Cyberthreats and the corporate CFO

26 November 2014

Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security, originally European Network and Information Security Agency (ENISA), provides insight into the extent of emerging cybersecurity threats, and how the modern CFO should respond in a climate of disruptive technologies and innovative ways of working.

Finance Director Europe: To what extent do you find the jargon of cybersecurity a barrier to getting the attention of the C-level executive?

Udo Helmbrecht: We have known about cybersecurity and discussed it for a long time. Still, the impact and consciousness of cybersecurity is limited. So, why have we not been more successful? One reason is that we are speaking in 'code' about cybersecurity. We speak in technical terms. This does not evoke emotions in people. We do not reach out. Our words do not trigger those in power to react. So, consequently, we must change our language. We must adapt to the audience. This is the A-Z of communications. We know we have to do it in order to actually achieve an impact, and change the minds and hearts of people; to make them act on cybersecurity issues. So we know the theory, but much more needs to be done to make this happen.

By and large, we need to simplify and speak of cybersecurity in simple terms. We need to better realise that we are speaking to people, about people and about changing behaviour. Cybersecurity is not about technology - it is about people and the economy. In the end, it doesn't matter how many reports we write about cybersecurity. What matters is how we communicate these reports we write. We have to sell them to media, politicians and decision-makers. We have to understand it is not a technological product we want to sell, but a change of behaviour and thinking at all levels, from the company executive directors and employees to citizens who expect to have access to all the services and tools they use. So, we need to repackage cybersecurity, and sell it in a different manner.

Another reason why cybersecurity has not come further yet is that we have not articulated the return on investment and, indeed, sometimes it is admittedly hard to calculate this. So businesses do not always see cybersecurity as a competitive advantage. They do not want to act until it is in crisis mode. But this is about to change, and those who adapt to this fact will become the business leaders.

As a former CIO yourself, how do you find the current relationship between CIO and CFO? Are CFOs today more IT literate and the CIO more financially astute?

I have to say that my impression is that the CFOs are now better at understanding the inherent cyber-risks, whereas the CIOs have not perhaps taken up financial skills as much. But then, the needs have been focused on the CFOs picking up the necessary cybersecurity skills first.

If you look at organisations where you have the CIO reporting to the CFO, the CFO will be very much in the loop. If you look at other companies, the CFO sits on the budgets, so they have final responsibility. So if the CFO is in discussions with the COO about how to invest with regard to risk management, regarding your assets, the CFOs are aware of this, but the bottom line is that there's always room for improvement.

CFOs and C-level executives in general have the greatest access to the most sensitive information. How cyberaware do you find these senior executives today?

Increasingly, cybersecurity is becoming an issue that C-levels are aware of and need to have knowledge of - at the least, they should be aware of it. But there is still room for improvement in knowledge on this issue. Cybersecurity is a natural element of any serious management course these days. The key matter here is, again, to communicate better.

For those that haven't invested so much in cybersecurity, what approach should CFOs consider in mitigating risk and driving greater awareness within their company?

The CFOs should have global control for the expenditure of IT and infrastructure. They should be accustomed to talking about the management of data, information and interruption of the business. So a proactive involvement with the IT department is important. At the same time, the CFO should continue to do established, common-sense risk management strategy and approaches, as the right risk assessment combined with the right responses can solve many challenges today. The CFO should also make sure with the IT department that the cybersecurity policy and other related policies are aligned with each other.

Tell us more about the bring your own device (BYOD) phenomenon and potential security issues this presents. What are the solutions?

In the past few years, we have seen a lot of BYOD, where vast amounts of data are accessible everywhere, but perhaps not secure. Gradually, IT departments have had to deal with this and ask how to manage the surge of demand from young staff for flexible, individual solutions, while maintaining a security policy for the organisation, or how you can cope with and manage so many platforms with the knowledge and resources that it requires.

