand it. It needs to be understood through the lens of what we call "unaddressed cyber risk". This means that you've got technology debt, you've got employees that have heightened administrative access, and maybe you're operating in a geographical region that will likely present risk. Think about how that risk is being addressed and how you are disclosing that as part of your flow up into an engagement with the enterprise risk management organization and the board of directors. Those are the broad-stroke areas that are really contained within this rule. And then I could talk in a little more detail in terms of how that's unpackaged.
Matt Chiodi (14:25):
When I read what was proposed, one of the things that stood out to me was, and you mentioned this as well, which is the word material. Is there an accepted definition of what would trigger that?
Chris Hetner (14:38):
Well, keep in mind materiality is a fairly legal term, so it's written by lawyers in the SEC. And I could tell you from the rule and what's been written about this: the publicly listed companies contained within the proposal are required to report, again within the four days, once an incident is deemed "material". And the material determination is influenced by a couple of factors. Number one is, what's the impact on the business? For example, a hospital that realized a ransomware event is going to look different than a ransomware event impacting a manufacturer, and it's a little different than a data breach impacting, let's say, a bank or financial services firm. Therefore it has to be very business specific. Two, what's its impact on its operations? If you're a publicly listed company and you have a ransomware attack, your manufacturer takes down the core portion of your ability to produce products and suddenly you have potential for business interruption. You're unable to produce a product, which means that it's going to impede sales. Which leads us to the third component, which in our opinion, in the legal community and in what we'll call the accounting community; if you look at the accounting principles, it's really an impact on the financial condition of the firm. And this is what we call the "so-what factor", aka materiality.
The financial condition is really about impact to specific factors, and I can actually walk through some of the types of costs and adverse consequences that companies may incur or experience as a result of a material cybersecurity incident. Thinking through for your audience, if you've got a cybersecurity program and you have a series of incidents that occur perhaps on an hourly basis, or a daily basis. My concern with the cybersecurity industry, where we stand now, is the current ecosystem, whether it's on endpoint detection, all the way through security operation centers or security monitoring. These are largely focused on technical level threats which are used to inform measures to inform risk. Therefore this could be like, "Hey, I've got an IP address moving laterally on my network that's abnormal, or I have a user that accessed the system at midnight that shouldn't be accessing the system. Or we've seen some points of network telemetry that seem abnormal." And the problem that we have with the current ecosystem, is it still lacks the ability to apply what we call business operational financial context to the cyber threats.
Chris Hetner (17:47):
As I would advise your audience, and how I advise boards of directors on this topic, is to contemplate these costs due to a business interruption, such as decrease in production, delays in product launches; contemplate the payments to meet the ransomware, or the extortion demands. And by the way, ransomware extortion or payment on the ransom is relatively insignificant relative to the overall cost of the event. One of the points listed in the proposed rule is, what are the costs around remediation? Such as stolen assets, or information, perhaps it's intellectual property, or perhaps it's R&D that you spent tens of millions of dollars on to keep it protected within the four walls of your company to inform a new product release. Now, an adversary has siphoned that data and suddenly your IP is now public domain. Now, that puts you at a severe disadvantage, and if I was a shareholder, and I know that you as a company are producing a product that's differentiated, which means that your market share is going to increase, your stock value is going to increase, and suddenly it's open domain. That could represent some problems in terms of depreciation of value, but there are also other costs, like remediation to systems, replacing systems. And what if you have to create incentives to retain customers or business partners in order to maintain those relationships post incident? And then of course, you have the "cyber protection cost", which is where I spent a couple of years in the insurance industry, where you've got increased premiums and the cost of making the organizational changes. The deployment of additional personnel, third parties, training employees, engaging third-party experts and consultants; these costs could be in the tens of millions of dollars. And then of course, you know, let's just call it as it is, what about the loss of revenue, whether it be from intellectual property theft, or whether it's your inability to produce widgets that are going to be sold.
Unauthorized use of proprietary information is extremely lucrative for adversaries, particularly within certain countries that repurpose intellectual property for their own agenda. And then, some of the work that I've been kind of aligning to recently is, understanding the litigation, legal risks, regulatory actions, and these legal costs could be in the billions of dollars. And in fact, I won't name names but there was a healthcare company and a consumer product company, and both had a business interruption event this calendar year.
