Assessing the Cybersecurity Challenge for Consultants: In-conversation with Marcus Troiano

By Tom Koor posted 01-15-2018 13:35


After many years and many billions of dollars of spending, the cybersecurity problem is getting worse, according to a May 22, 2017 Harvard Businss Review article:

  • Cybersecurity is not just a technical problem. Economics, human psychology and many other disciplines play a part.
  • Cyberspace rules are different than in the physical world. In the physical world there are borders, geographical areas where police, courts and governments have jurisdiction. In cyberspace, there are no borders. A threat can come from anyone, anywhere in the world, at any time.
  • Legal and policy frameworks are lagging.
    1. What the role of governments vs private sector?
    2. What is the role of regulators?
    3. How can people around the world be held accountable for their actions? 

Marcus Troiano will be presenting at the February 6, 2018 Governance Special Interest Group meeting in Toronto. Marcus is a Cybersecurity Strategy Advisor with a focus on providing innovative solutions to the complex security challenges his clients face. He has led and delivered cybersecurity strategy development and transformation projects for leading organizations and governments in Canada, the United States, Latin America, and Europe. 

Marcus is based in Toronto, Canada, and is a Principal Consultant for Mandiant, a FireEye Company, the leader in helping organizations respond to, and proactively protect against, advanced cybersecurity threats.

Marcus was interviewed by Tom Koor, Chair of the Governance Special Interest Group on January 9, 2018. Tom has been a strategic advisor for 30 years, with Ernst & Young, Accenture, and Koor & Associates.  He has helped CEOs, boards and the C-Suite think through and execute fundamental changes such as acquisitions, divestitures, reorganization and business model transformation. 

Why is cyber security important to boards and to the consultants advising boards? 

Cybersecurity is a major risk for all businesses and can impact: reputation, finances, confidence in the brand and even the ability to stay in business. The board needs to understand the significance of the risk and ensure management is taking the appropriate steps to prepare for and respond to the risks.  In fact, they have a fiduciary duty to do so. Any consultant advising the board should understand how cybersecurity fits into the mix. With the impact as high at it is, cybersecurity needs to be a top consideration for the board, management, and their advisors. 

What are some common misconceptions boards and management have? 

There are 6 major misconceptions:

  • “We’re not a target. Why would we be a target.” In fact, every organization and individual may be a target.
  • “we don’t have significant ”  Every company has information which is critical if it were stolen or simply made unavailable due to ransomware.  There is also the potential to disrupt company operations or even endanger lives.
  • “Cybersecurity is an information technology issue.” Technology is only part of the problem and only part of the solution. A variety of people and management processes need to be examined in the light of “faked” emails, “faked” websites, and other social engineering threats.
  • “The state sponsor hackers would not be interested in a company like us.” State sponsored hackers are attacking a broad range of companies, organizations, government seeking not only to obtain a variety of information (such as intellectual property and political information) but also to spread misinformation. There are lots of criminals targeting both large and small organizations seeking large and small amounts of money.
  • “Security means being able to keep the hackers out.” You cannot assume 100% chance of keeping hackers out. You must assume they can get in.  Therefore, you need to be able to determine if hackers have broken in and have a response plan ready.
  • “A breach takes place over a very short period of time, perhaps a few seconds before something bad happens”. A hacker may be in your systems for a year, getting to understand your management processes and information assets, before taking action. 

What is the best way to select and work with a cyber security consultant? 

You need to select a consultant who has had actual experience preparing for breaches, dealing with and responding to breaches. The consultant needs to understand the full breath of cybersecurity, not just one aspect be it: technical, board processes, etc. Cybersecurity is far more than just a compliance issue. The consultant needs to have deep understanding of the hackers in the specific industry and be aware of emerging trends. Larger organizations need to have an internal threat response and intelligence team. 

What are some of the key questions boards should be asking management? 

  • How do you know you have not already been breached? A hacker may have been in your system for the past year. The fact that nothing bad has happened is no proof that you have not been breached.
  • What are the critical assets and management processes you need to protect? A hacker may not just steal something, but either make an asset unavailable (via ransomware) or impact some operational processes e.g. If you provide remote door unlocking for the cars you sell, you want to make sure hackers cannot unlock and start the cars.
  • What is the cybersecurity response plan? Who communicate what information to which stakeholders at what points in time?  If you are a public company, what is the process and criteria for determining if a breach requires a material disclosure? How would you respond to various situations e.g. paying ransom – what if the hacker can harm lives?
  • Do you have the right partners lined up and ready to assist with a response? g. lawyers, cyber-security consultants, etc. 

What can small and medium sized businesses with limited resources do? 

  • You always start with understanding what the key assets are that you must protects.
  • Put your information technology assets (infrastructure and applications) in the cloud. A reputable cloud provider will be able to provide significant technical security. Your company will still need to address the people and management processes. And special attention will need to be given to how you manage access to the cloud, and how you architect your solutions.
  • Also consider outsourcing management processes that are a target, such as payment processing.
  • You need a cybersecurity response plan and have an incident response partner lined to up assist.
  • An outside consultant is key to helping you put the above in place. Larger organizations with large support staff can do far more activities internally, but also require assistance in understanding their threats, and developing their strategy. 

Thank you for you time and insights today. I am looking forward to February 6 in Toronto, where you'll share more insights and engage the audience in discussion. 

For more information on the session, visit: Cybersecurity: How Management and Boards Should Prepare and Respond