Andy Watkin-Child is an internationally renowned cybersecurity and risk expert, who acts as our advisor on cybersecurity and risk. A 20-year veteran of cybersecurity, risk management and technology, Andy has held international leadership positions in first and second lines of defence for a number of large companies and is a Board member of the Security Institute. He is founding partner of Parava Security Solutions – an independent cybersecurity risk management advisory firm – and The Augusta Group, a US-based advisory company.
He sat down with Rebecca Hopkinson, Howgate Sable’s client director and head of cyber security and risk management, to discuss the cybersecurity landscape.
RH: Thanks for joining me, Andy. Can you give us a snapshot view of what’s happening in cybersecurity and risk management around the world right now?
AWC: The issues around cybersecurity and risk management have been growing in impetus in recent years, but in the last 12 months or so they have really amplified because various Governments and governing bodies, as well as banks and insurers, have started to lay out their plans and guidance for cybersecurity risk management affecting businesses all over the world.
U.S. and EU regulators have started to develop cybersecurity risk management regulations and enforcement programs. These regulations require companies that trade with the U.S. and EU, need access to U.S. capital markets, or manufacture digital products or services supplied to the EU or U.S. to implement cybersecurity risk management. U.S. agencies are also developing regulatory enforcement programs that are focused on cybersecurity regulation and compliance.
The cyber insurance industry has been evaluating how it manages cybersecurity risk. It is increasing premiums and reducing coverage; as an example, Lloyd’s of London – one of the biggest B2B insurers – has recently changed its policies to clarify that it will not pay out where a nation state is behind an attack. This naturally presents a huge worry to organisations and has prompted action among many.
RH: What, in your opinion, are the biggest cyber risks facing businesses?
AWC: Cyber has become a national security risk and an offensive weapon of choice for hostile states – cheaper, easier to run and equally as effective as kinetic warfare. No matter what sector your business is in, you will rely on a digital infrastructure to manage it and, sadly, most organisations’ defences have not generally kept pace with developments in hacking. We must not forget that NATO reaffirmed cyberspace as a domain of operation as far back as 2016.
Businesses can be crippled by a cyber attack. They can be taken offline for months, reverting to pen and paper approaches and in the meantime losing their competitive edge. They can lose data – and in doing so, risk the Information Commissioner (or similar body outside of the UK) heaping criticism on them. Legal battles can continue for years following an attack. The reputational impact can be colossal, but the physical impact of loss of digital infrastructure even more so.
RH: You mentioned hostile states; is this the only risk?
AWC: Hostile states are certainly a considerable risk, but nation state hackers are just one group. Hackers include nation state proxies, cyber criminals, hacktivists, terrorists and script kiddies. These groups have different motivations and look for different outcomes that are not always about money. Lapsus$ – a hacking group whose members were between 16 and 21 years old – successfully attacked Microsoft, Nvidia, Samsung and Okta in early 2022. The biggest threat by far, however, is ransomware. Ransomware involves a hacker gaining access to systems, encrypting your data and demanding a sizeable ransom fee for the encryption keys to release it – which they invariably do not provide.
RH: Are there particular sectors which need to focus on upping their cyber defences?
AWC: All sectors need to be aware of the risks of cyber attacks and should be investing in developing a thorough cybersecurity approach, led by a CISO-type role (Chief Information Security Officer). Typically, this has fallen to IT teams to resolve, but actually it requires a different skillset. Cybersecurity and risk will naturally work closely with IT, but its importance is of enough significance that it needs a dedicated team to strategise and oversee its roll-out.
In terms of sectors, any business operating in defence should have watertight cybersecurity. So too should ‘mission critical’ firms such as those in infrastructure, energy or financial services. A cyber attack at a business like this would be a very serious matter indeed – it would undoubtedly lead the news agenda for months, and would cause substantial damage to the business’s home nation.
RH: What should the CISO role encompass?
AWC: A successful CISO will have a combination of technical and business skills; the proposed EU and U.S. cyber regulations will require them to have risk management experience and be able to support boards in managing and reporting cyber risks to regulators. It’s important that this person has an up-to-date understanding of the risks to the business and the technical know-how to see how these can be prevented. But a CISO also needs to speak the Boardroom language and be able to demonstrate the importance of the work.
Doing cybersecurity effectively is rarely cheap, so Boards will need to be bought in in order to fund it. That’s where a good CISO makes all the difference – there’s little point in having someone in a cybersecurity role if they cannot convince a Board to invest in it properly.
RH: What’s next for cybersecurity – what do you predict the next big trends and changes to be?
AWC: Cyber regulation, regulatory enforcement, international cooperation and a move towards cybersecurity risk management are the biggest changes ahead. I’ve been working in this sector for 20 years and it’s only recently that I am starting to routinely see CEOs, NEDs, Chairs and so on proactively asking about what needs to be done. Until now, I’ve been the one banging the drum – now people are starting to seek out advice and make changes.
Legislation should not be underestimated; when the words national security and cybersecurity are mentioned in the same sentence, then it’s time to pay attention! Where the US and EU go, the UK will almost certainly follow, and businesses would be well advised to get ahead of the game now.
The Bank of England said just this month that cyber attacks are the single biggest risk to the UK banking system. This summer, Norges Bank Investment Management CEO Nicolai Tangen said he was more worried about cyber attacks than the changing markets. These are just two examples of well-respected voices airing their concerns about the impact of a successful cyber attack.
Andy acts as an advisor to Howgate Sable’s clients and is available to them to discuss their needs. Please do get in touch with your contact at Howgate Sable to arrange a discussion, or contact us here.