Chris Hetner (21:01):
And both companies realized a hundred million write-down as a result, and that was like completely disclosed prior. Therefore, it's that type of enumeration of what those cost implications are, that have either direct or indirect financial costs, that can negatively influence the balance sheet of the company. And again, Matt, my concern is the CISO cybersecurity community, their security operations centers are ill prepared with the tooling, the analytics, and the expertise to help inform some of these decisions. And then you've got a four-day clock that starts once you determine materiality. I think this would be a wake-up call to action for us to level up our tooling in order to deliver this business and financial context.
Commercial - Matt Chiodi (21:54):
Prisma Cloud secures infrastructure, applications, data and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. Prisma Cloud also integrates with any continuous integration and continuous delivery workflow to secure cloud infrastructure and applications early in development. You can scan infrastructure-as-code templates, container images, serverless functions, and more, while gaining powerful full-stack runtime protection. This is unified security for DevOps and security teams. To find out more, go to prismacloud.io.
Matt Chiodi (22:41):
The items that you mentioned, I took some notes because a lot of this stuff is not stuff that I've been close to in my career, but the impact on the business; these are the things that when I've worked in security programs, the programs themselves, in terms of the reporting that we do upwards, were always, like you said, very technically focused. For example, the vulnerabilities outstanding, how long is the mean time to remediation, and all those very technically focused metrics.
Matt Chiodi (23:09):
It sounds like you're saying that from a board perspective, and then as I guess it relates to the proposed rule, that the board is probably not interested at all in those number of vulnerabilities, but they really want to understand just what the impact to the business is. And I guess my question to you is, you're right, most tools that I've worked with over the years are, again, technically focused. They don't have insight into the business. In fact, this is one of the things I've seen, even when teams have gone out to make a proposal for saying something like, "Hey, this is why we want to make a seven-figure investment into this security tool." And then someone says, well, "What's the ROI on it?" And then they're like, "Ah, you really can't show the ROI of a security tool, except we get that whole debate." Therefore my question for you, Chris is, this is what boards are actually looking for, but it seems like the language that most cybersecurity programs, quite frankly, that I've been a part of, don't speak that language. How do you bridge that gap?
Chris Hetner (24:10):
Yes, it's an area that I've been squarely focused on, and quite frankly, I struggled with it while I was in the CISO role for GE Capital. The metrics that we were delivering, and we still see this being delivered, are, to your point, of a very tactical nature. They need time to recover, and it's basically blocking and tackling such as patch time, remediation, deployment of specific controls and authentication measures. You pick a program, you receive the funding for the program, and your goal is to go from zero to a hundred percent over a quarter, or over another quarter. And so what we're seeing now is, again, with the SEC ruling, and even if you take a step back, the global economy; the cost associated with cyber is just astronomical.
Chris Hetner (25:05):
Some studies suggest, through the World Economic Forum, that for this calendar year the cost to the global economy is $6 to 7 trillion. And that is expected to grow to the order of $10 trillion over the next five years. Therefore, this is increasingly becoming a systemic risk across our society, and across our economies. It's becoming an economic exposure, and with that the boardroom and the C-suite and the regulators are going to require the delivery of this context in terms of what I call the so-what factor. If we indicate these examples that I enumerated before, the potential cost and damage that can stem from material incidents, and to the extent that you're a small company that has been the target of cyberattacks so severe that the company may go out of business as a result.
Chris Hetner (26:11):
Therefore we really need to start to think about the direct and indirect financial cost to the company. And in the boardroom, my role with the boardroom at the National Association of Corporate Directors is, we have about 25,000 members. And on an annual basis, we produce a number of surveys, everything from ESG to transparency, to ethics to governance principles. Cyber is always top three, and I'd say on average, in the last three and a half years, 70% of the boardroom community continue to assert that they don't understand what's being delivered to them in terms of cyber risk. There's too much uncertainty. And I've witnessed this while sitting on dozens of boards as an advisor on a quarterly basis. And what we've decided to pursue is, how do we bring something that's more business context?
