Sometimes timing is everything. On Thursday I was speaking at the WeDo Worldwide User Group 2017 in Lisbon, and the overriding theme of my presentation was so simple that it can be easily summarized: we must embrace fear as the primary motivator of investment in risk and assurance. On Friday a computer virus called WannaCry spread like wildfire, infecting thousands of organizations across most countries. It spread fear as well. Now is the time to exploit that fear in order to bolster your budget.
The motivation of WannaCry’s authors can also be simply stated: criminals want money, and they will exploit any systematic weakness in order to get it. That contrasts neatly with our role, which is to identify and eliminate the weaknesses that ultimately lead to the destruction of value. If you want a narrower definition of our role then I will politely disagree with you. It is not good for you if you diligently deal with weaknesses A and B, when weaknesses C and D are much more potent, and lead to much more harm. The more you can address the worst risks, the more valuable you will be. That is why I believe functions like revenue assurance, fraud management, operational risk management, credit risk, data protection, and security should all be coordinated under the supervision of a Chief Risk Officer, who in turn reports jointly to the CEO and to the Board. Then we will be able to manage the work done across our businesses in a way that will prevent the emergence of unanticipated weaknesses.
It is often said that our functions should report to the CFO. I believe this is wrong. Having the CFO oversee risk is a temporary, stopgap solution. It reflects the historic immaturity of our businesses. The telecoms industry should evolve to the point where a telco without a CRO seems as foolish as a bank without a CRO, or as naive as a telco without a fraud management team. CFOs have plenty of work to do, without being expected to oversee all kinds of risks too. Raising finance and being an accountant is hard; we should not expect CFOs to understand the detail of new technology, manage supply chain risks, and grapple with the implications of privacy legislation as well. It would be better to have the CFO joined by a new colleague who works with the other C-level execs to address the risks they should all manage, whilst having the seniority to challenge them when they fail to address them adequately. The same can be said for CTOs and CIOs, and other C-level executives apart from the CEO. But CEOs also have too much to do, and not everything reduces to risk management. That is why CEOs should be bolstered by a Chief Risk Officer who can provide a second opinion, based on independent data, about all the risks being faced by the whole executive team, assessing their relative priorities and the ways the risks connect to each other. Departments like RA and Fraud Management have important data, and should be empowered through a straightforward line of supply to a CRO whose primary role is to act upon that kind of data. We need to invest in risk mitigation all the time, so our businesses should employ a C-level executive who optimizes the investments in risk mitigation.
I believe the most ambitious, most capable of you should ultimately seek to be promoted to the role of CRO (and perhaps to be the CEO after that). It is the most natural progression of responsibility for individuals like you. Most of us already collect data from all across the business. To do our work well requires an understanding of systems and operations that cuts across silos. Who else starts with a better education in how to see risk as a whole? Who is better able to connect the detail of operational performance to the big picture of its actual and potential impact on the bottom line, on customers, and ultimately on the share price? If I wanted to train a new graduate in the hope they will become the telco’s future CRO, I would begin their education by getting them to work in fraud, revenue assurance or security. Or better still, I would instill a management development program that forces prospective future leaders to rotate around these crucial risk-related functions, so they understand them all.
Some may want to focus on WannaCry being an attack from an external source, and to divide the work of risk mitigation according to whether the driver of the risk is internal or external. I believe this is misguided. There are no purely external threats, apart from the most severe kinds of natural disasters. All other dangers exist because of weaknesses within our businesses, many of which we are blind to. WannaCry exists because of the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems. If the NSA had revealed the exploit sooner, then fewer computers would still be at risk. But WannaCry has also been successful because patches have not been diligently installed by many organizations, and some still rely on unsupported operating systems like Windows XP. As the world becomes increasingly complicated, so it becomes futile to try to blame failures on internal or external matters only. The greatest shocks tend to involve a mixture of both the internal and the external. And whilst WannaCry is the product of criminals, it is inevitable that some criminals will work inside our businesses too, or will seek to collude with our staff. Risk drivers sit on a spectrum from wholly internal to almost wholly external. There is no significant benefit, and many drawbacks, in drawing an artificial dividing line and constructing barriers that prevent all the risk and assurance staff from dealing with every threat, whether the source is mostly internal or external.
