Perspectives Podcast Episode 31: The Rosetta Stone of cyber security


Speakers: Jennifer Beaudry and Dan Elliot

Notes: Jennifer Beaudry, Head of Communications is joined by Dan Elliot, Principal of Cybersecurity Risk Advisory for Zurich Resilience Solutions for a stimulating discussion on how to translate cyber risks into business risk.


Jennifer Beaudry

Welcome to Zurich Canada's Perspectives Podcast, where we stay connected with our partners and employees through conversations with guests who are experts in their fields. We deliver market insights and thought leadership to bring information relevant to you, our listener. I'm Jenn Beaudry, Head of Communications at Zurich Canada, and your host today. As October marks Cybersecurity Awareness Month, we are excited to have Dan Elliot, Principal of Cybersecurity Risk Advisory at Zurich Resilience Solutions Canada, join us today for a stimulating discussion on how to translate cyber risks into business risks. With more than a decade of experience in the industry, Dan shares practical approaches and communication strategies to help you mitigate your cyber risks and minimize their impact. This is a conversation you don't want to miss. Dan, thank you so much for joining us today. Before we jump into the discussion, tell us about your background and the three themes you're going to dive into today.

Dan Elliot

Sure, well, thanks so much for having me. To give you an idea of my background: I've been with Zurich for a year now. Prior to that, I spent 15 to 20 years in the security intelligence community in Canada, the last six of which were with CSIS. So, at that time, a lot of what I was doing was looking after those large-scale country threats that I now look after and am concerned about in the private sector. The three things that I tend to deal with most frequently in this space, and what I find most interesting to talk about as challenges, are really the evolving nature of the threats, how quickly the threats move, how quickly the technology moves, and how quickly the jargon and acronyms move with it, which adds some complexity to it. And from that, I find that there is a challenge among cyber professionals to really communicate at the baseline, and all those changing and evolving things, to non-technical executives and board members. And when I say non-technical, I'll say non-technical in a cyber stance, because one of the errors that a lot of us make is assuming that all of those other professionals don't have technical capacities of their own, which are really complex. And then the third thing that I spend a lot of time with, which is much better news, is on the remediation side: how can we get better? How can we communicate these ideas clearer, and work more collaboratively?

Jennifer Beaudry

What are some key cyber terms and concepts that we should be familiar with in bridging the gap between cyber and business risk?

Dan Elliot

That's a very challenging place to start. And I'll give a bit of background. Last year there was a large-scale survey done of C-suite executives across North America, it was something like 1500 or 1200 executives. And in that survey, they found that more than a third of those interviewed found, quote unquote, basic cyber terms like malware, phishing and ransomware to be confusing. When I speak to cyber executives, these are not technical cyber terms. When I speak to non-technical executives, there are mixed reviews. So, I think it really depends on where your baseline is as to what a complex or technical term needs to be. But I would say the biggest thing to begin understanding, and it's communicating within your team, within your organization, is how you define cyber risk. Because if you can't define that type of risk, it's going to be very difficult to try to mitigate or build a program around it.

Jennifer Beaudry

Dan, there's a lot of terminology, and you mentioned a few things that maybe we might not all be super familiar with, for those new to the world of cyber who might not be familiar with some of these terms. Can you provide a brief overview of key cybersecurity terms and concepts to help inform today's discussion?

Dan Elliot

Thank you for calling me out for using my own technical jargon. You are 100% correct. CISO is not yet a very well-known term among the business community. I hope it will be someday. The CISO is the Chief Information Security Officer. Ideally, in the organization they are the C-suite member who is in charge of cybersecurity. They do not have the same role as a CIO, the Chief Information Officer, who's in charge of all of those information-related metrics for the organization, usually both IT and security, which sit in slightly different houses. The few other terms, I guess, I've jumped into as examples that I'm happy to give an example of. Phishing is a term that is used very commonly in the media now, but is basically the concept of somebody sending out messages, emails, pretending to be somebody that is trusted for you or your organization, either asking you to divulge secure information, or asking you to click on something or open something that would allow them into your organization. Ransomware, which is becoming a well-known term for the wrong reasons, is the notion of holding your data or access to your systems for ransom, in exchange for money, Bitcoin, whatever they're trying to trade these days. And the idea behind it is they often use malware, which is a code-based application, could be a virus, could be other malicious code, that is embedded or launched in your network, in your system, which either allows them to steal, exfiltrate data and information, or allows them to encrypt or corrupt data within your system.