Chris Hetner (27:20):
What if we bring a level-up, top-down analysis as to where the most material threats are going to manifest for this specific company, that would have a material financial harm, using a loss analysis. Which is very similar to how the cyber insurance industry operates, or the insurance industry as a whole. And we call this an annual expected loss analysis; it's a compass, which basically says, based on your business profile, based on historical activities, as well as how effective you are as a security organization, and you could pick the framework, whether it's CIS, NIST CSF, or ISO. Pick the framework, but have an indication as to where you are from a maturity standpoint, and blend that into how the risk transfer markets think about where those annual expected losses are. Now you've got a compelling story with the boardroom, and it's really about the financial exposure relative to those material threats that are going to have the most material impact on the financial condition of the company.
Chris Hetner (28:33):
And then more importantly, to what extent are you deploying capital investments and deployment of tooling in order to intercept those threats? We launched this summer through the NACD, and we actually had a hard launch during the NACD summit in October, the NACD cyber risk reporting service powered by X Analytics. And we looked at a wide range of tooling and capabilities, and this was everything from outside-in vendors to scanning tools, to network telemetry vendors, and to open source models where you do Monte Carlo simulation. Everything that we brought into the tent failed to deliver the efficient and sufficient insights. So our view on this is the true arbitrator for cyber risk management is the risk transfer markets. Therefore this analytics platform was built on the back of the cyber insurance industry, and again, it helps to provide directional guidance and a compass as to where to deploy capital in order to suppress that risk.
Chris Hetner (29:40):
And the opening (Inaudible 30:03) with the board is, you're a company of this size, you have this many assets, this many employees, and you operate in these countries. Here's where you are from a maturity standpoint, because invariably a company has some level of security assessment, whether it's from a PricewaterhouseCoopers or a regulatory assessment; they're assessed to that. And we're able to back that into where those most likely threats are going to occur. And again, here's the range, you've got a hundred million in unaddressed cyber risk. It can manifest into these quadrants or tranches; ransomware, business interruption, and intellectual property is an exposure to you. And based on these core risk exposures, here's where you should start deploying capital. Maybe you're underinvested in response time, and maybe if uptime is most critical, then maybe you should be investing in quick, fast, and efficient recovery from ransomware. This is where you've got pristine copies of data that are kept offline and are able to be recovered.
Chris Hetner (30:50):
You'll be amazed how many organizations don't take this risk-based approach to deploying investments in cybersecurity. We have one company that had a ransomware event, and they are in the consumer manufacturing business. And when they looked at their policy from an insurance standpoint, it was designed to protect against personally identifiable information loss. I questioned the risk manager and the CISO; I asked, "Who thought of this policy?" And they said, "Well, we just kind of thought that was our biggest risk." The reality is that you guys are down for 48 hours and it's going to cost you about 25 million. The policy in reality should have been constructed to address the downtime, or the outage. Therefore, again, it's aligning those budgets and those resources to suppress those risks in a material way.
Matt Chiodi (31:47):
In November of 2022, there was a Harvard Business Review article that you authored with Dr. Keri Pearlson. And one of the things I pulled out that I think fits really well with what you just mentioned was, it says: "Most organizations we've studied focus on cyber protection rather than cyber resilience. And we believe that is a mistake." You mentioned the word resilience. Where does cyber resilience fit in with, let's bring this back to what's coming down the pike with this potential SEC ruling? Where does that fit in? Because you're right, I think that even thinking through the different organizations I've been through, there's probably been one or two that had any focus on resilience.