Now, IT sections have adapted. In order to increase satisfaction and productivity of staff, we needed to adapt to change and adopt new security procedures. The situation has now stabilised. We must learn from and adapt to such changes in demand. If you apply strict rules, people will just ignore or circumvent them. And then you have not achieved anything. It would only be countering what you want to achieve. Instead, you must adapt.

If you look at social media or social networks, you have services such as the cloud. The question is 'how do you deal with your privacy - your private data - and how do you protect it?'. And if you go to the internet of things, we are now at a point where technology is cheap; it can be connected via IP to the internet. This means you can produce devices - wearable, for example - that can connect to the internet. So, as the technology advances, and it is distributed to the public, the more we have to think about IT security issues.

Of course, the challenge is also that you don't have real solutions on cryptography on a large basis. If you encrypt data, how do you search for this data? There are issues to overcome and it will be some time before solutions are made that can satisfy business demands.

Are you finding cyberthreat levels significantly increasing or decreasing depending on industry, geographic location and size of company? Are specific types of companies better equipped when it comes to managing cybersecurity?

Let us be very clear - cybersecurity knows no borders. That is why ENISA is needed for Europe; to provide a platform to cooperate across the borders of European member states. No other neutral entity can do this type of job; to make the EU member states cooperate at a European level. Then, of course, once we have done this, we can also conduct the EU-US exercise, which ENISA supported in 2011.

Looking now at the profile of cyberthreats, we recognise and underline that certain types of sectors in Europe are more vulnerable than others. We know that the manufacturing sector in particular is targeted. This is not a major surprise. Again, you find many small suppliers here. Size does matter when it comes to facing cybersecurity costs. The SMEs constitute approximately 98% of the EU's economy - they are its backbone. Yet, they lack crucial skills, people and capital to counter professional industrial espionage. This is why cybersecurity should be much higher on the political agenda, and in the minds of politicians in every EU member state since it is very important for the innovations, intellectual property rights and the economy of Europe.

If you look at the classic IT security triangle, you have confidentiality, availability and performance - whatever that means to an individual sector or industry. Power plants or industrial plants, for example, can more easily get connected to the internet the more the world is connected. That means you have to have a strict separation between core plant issues where you don't have production systems connected to the internet and those that are - so there are more security measures here. And if you go for green energy, smart city, smart energy or smart meters, then you connect more devices to the internet. When changing to a more internet-dependent infrastructure, you need more resilience and security.

How has your experience as CIO of an insurance company and president of the Federal Office for Information Security (BSI) in Bonn helped you in your current role?

I have learned a lot from my previous professional experiences, which I bring with me to this role. From the private sector, I gained valuable business acumen and management style, which I have inserted at BSI and at ENISA.

At BSI, I managed a big public body, which, by being an official body in the service of citizens, has a lot in common with ENISA. The international dimension was also quite present at BSI. So, that gave me a good insight into how the EU and the member states operated, and the key actors in cybersecurity, before I started at ENISA.

You have been with ENISA for five years and ENISA is now ten years old. How have you seen the organisation evolve? What is the current focus? How do you see ENISA evolving over the next decade?

We are currently discussing our future visions for the coming decade. But what I can say so far is that we are looking at how Europe must embrace cybersecurity as a business opportunity. We should consider how we can become the best in cybersecurity, and work together more. Why is there no 'cyber-airbus project' in Europe, where we pool the available resources to offer, for example, social-media services under EU data-protection laws, since people do not like the legal frameworks of, for example, Facebook, Twitter and other US-based companies?

The new European Commission president Jean-Claude Juncker has clarified that his top priority for Europe is to provide a single digital market for prosperity and growth. So that sets the political agenda for the next five years. Then cybersecurity is the foundation upon which the EU's economy will rely for jobs and growth.

As for the agency, ENISA will deem it necessary that we become slightly bigger, stronger and have an expanded mandate, to be able to match the expectations of the citizens and society. The cross-border dimension of cybersecurity calls for more cooperation and a stronger ENISA. We can already see a big increase in requests for assistance by the member states to ENISA.

Can you please tell us a bit more about the ENISA and Europol collaboration?