Jennifer Beaudry

That's super interesting. So, we are starting to understand that cybersecurity terms can get lost in translation, as there is historically a language divide between IT and organizational leaders. Can you further break down this communications barrier for us?

Dan Elliot

Sure, there are a few things that I think lead to the problems in this and lead to this perceived barrier in communication. I will first say that I do believe that there is a barrier, but it's more psychological than it is real. I don't have a psychology background, all the training I received was during my government time, but I'll start off with these three real leading pieces that are causing a lot of the problems from my perspective. And the first one is cognitive dissonance, which is the notion that people believe, "I don't know it now, so I never will be able to learn it, I never will know it." And I start calls very frequently with technical and non-technical leaders and find a non-technical leader saying, "I'm going to let my CISO, my IT director, whomever, lead this call, because I don't understand any of this mumbo jumbo, nerd speak, tech jargon," whatever language they want to use to describe it. They're giving themselves an out, a reason to back away from it, and it makes it easier and more comfortable in that moment, but it prevents them from being able to get better at it and better communicate those risks. The second thing I find is stereotyping. There's an idea that this is an IT problem. The IT guy has this figured out; the IT guy or my cyber guy has all the answers. And we stereotype it as a very complex IT problem that I don't have a stake in, I don't need to help solve. Again, it provides a quick out today, but prevents the opportunity to help fix the problem tomorrow and in the long term. And the last one, and I'll reverse it, because it's not all on the side of the non-technical professional, is what is broadly hedged under something called authority bias. And this is those IT and cyber professionals that get into this loop, where they know, if I'm the only one that understands these things, if I'm the only one that knows how to put this together, I'm never going to be expendable. I'm going to be here for as long as the technology stays. And if I speak in complex jargon, or using acronyms, it's very comfortable for me, but it also gives me an authority on those subjects. So those are really the first three that I think lead into a lot of these problems and make it very confusing for non-technical professionals. I love to call it the tyranny of jargon, because whether it's the recipient feeling this is too complex for me to understand, or the sender making the message complex on purpose or accidentally, it creates this language that nobody outside the circle can understand and can speak, and therefore can't participate in the solution.

Jennifer Beaudry

Building on what we've learned so far, how can those who are not IT experts learn to speak the language of cybersecurity? What techniques can bridge the communications gap between IT professionals and C-suites or boards of directors?

Dan Elliot

That's a great question. And it starts to get into those solution-focused options. The first thing I think that's important is building a common lexicon. What I mean by that is starting to look at our own language outside of cyber professional areas and our language within the cyber professional areas, and finding commonalities and areas that overlap. For example, something like a "SIM" - SIEM, which is a dashboard used by cyber professionals to be able to track all of the information in feeds coming in. Risk professionals use their own dashboard in RIMS. And these things have common purposes, common uses, and we can build commonalities in what we're doing, so that we can better understand each other's world. The other thing that I would suggest, and I don't know who's going to start this off, but somebody needs to do it: buy the other side a coffee. It does not have to be formal meetings initially. Have an informal meeting between you, the risk manager, and you, the CISO, and sit down and discuss: what are we working on right now? What are the risks or the concerns that we have front of mind? And what are the challenges we're having in mitigating or reducing those risks? And begin just having a conversation. You'll get to a point where it becomes part of formal meetings, where you can discuss cyber risk on a formalized basis. And I think when you get to that point, you can start to expand it. But it needs to begin with an understanding and time spent in the same room. The last thing that I really think can start today, to improve this situation, is an alignment of metrics. When I talk to a lot of cybersecurity professionals, they have the challenge of aiming for zero. They will go up to a board and be almost expected to present to say, we have had zero successful attacks this month, can I have more money so that we have zero attacks next month? And the board or the executive or whoever they're reporting to will say, well, you were successful this month, and we spent this amount of money, why do you need more? And it is very difficult to continue to race to zero while asking for more. Further than that, it's really difficult to define a successful metric around zero, whereas all other areas of the business are focused on growth, advancement, expansion. So, until we can really focus on aligning the metrics within the cyber program with the rest of the organization, or at least relevant areas of the organization in business units, it's going to be very difficult for them to run alongside.