Chris Hetner (32:33):
Yes, it's a great question, and we're starting to hear resilience ring through the community, within the boardroom, within the enterprise risk management community, and within the cybersecurity community. And what we're trying to achieve here is, let's get out of the 'right of boom', which is we're always responding to incidents, suppressing, and putting out fires. Let's try to move 'left of boom', where we're identifying those threats that represent the most material impact, and we're proactively communicating with the chief financial officer, the folks that hold the purse strings, to ensure that you're deploying capital in such a way that maintains business resilience. And when we think about resilience, the analogy could be, if we have a 48-hour outage as a result of downtime across these systems that support these business processes, you put that forward to the enterprise risk team. You make sure that you have legal, risk, the business owners involved, and you make some decisions around, is that acceptable? And if the answer is no, then let's talk about an acceptable level of downtime. The answer may be, we can operate without this capability for 12 hours, and it would only cost us maybe a couple million dollars relative to our billion-dollar spend or our billion-dollar exposure. Whatever it may be, it's getting to that calculation as to where you are relative to the broader exposure. And then from there, you back into it, and think, if 48 hours is not acceptable, let's now move the needle down to 12 hours. Now you've got a differential, and that's where you're going to build in your resiliency plan. You're going to make sure that if the business interruption event occurs, all of your capital deployment, your backup plans, and the way you recover data are all aligned to maintain that resilience strength.
Chris Hetner (34:43):
And if you don't have the support from the people in the organization and you don't have the right technology deployed, then that is going to unfortunately impede your ability to maintain resiliency. And so that's really about having that transparent type of conversation, and bringing in the business operational financial context to the exposure, and then getting the support from the enterprise risk organization, or the board. Once they say this is not acceptable, then we can accept maybe 20% of the risk, but 80% needs to be addressed. Okay, then let's talk about how to transform the way we operate our business, and let's talk about the deployment of technology. Let's reevaluate our supply chain exposure and dependency. And these measures in the steps are eventually going to achieve some level of resiliency.
Matt Chiodi (35:36):
Okay, let's go back to, I think it's proposed Item 407, which is where it would require companies to annually disclose, in their proxy statements for their annual meetings of shareholders, the cybersecurity expertise of the board of directors, if any. On this specifically, we've been talking about resilience, and we've been talking about the need to actually speak business language. And I have a couple of questions. If this is going to cause public companies to seek more cyber-experienced directors for their board, how do you think, as an industry, we're going to bridge the gap? Where, again, you have a lot of CISOs that are very technical, they maybe came from a network security background, right? They came up building firewalls, and so they have a very technical view of the cybersecurity world, and yet you're talking about the things that may end up in this SEC rule, which today are just guidance. However, when it becomes like, no, you have to do these things, how do we bridge that gap with cybersecurity leaders? Where do you start? What should we be doing as an industry and as leaders, if we aspire to that someday, how do we get from being really good technically to being able to speak in a way that's actually consumable by the business?
Chris Hetner (37:01):
I have a viewpoint on that particular portion of the rule in that it's impossible to fill every boardroom with cyber experts that are capable of understanding the completeness of business risk or regulatory risks, or all the risk factors and the governance factors required to become and remain an effective board member. The NACD does a good job at delivering an annual certification process through board readiness training, and they have various domains that companies and individuals should pursue if they aspire to be a board member. However, again, cyber is only a sliver of the entirety of what it means to become and remain an effective board member. The other facet of this is, if you don't have the expertise dedicated to the board, you can augment it using a supplier, or we'll call it an outside advisor. There are plenty of folks that are retired CISOs with 25-plus years of experience in industry, who perhaps have that business acumen and experience that can be delivered through some type of outside capability. And we're seeing this as a push, because to give up a board seat to a cyber expert is very precious, because again, you can't be the proverbial 'one trick pony' around understanding the technology. The other dimension to this, which is kind of a negative consequence of having the "designated CISO" sitting on the board, is, what I've seen is it continues to advance the ineffective communications in terms of delivering technology jargon into the boardroom. And so what happens is you have technology experts and cyber experts on the board. You have the CISO reporting up to the board, and it becomes a one-to-one conversation. And what I've observed is, once that agenda item is surfaced, the entirety of the board checks out, and you're not achieving proper governance because, again, you want to have the entire board locked in. They should be understanding these risks, because it can't be up to that one individual.
