At a recent Banking CEOs and directors’ forum in Sydney, a CEO shared what keeps him awake at night. Not surprisingly, the two biggest issues in his eyes were
“the availability of IT systems and Hackers.”
The availability of IT systems did not come as a surprise, and the fact that he was concerned about a security compromise was not a surprise either. What did surprise me, however, was the choice of word he used to describe his security concerns – Hackers. The CEO did not use the words data breach, security compromise, or financial or reputational risk – yet that’s all we use as Cyber Security Experts or as an industry.
He used the word hacker; to him it was personal and emotive. A faceless person, a dark character, of flesh and blood with a mind that is unpredictable, a character that exudes uncertainty and is skilled and capable of causing a single catastrophic event. A threat actor that needs to be eradicated.
One word embodied so much for this CEO.
In this mindset, the goal becomes: stop the hacker. Simple, right? In theory, yes; in practice, if only it were that easy. We know that with all the security technology available to us, this remains near impossible on cost alone.
The discussion then moved on from stopping the hackers to mitigating the risk in the form of cyber insurance – let’s not worry about doing all we can to prevent a breach, rather let’s make sure that should something occur, we have insurance to cover costs associated with data recovery.
Sadly, there is no insurance to cover reputational risk to your brand or the fact that all your customer data was stolen. It is almost impossible to quantify, in both direct and indirect costs, for years to come.
What I did take from this experience is that attacks on organisations are just as personal as attacks on you or me.