Jennifer Beaudry

Dan, you mentioned earlier, this myth or this challenge that risk managers or non-technical professionals can't understand cybersecurity fully. Why do you think that this myth exists?

Dan Elliot

I think it's a self-fulfilling prophecy. I walk into a room of risk professionals, and I've asked them about their own technical language. I did this a couple of times this year at talks I gave, where I asked if risk professionals felt that they had a technical jargon and technical language, and more than half the room felt that they did not. I asked them about terms like risk tolerance, risk appetite, risk capacity, and asked them if they felt those are technical concepts. They again did not, but I've been in rooms with CISOs who did not understand what those concepts meant, and couldn't differentiate between them. So, we get into this situation where we believe that our language is simple and normalized and the other group's language is technical and complicated. So, I think it's a pattern. We've created this pattern where I don't know it today, I really know my own language, my own role, my own job description…somebody else knows that stuff, so it's very easy for me to excuse myself from those conversations. I would say we have to get to a point, and we can very quickly, of trying to work to understand what the other side is talking about, and again, it's through building a common language. And my favorite is using analogies. If you find a way to describe what's a technical concept for you in an analogy that everybody can understand, it's going to be very easy and it's going to sink in with the audience, it's going to sink in with the person you're speaking to.

Jennifer Beaudry

So, putting these learnings into practice, how can we build confidence through understanding, dialogue and engagement?

Dan Elliot

It's going to take practice, and there isn't a shortcut to be able to do this. I think in the very short term, it's going to happen with things like tabletop exercises. What that means is you get 20 people in a room from the CISO's team and the rest of the leadership in the cyber and IT department, you get members of the risk manager's office and the risk-focused leadership in the room, finance, HR, comms, everybody sitting in there and discussing, what would we do on our worst day? Going through that cyber exercise very quickly shows the people who feel that they are non-technical and may not have a role in a cyber problem or a cyber breach how essential they are, and how important their role is in those incidents. And I think that will start to build up that understanding in dealing with it and then doing it. The next thing that I think is really useful is looking at multidisciplinary committees. Everybody loves a committee. So, if you take your CISO and business unit leaders from other areas of the business, and organize together, once you've done those ad hoc conversations and started to meet informally, and then formally, you get into a situation where you're speaking about risks, and you're speaking about cybersecurity together on a regular basis. It's a muscle. Once you build up comfort over and over again, it becomes normalized, and you'll build up engagement. And I'll go back one step, to the tabletop exercises. One of my favorite pieces of that, when I started doing them, we originally started doing them with very small groups, six to eight people, because that is who we thought was useful to have in the room for those discussions. And the people we were excluding were the next tier down from decision makers. And when we started including them in those conversations, it created two things: one, it created a backup, because what inevitably happens during a real incident is somebody is sick, somebody is on vacation leave, or it's on a holiday Monday or Sunday when everybody is not answering their phone. So, you want an extra person to know what's going on. The second thing it creates is a group of engaged cyber champions, because in each business unit, and then each area of the organization, there is somebody who had to sit through a gamified, or fake, version of a really bad day. And they start to understand how their role plays into that, and how it can affect the future of the organization: its viability, its resilience, its ability to get back up. And I think building that muscle of doing it over and over again, and starting to expand the number of people that are involved in those conversations, is really the way to build engagement and understanding in areas of the business you may not have thought would be very engaged.