Chris Hetner (39:38):
And you're not able to deliver, unfortunately, the materiality decision, which is really about the alignment of cyber and technology risk to business operations and financials. Therefore you have to have this balancing act, and perhaps if you are a critical infrastructure operator, a top 20 banking institution, you would probably want that dedicated individual or perhaps an outside expert to augment some of that capability. However, the conversation needs to be wholesome enough where the entirety of the board can enact proper governance. And again, if technical conversation continues to persist, unfortunately that's not going to address resiliency, because the board's not going to allocate dollars and funds. And this is because they are not going to understand how the risk is impacting their business, and it's not going to achieve the objective of what's stated within the SEC ruling. Therefore, you can have that cyber expert keep the conversation offline when it comes to technology, and keep the metrics that are tactical in nature in the appendix of the report, but make sure that once you come into that boardroom, whether it's reporting to the audit committee or to the risk committee, you've got the entirety of the board locked and loaded and engaged on this conversation.
Matt Chiodi (41:10):
The proposed rule would also require companies to disclose a lot of different facets of their cybersecurity policies and procedures. One of the things I believe I pulled out was, for example, other procedures for overseeing the cybersecurity risk from the use of a third-party service provider. This is where I see cloud coming into the conversation, where you mentioned also critical infrastructure operators. I don't know if the three large CSPs are designated as critical infrastructure yet, but certainly for many businesses that are operating the majority of their computers there, they would certainly consider that. And so, where does the cloud come into all this?
Chris Hetner (41:54):
The supply chain dependency and the cloud is part of that view on where enterprise risk can be impacted as a result of the dependencies on these third parties. Earlier on I mentioned the types of costs and adverse consequences that companies may incur or experience as a result of cyber risk or incidents. Apply that same list to your supply chain and make sure that you have a solid understanding of, one, where are your suppliers? What level of support are they providing? Are they a core cloud provider, or is it an outsourced operations center, an outsourced call center, for instance? Whatever that supplier service may be delivering, it needs to be tied into your enterprise risk management function. And this is because the industry doesn't view suppliers any differently than an internal capability.
Chris Hetner (43:04):
All you're doing is outsourcing the capability, but you can't outsource the risk. And in the instance of the large cloud service providers, where it gets nuanced, you've got everything below the hypervisor level. We'll call it the data centers, for instance, the physical assets of these operators. They're typically evaluated through some level of standardization or some level of audit, and there's almost like a trust factor there that you've got to lean on. They're operating their core infrastructure and their redundancy in such a way that it's meeting certain requirements, whether it be power or anything else, for instance network redundancy. However, once you step above that hypervisor or the core infrastructure of the cloud provider, then it becomes your responsibility in terms of the management of the data and the ability to apply different types of controls.
Chris Hetner (44:13):
I've seen many cloud providers even offer additional cybersecurity services beyond just the core native. And unfortunately those aren't well understood, and many companies don't buy or level up their cybersecurity capabilities because they just inherently think that because they're in the cloud, it's inherently secure. However, the reality is that if I'm doing, let's say, an upload or throwing up an instance for an online accounting capability for my business into AWS or any other cloud provider, they offer baseline security, but those aren't inherently configured. You have to deploy those configurations no differently than if you were to build an instance inside your organization. Therefore, be mindful of the connectivity between cloud providers and supply chain as part of your organization and as a part of your enterprise risk. And if an incident occurs or unaddressed cyber risks exist, and it's in the third-party ecosystem, that has to be part of your disclosure process.
Matt Chiodi (45:32):
Okay, let's switch gears, when it comes to personal growth, what's the formula that works for you?
Chris Hetner (45:40):
It's being your own critic, and it's constantly evolving in cybersecurity and other facets of being an executive and a wholesome individual. Never stop, continue to learn, and be humble enough to realize that you're not always the smartest person in the room. Listening is, in my mind, the most important communication skill. My theory is, if we're having a dialogue with an individual or a bunch of individuals, you know, 70 to 80% of my time should be listening. And this is versus telling or advancing my agenda. And like I said, continue to evolve and realize that we don't know it all and we never will. And this is an evolving, complex space that needs to be tackled using full transparency, a risk-based approach, and constant evolution and learning.
Matt Chiodi (46:49):
Well, Chris, those are some awesome words of wisdom, thank you for sharing today. Thank you for talking about a lot of these things and I learned a lot in this podcast. Thank you so much for your time, and thanks for coming on the show.
Chris Hetner (47:21):
Awesome, Matt. Thank you!
Thank you for joining us for today's episode. To find out more, please visit firstname.lastname@example.org.