Providing the “Re” in “Rethinking Cyber Security”

“Cyber security is not an IT issue. It’s not even about security, per se,” says Andrew Morrison, Principal in Deloitte’s Cyber Risk Services Practice. “It’s a risk issue.” I caught up with Morrison after Black Hat 2018 to get his insights into how corporations need to rethink their fundamental approach to cyber security. This is the mission of the 3,400 people in Morrison’s organization.


In Morrison’s view, cyber is a risk that needs to be managed. Cyber can no longer be just a service line within a business. The business itself needs to focus on being secure, vigilant and resilient.

Andrew Morrison, Principal in Deloitte’s Cyber Risk Services Practice

If anything, security is part of an even bigger picture. Cyber security—and threats—are an inescapable element of digital transformation. “All organizations are becoming digital,” Morrison argues. “A bank is basically a tech company with banking services. A hospital is a health-oriented tech company, and so on.”

He then adds, “It’s really like the fourth industrial revolution. First, we had steam power, followed by electricity and computers. Now, we have hyperconnected and intelligent businesses. It’s incredible, but it’s also a security challenge. Boards are becoming much more aware of their role in ensuring the durability of business in this environment.”

Digital transformation increases risk exposure. That’s an inevitable consequence of the paradigm shift. Deloitte’s approach is to guide the board and the broader organization through the security and risk management issues that arise with the transformation process. “Where is your perimeter?” Morrison asks. “You’ve had an exponential increase in nodes. Where does your entity end and another’s begin? The answer is not as simple as it used to be, that’s for sure.”

He shares, “You can also make things a lot worse as we push access to information. A network designed for sharing, which is wonderful, is a network that is at odds with security. You can have a lot of unintended consequences.” As an example, he cites recent accidental security breaches in the US military caused by fitness tracking devices worn by troops. As he puts it, “A generation ago, we worried about computer bugs. Now, there are 100 microphones in the board room I’m sitting in right now. Each is connected to the network.”


What’s the best way to start rethinking security as a risk issue? Morrison recommends taking a market-level view. “Start with your customers,” he advises. “The market is looking for someone who will be the best steward of its data. Is that you? Do you exercise an appropriate standard of care with your customers’ data? If the answer is ‘maybe,’ then you have work to do, work that goes far beyond the IT department and cybersecurity itself.”

The goal should be to differentiate through strong security technology and policies, e.g. identity management, SIEM, threat intelligence, backup and recovery and so forth. Deloitte approaches this work by pairing risk management professionals with cybersecurity and regulatory experts. All three disciplines necessarily join together to put the client on a good cyber risk footing. “From there, we work on security by design,” he says. “Going forward, you have to factor cyber risk into any system or business process you’re contemplating.”