Jennifer Beaudry

As we wrap up today's discussion, what is your main call to action?

Dan Elliot

Collaboration is key. And if you walk away with nothing else, leave with an understanding that if we continue to work in silos, we will continue to run into problems when real events occur that require all hands on deck. Cyber incidents, cyber breaches, you know, criminal incidents, whatever you want to call them, require all hands on deck because they're complex, and they involve all areas of the business. Inevitably, on your worst day, somebody will tweet out, "Yay, I don't have to go into the office today because our computers are down." That is preventable. Somebody's going to have to write the notes for your CEO or CIO or whoever's speaking to media. Somebody's going to need to deal with it if it's an internal breach, and HR is the person at the helm there. It is all these people outside of the traditional IT and cyber teams that have very important roles on a bad day. And the more that we are all engaged in discussions early, the better we can collaborate when people's hair is on fire and all of the computers stopped working. So, I think it's important to come together right away, starting informally, and then building up formal processes in order to ensure collaboration works well on a bad day. And I'll say, one quick takeaway that a lot of people are failing to do, unfortunately, is to formally measure. If you don't measure it, you can't manage it. If you don't know where your cybersecurity program is today, how are you going to be able to manage it and improve it and mature it over time? If your cyber lead, whether that's an IT director or a CISO, whatever title the organization has deemed, knows what's going on, but the rest of the organization cannot understand that maturity assessment, then you're going to run into problems when you're trying to work together to improve it, pay for it, and mature it. So, collaboration and measuring are kind of the two key ways that I think you can build a better program and mature without running around at the last minute to solve problems.

Jennifer Beaudry

Dan, thank you so much for joining us today. This was such an interesting and informative conversation to mark Cybersecurity Awareness Month. Any final words?

Dan Elliot

Thank you so much for having me. It's been a great conversation. I know I really enjoy doing this, as do all of my team globally. Zurich Resilience Solutions, ZRS, has 15 to 20 of us around the globe, who are experts in this very broad field, who come from very unique backgrounds. And we'd be glad to have conversations with anybody who's looking for some assistance or some ideas on how to mature and improve their own programs.

Jennifer Beaudry

Dan, thanks again for joining us today.

Dan Elliot

Thanks for having me, Jenn. It's been a lot of fun.

Jennifer Beaudry

As we wrap up today's discussion, Dan, thank you for sharing your valuable insights on cybersecurity threats and their impact on business risks without using all that technical jargon. For those who tuned in today, we hope you are encouraged to foster collaborative relationships within your organization and establish a common language to reduce cyber risks. We would love to hear your ideas, comments or feedback. So please email us anytime at Zurich.communications.canada@zurich.com. Your input is highly appreciated, and we look forward to creating more meaningful content for you in the future. Thank you and take care.

Disclaimer

The information in this audio recording was compiled from sources believed to be reliable for general information purposes and is intended for Zurich clients and business partners. The information contained herein may be useful to you or your enterprise when developing your own policies and procedures. The policies and procedures applicable to your enterprise should take into account the specific circumstances of your business and business environment, which is beyond the capacity of this podcast. Any and all information provided is not intended to constitute advice of any nature and is specifically not legal advice, and accordingly, you should consult with your own legal counsel. We do not guarantee the accuracy of the information presented or any results, and further assume no liability in connection with this recording and the information provided therein. Moreover, Zurich reminds you that the information provided cannot be assumed to contain every acceptable safety and compliance procedure, or that additional procedures might not be appropriate under the circumstances. The subject matter of this recording is not tied to any specific insurance product, nor will adopting these policies and procedures ensure coverage under any insurance policy. We encourage listeners to seek additional information from credible sources. Thank you.