An interview with James Lam, Director at E*TRADE Financial, and Chair of the firm’s risk oversight committee, offers some timely advice for an era when cybersecurity has risen to the top of the agenda in the boardroom – and offers a good rationale for a FAIR-minded, quantitative cyber risk approach by board directors. Lam’s interview appears in the Winter 2018 C-Suite Magazine from Equilar.
“Our digital strategies are meant to increase long-term profitability and enterprise value,” Lam says. “We would measure that in economic terms. But what is the cost of risk, including technology, operational and cyber risks? We should likewise measure that in economic terms.”
Lam has some pointed criticism of cyber risk management as it is now practiced, which is heavily driven by cybersecurity frameworks such as NIST CSF and ISO 27001.
“The average CISO at a large company has more than four dozen security vendor relationships. Maturity models always produce an answer that says more – add people, add systems and add processes. But is more always better? Directors are rightfully concerned about program effectiveness and overall preparedness (output), not just program maturity and control components (input).
“These frameworks do not fully meet the needs of the board … Directors are also concerned with key issues that are not addressed by NIST, including alignment with the overall business strategy, cybersecurity risk policy and risk appetite, cyber risk quantification, and overall cybersecurity program effectiveness.”
The article wraps up with these five cybersecurity trends that Lam sees playing out in 2018:
- “Cybercriminals will launch blended attacks that are increasingly more sophisticated, audacious and consequential.”
- “Corporate executives and directors will face new regulations with more stringent standards for governance, privacy, security, and disclosure.”
- “In terms of risk management practice, cybersecurity will be more integrated into ERM.”
- “Directors will demand much better cyber risk reporting from their CISOs.”
- “Advanced technologies and tools will be developed to help companies measure, monitor and manage their cyber risk profile. … Cyber risk quantification models will be developed and implemented to measure value-at-risk (VaR) on an ongoing basis … [to] help companies monitor their cyber risk profiles, evaluate the cost effectiveness of security controls and determine the economic value of cyber insurance.”