For too long we have been promising that investments in risk and assurance are a way to get more money than the business had before. We have been reinforcing the expectation that the business is already losing money, so we should be employed to reverse what went wrong in the past. That is a good message if you only want to correct historic mistakes. It is a terrible message if you want to avoid the Sisyphean nightmare of repeatedly addressing leaks after you have discovered them. We need to sell ourselves as the people who prevent the leaks before they occur, which means never allowing weaknesses to occur. In this respect, we can learn from our colleagues in security. Fear is their friend. They do not need to show what has been stolen, destroyed or undermined in the past to explain why they should counteract future dangers. The patch should come before WannaCry hits your system, not after you learn what a ransom will cost. The benefit of security cannot be usefully measured as a reduction of actual historic losses, but only by developing a keen awareness of what is at risk when security is inadequate. Respect is due to every person who works in the many specialisms covered by the risk and assurance umbrella. However, we will not get that respect unless we ditch the arguments about historic leakage being some guesstimated percentage of revenue, and instead refocus on what might be lost in future. Fear is our friend, and we should embrace it.
Ironically, my Thursday evening meal was spent in conversation with a former telecoms employee who is now a senior manager at a very well-known mobile security business. He confirmed what I had heard elsewhere about Chief Information Security Officers (CISOs) being appointed at a rapid rate, and then receiving sharply increased budgets. Having a CISO encourages investment, just as increased investment encourages the appointment of a CISO to manage it effectively. Many CISOs are dealing with WannaCry right now, and new CISOs will be appointed because of WannaCry. I believe we should follow the example of CISOs, and also anticipate a further step by ensuring security is tied to risk and assurance more generally. The work of the CISO should become a major component of the telco CRO’s remit.
My dinner partner was very kind when we discussed my earlier presentation about using fear as a motivator for increased investment. I had highlighted how shocks and scandals had recently led to 15-20 percent drops in the share price of several big telcos, and he felt these incidents also illustrated the need for increased expenditure on security. This encourages me to believe that similar arguments about human psychology can be applied across several domains. Whilst security functions currently do the best job of using fear to motivate an increase in budgets, we all need to ring the alarm bells about the severe and complicated conjunction of increased dangers to our business. Consider the following:
- The ever increasing expansion of networks, where the cost of accessing those networks keeps falling;
- An explosion in the number of networked devices, thanks to the internet of things;
- Massive increases in the speed of networks;
- Increased connectivity also leading to greater reputation risk due to the speed and unpredictability of bad news being spread via social media;
- More and more layers of technology that sit on top of each other, where each layer can possess its own vulnerabilities and flaws;
- Businesses continuing to move from the ‘real’ world to the cyber realm, and the accelerated transition to a cashless society; and
- A skills gap as it becomes increasingly difficult to educate or recruit sufficient numbers of specialists to diagnose and address all the multitudes of potential weaknesses.
This combination of factors should lead every privately-owned business to fear, and to do more to protect shareholder value. And private enterprise cannot rely on governments to do all the heavy work, as proven by the decisions made by the NSA.
Fear is our friend. It will motivate an increase in the expenditure on activities that matter to you. So you should embrace fear, and exploit bad news like today’s WannaCry headlines. Do not allow the focus to become too narrow. Use WannaCry as an example of why the business has much more to fear than ever before, and why we need a broad range of risk mitigation and business assurance strategies to prevent the catastrophic falls in the share price, the extraordinarily bad headlines, and the shocking scandals that increasingly plague telcos. There are many ways to join the dots when dealing with weak authentication controls, error-prone billing, inadequate credit checks, lax online security, poor processes to handle internal fraudsters, and all the other weaknesses that should equally concern everybody working in risk and assurance, irrespective of their job title. Money is lost when those dots are joined together, whether that occurred because of accident, malicious intent, or some combination of the two. We need more money to prevent seemingly isolated dots from being increasingly joined in future. So we should use fear to obtain the resources we need to properly protect the business.
For those of you who missed it first time, here are those slides I presented about fear as a motivator for increased investment in risk and assurance.