Recently, we were allowed by the member states in the council and by the European Parliament, as stated in our new regulation, to cooperate more with Europol, which is the operational body for chasing cybercriminals.

ENISA can support it with our technical expertise and know-how, and we can learn from it. So, it is a win-win situation where we exchange knowledge to step up the fight against organised cybercrime. And recently, we formalised this in a more specific, strategic cooperation agreement. ENISA is part of Europol's European Cyber Crime Centre (EC3) Programme Board and the EC3 is, in turn, part of ENISA's Permanent Stakeholders Group, which advises me as ENISA executive director on the yearly work-programme priorities.

More concretely, our cooperation with Europol includes elaboration of situational reports, and exchange of specific reports resulting from strategic analyses and best practice. We support each other in strengthening our specific capacity building through training and knowledge exchange, to safeguard network and information security at EU level. And they participate in the ENISA 'Cyber Europe' cyberexercises as well.

Since the CFO is the guardian to the most confidential information in a company, what risks does this pose from a 'cyber' perspective?

Indeed, the CFO must have sufficient knowledge of the cyber-risks for the business to be able to act upon this in an adequate way. This means to support the necessary technical measures and financial needs, which the IT department should provide, as much as possible. If the CFO also has an actual interest in cybersecurity, then that's even better.

We have good methods for risk assessment and management, so it's important on the C-level that you discuss the risks and potential damages, and if the CFO is the right person to really say what will be the damage to the company if this happens - what risks do I take and how much do I invest? For example, Bosch has an insurance company that insures for €1 million, yet Bosch has to pay up to €100 million in IT security risks. What we see is that the insurance sector is starting to offer cyber-insurances, so it's typical business for the CFO to look at what their assets are, what the risks are and what to invest.

What needs to be protected? It's often a blend of intangibles like data, intellectual property and IT infrastructure. What is the priority?

The priority depends on where the company's core business and core clients' needs are. Often it ends up being a mix of the three. But we know that it also varies between big companies and the SMEs.

In this context, mainly the SMEs need far better protection. Major companies usually have reasonable policies and realise the absolute need for cybersecurity; they have their own governance structure - exactly what the SMEs lack. They lack people, skills and funds to address the cybersecurity issues.

So the challenge is that you have to find the balance between what you keep in your own company, and how you control your core business, and what you outsource and bring into the cloud. So with this, you can find a business model that secures your core business.

If you put data into the cloud, you have to be sure of the supply chains and service-level agreements (SLA). If you have healthcare data, there are regulations that don't allow this data to cross borders. If you have financial supervision in EU member states on the banking or finance sector, then what regulation do you have in the state; what obligation do you have on the finance or banking companies?

If you're a cloud-computing provider, you have to be sure what data-protection plan they have; the IT security measures they have; where the computer centre is stored; and if there's a third or fourth party behind. It doesn't help you if you have, as a UK company, a cloud-computing company in France and, through its supply chain, data stored in China. This is what we don't want.

We'd also like to look at prevention strategies like embedding security, breach-response considerations and the need to set up call centres to handle stakeholder concerns. We all know that the insider issue has emerged as a major concern in the past couple of years. It is not new of course, but as some protection systems have become better, the risk of the insider gaining access to more information than before has become very clear. The Manning and Snowden cases are just two examples for the US military of how data breaches due to internal information access can have vast consequences.

So, again, we need to be crystal clear that cybersecurity is about people, not technology. The weakest link in technology is the human. Companies do not see how a single employee can fail to comply with security policies and put an entire organisation at risk. Yet, what you need to do is not write more policies; you need to change the actual behaviour and obtain a "buy-in" - an understanding by each employee that they have a role in this.

What is the importance of reputation as a consideration in the cybersecurity discussion?

Cybersecurity today is about your company's reputation, since so much of your data and business is online. Protecting your brand and reputation is crucial. This may sound simple, but the number of attacks that go undetected for so long, in combination with the increasing cyberattacks, should sound alarm bells for CEOs to seriously step up their game.