Inside the Cyber Risk and Opportunity Landscape

Edna Twumwaa Frimpong

Inside the Cyber Risk and Opportunity Landscape 

Listen to Episode 82 on Apple Podcasts

Guest: Ariel Evans, founder and CEO of RiskQ, Executive Cyber Security Chairperson at Pace University's Seidenberg School of Computer Science and Information Systems, guest lecturer in entrepreneurship at Hebrew University, Tel Aviv University, and others.  

Hosts: Dottie Schindlinger, Executive Director of the Diligent Institute, and Meghan Day, Senior Director of Board Member Experience for Diligent Corporation

Summary:

In this episode of The Corporate Director Podcast, hear from digital expert Ariel Evans as she takes us inside the current cybersecurity risk landscape, discussing what boards should be doing to stay up-to-date and how companies can adapt in the future.  

In This Episode:

  1. Journey to Cybersecurity: Evans shares how her background led her to discover her passion for cybersecurity.
  2. Addressing the Challenge of Cybersecurity Oversight: Evans discusses and shares insight into how boards can better leverage their roles to oversee cybersecurity effectively. 
  3. CISOs on Boards: Evans talks about the importance of increasing the number of CISOs in the boardroom and shares practical steps that boards can take to do this. 

Journey to Cybersecurity

Evans briefly touches on her background and how that led her into cybersecurity as a career path: “I started out as a nuclear physicist and migrated into information technology after spending a few years working on magnetic resonance pulse sequences. I really enjoyed information technology. When the birth of the Internet became the general means of doing business, we quickly saw there was a lot of misunderstanding about what security really was in this new world. And so I came into cybersecurity through governance, risk and compliance on Wall Street." 

Evans continues: “Coming into cybersecurity as a woman is interesting because there's not a lot of us. Meanwhile, the ways that businesses were looking at things were very check-the-box oriented, and coming into cybersecurity from a governance, risk and compliance angle was new for me. But it also led me to see that there were pieces of the puzzle that were missing. I love a challenge, and I was intrigued. So, I became a CISO to learn more about this world of cybersecurity in business. And that was sort of baptism by fire, meaning that the job is really tough, It's 24/7 and 365 days a week, and it's not often a very appreciated job.”

“Most businesses don't understand how valuable their CISOs are from the most part, and the CISOs usually burns out after about two years, because they're overburdened with the amount of work. And they're not supported from a budget perspective. What really caught my eye about being a CISO was the business aspect. The business is beholden to the CISO in many respects, and depend on that person to have the right information.” - Ariel Evans, Founder and CEO of RiskQ

Addressing the Challenge of Cybersecurity Oversight

Evans gives insight into how boards can oversee cybersecurity: “Directors and officers have a fiduciary duty to protect the business assets. That's their role. And in the last 20 years, there's been an evolution in digitization: In 2001 10% of the business was digital. Today, it's well over 85%. The last time they measured it was three years ago, and if it was over 85% then, it's probably closer to 90% now. So if you're not looking at the protection of the digital assets, there's a gap in your ability to execute those fiduciary duties."

She goes on, “Another thing the board should be very keen on is cyber insurance. We see most companies are woefully underinsured by tens of if not hundreds of millions of dollars. There are a lot of reasons for that, but one of them is because the brokers don't know how to tell you how much to buy. But the issue for the board is that cyber insurance is a risk-transfer mechanism that we use, in the case of a data loss from a breach, a ransomware event or any other type of cybersecurity incident that we need to have an extra layer of protection from so that we have a way to transfer that risk over. We don't see enough understanding of what those limits should be. It's called limits adequacy."

“There are some pertinent questions that boards need to ask themselves, such as 'What are the riskiest assets of my business?' If you asked five board members that question, you will get 25 different answers. But that should not be the case; we must be on the same page. There is the need for objective metrics which are financially quantifiable”- Ariel Evans, Founder and CEO of RiskQ

Increasing CISOs on boards

Evans then discussed the importance of having former or CISOs in boardrooms: “Cyber is not the boogeyman, cyber can actually be your best friend. Cybersecurity can help your company be more valuable and sustainable in the event of a cybersecurity incident. If you look at it from a cyber risk perspective, with quantifiable metrics, you can easily understand it and even embrace it. And you can get ahead and put your company in a much more lucrative, valuable position if you do so. Ideally, the company will be worth more money and have more confidence when something goes wrong that they have the right people, process and tools in place to be able to handle it.”

Also in this episode…

Evans shares her take on how boards are likely to change a decade from now: “I think that 10 years from now, the level of artificial intelligence that we're going to be able to apply in this area will be game-changing. This will also create less of a dependency on being able to communicate information to the board as a middle-man. For boards themselves, it will result in greater confidence in the information, and the ability to sleep better at night knowing that your assets are protected, if we're able to automate as much of the entire process as possible together.”

Resources from this Episode: