Cybersecurity Must Be a CEO’s Top Priority, Former Military Defense Expert Tells Risk-Conference Audience
It isn’t a question of if your company’s cyber-security system will be breached; it is a matter of when.
That’s what retired Air Force Major General Brett T. Williams told more than 150 business executives and graduate students gathered at the Hilton Stamford Hotel and Executive Meeting Center for the UConn School of Business’ 4th Annual Connecticut Risk Management Conference.
Cyber-security has to be part of a company’s DNA, he said. The CEO and all top executives need to be as familiar with a company’s cyber protection initiatives as they are with the profit margin, he said. Yet, often, they shy away from those important discussions because it is out of their realm of expertise.
“Does your company take this seriously? The only person who can set the appropriate culture and climate is the CEO,” he said. “This is a vital, strategic business issue. They need to ‘dive deep’ and understand it.”
Williams, the conference keynote speaker, served as the director of operations at the U.S. Cyber Command from 2012-14. In that role, he led a 400-member team that was responsible for the global operations and protection of Department of Defense networks. He is now the president of the Operations and Training Division of IronNet Cybersecurity, Inc., a cybersecurity-solution firm.
The April 7 conference, titled “The New Reality of Global Risk,” featured panel presentations on various types of business vulnerability, ranging from emerging risks and trends to the FBI and compliance.
Expert panelists included Brian Neary, vice president and chief operational risk officer for The Hartford; Michael Lagnese, senior vice president of enterprise risk at Synchrony Financial; David Chaves, coordinating supervisory special agent for white collar/complex crimes at the FBI; David Panagrossi, managing partner and CEO of SROcalendar; John Preli, director of regulatory management and data governance for The Weather Co.—IBM Analytics and many other distinguished speakers.
Michael Golden, the former COO and sales leader for a large insurance company, said he thought the program was well presented.
“It exceeded my expectations,” he said. “The speakers and topics were good. It was pragmatic, insightful and action-oriented. It is a wonderful academic and business bridge that UConn is doing. Risk and reward is a topic every executive today is talking about.”
And with good reason. Williams said we live in a world where anyone can go online and take a tutorial about how to hack an ATM. There is a 24-hour hotline for hackers and if you’re not a do-it-yourselfer, you can easily hire someone to pursue an illegal and unethical breach, he said.
Companies worldwide spend $76.9 billion on cybersecurity, Williams noted. If that sounds like a large investment, consider that a major retailer that had an enormous security breach spent an estimated $1 billion to regain data and re-establish trust with its customers, he said.
“Do we just throw our hands up and give up?” Williams asked. “No. Instead, you have to make yourself a harder target than the next guy.”
A company that is able to assess its biggest vulnerabilities can launch a good defense. Whether the risks are from international hackers or disgruntled former employees, a company must prepare a strong defense, spot breaches quickly (the average company takes 143 days to detect a hack) and prepare in advance for damage control when a problem occurs.
“No one expects you to be perfect. Are you prepared to minimize damage, grow your business and move forward?”
Employee training is also essential, he said. Some 70 to 90 percent of cyber-security breaches occur because a user erroneously clicked on a hacker’s link, he said. In many cases, the solution to a cyber-hack starts before the event occurs.
He left the participants with four key questions:
1. Have you identified your ‘critical data’?
2. Do you know where all of it is stored?
3. Is it encrypted?
4. And who has access to it (including former employees)?
Conference Executive Director Jud Saviskas said he has received great feedback about the conference and is looking forward to next year’s event.
“As was true at last year’s conference, attendees felt that the agenda was jam-packed with valuable information and insight on managing risks, including some risks they’d never even considered,” he said.