Host: Abigail Wilson, Cyber Threat Operations Manager, PwC UK
Guest: Richard Horne, Cyber Security Chair, PwC UK
Duration: 10m 40s
In this episode we’re joined by Richard Horne to discuss how CEOs can reduce complexity and make their organisations more securable. We discuss:
The Cyber Security Podcast from PwC UK covers the latest developments in cyber risk, resilience and threat intelligence. In each episode we’re joined by special guests to give you practical insight on how to improve your cyber security and create a more resilient business.
Introduction by our host Abigail Wilson: Hi, I am Abigail Wilson, your host for the Cyber Security Podcast from PwC UK, and today I am excited to announce that we’ve just launched our 2021 CEO survey. This is one of the flagship surveys we conduct each year, capturing the views of thousands of chief executives around the world. Now in its 24th year, the objective of this survey is to identify key trends and patterns in the global economy that can affect important management decisions, such as how CEOs are mitigating disruption and ensuring sustainable growth for their organisations.
Unsurprisingly, cyber security has featured as a major concern over the last few years. This year 91% of UK CEOs said they were concerned about the threat that cyber risk posed to their growth prospects, which is up from 80% last year. With what seems like a constant stream of threats manifesting this year, CEOs are right to be concerned about cyber security risk, but what role do they need to play in making their own organisation securable?
Joining me today to help answer this question is our very own Richard Horne, UK Cyber Security Chair. Richard, thanks so much for joining us.
Richard Horne: Thank you, Abigail, really pleased to be here, and thank you for having me on your podcast.
Richard: Abigail, as our survey suggests, it really has risen over the last 12 to 18 months. There are a number of drivers behind that. One driver is just what they are reading in the news, and what they are seeing in the news. Interestingly, what other CEOs are telling them about what they are experiencing, and probably the biggest issue that all CEOs and boards are becoming aware of now, is that of ransomware. Although for many of us in the profession it has been around for a while, to CEOs it’s really emerged in the last 12 to 18 months as a major threat, and that threat of disruption to business. And the thought that their business could be crippled for weeks by having no IT, not being able to use any of their IT as a result of a ransomware attack, is really waking CEOs and boards up to the fact that they need to be thinking about how they would continue as a business and the resilience of the business, which is much more a question that they can grasp and realise they need to deal with, rather than offloading the question of how do we build our defences to the CIO and CISO. That’s one reason.
Another reason is that, in regulated industries, your regulators are really waking up and making this a number one issue, whether it’s financial services, telecoms, right across all the different regulated industries, there is a growing pressure on organisations to really grasp the nettle when it comes to cyber security.
The last reason is some of the geopolitics, which senior people in the organisations regularly engage with. Some of the issues we’ve had in the last few months, particularly December 2020, with the Sunburst attack, where we saw nation states using an IT organisation in order to get into their clients, and understanding with CEOs that their supply chain could be a risk to them.
Richard: That’s a great question Abigail, because it’s a change that we are seeing at the moment. Some organisations are further ahead than others, but it is a beginning of an understanding in many organisations that cyber security is not just something you can ask your CIO or CISO to deal with, give me an update every three months, and I will say, thank you very much, have we got enough budget, and send you on your way. It is very much about understanding how the organisation is making itself securable and realising that every decision that gets made around shaping an organisation, whether it’s mergers, acquisitions, entering new markets, launching new products, divestitures, outsourcing, offshoring, all the big decisions that get made in an organisation, they impact the cyber security risk profile. That’s the key challenge that executives are waking up to, that they need to bake cyber security thinking into every decision they make.
Richard: This is a really interesting challenge for many CEOs, a big part of the challenge for organisations is actually the complexity of the organisation. It is almost a fact that the organisation is hard to secure from the start, because it is so complex. One of the things we are talking a lot with boards and CEOs about, is actually the role they play, and the role they have in minimising the attack surfaces, as it were, by simplifying the organisation and looking at how the organisation is structured, to make it simpler, and therefore easier to secure. It is a great time for them to be thinking about it, because many organisations are going through transformations, we have a big move to the cloud, for example, and especially post-COVID, a lot of organisations are looking at how they are structured and how they are going to come out of the period we’ve been through.
It is a great time to be thinking about how we can come out as a simpler organisation, how can you structure yourself as a simpler set of business processes through your supply chain, that is then easier to secure and more securable.
Richard: Again, I would come back to simplification; that is the big name of the game, as it were. You can think about that in three different areas. One is around business models. Some organisations, if you look at some other more startup-type organisations, they’ve got very simple business models, they are very clear what they are there to do, and as a result, they are much easier to secure because their business models are simple. Compare that with big global organisations that have been around for a long time and acquired loads of organisations on their journey. They have multiple activities happening in many different places in many different ways, and that business operating model just isn’t simple, and so is therefore a challenge to secure.
The second area is around external partners and thinking about the supply chain. No organisation is totally in control of their business processes, because all business processes at the end of the day are mapped through a supply chain and through other parties, and so looking to simplify that supply chain to make it easier to secure and also more resilient is a key challenge. The last part is thinking about internal systems, your IT and technology base, and many organisations are developing their technology base at pace, and increasing their dependency on technology and also looking at things like the cloud migration. That’s where it is really important to think more broadly than just a lift and shift of legacy internal systems, just sticking them in the cloud, and thinking that’s job done. It is much more important to rethink the technology bit again, simplify and change the way it has worked, to really use some of the benefits that you can get from the cloud, around securing yourselves in a slightly different way when it comes to your technology base.
Richard: The role of the CEO is one, to set the direction, and two, to set the tone. Setting the tone is really important. As you said, it is a really positive thing to view technology as this is making us more agile, more capable, more able to serve clients in a different way, more able to look after our staff in a different way, and those kinds of things. But the key thing is setting the tone that, as we think about all this change, we make sure we are constantly thinking about how does this change our cyber security risk position? Because all these changes that organisations are going through are not, on their own, making things better or worse from a cyber security perspective; they are just changing things, and you need to change how you think about cyber security, and make sure you are thinking through the implications so that change becomes positive from the perspective of cyber security.
Richard: Thank you, Abigail, it has been a pleasure.
Outro by our host, Abigail Wilson: For more on how you can reduce complexity, and make your organisation more securable, visit our website at pwc.co.uk/cybersecurity and don’t forget to subscribe to receive future episodes. See you next time.