Today we bring you a recent exchange between CCI’s CEO, Maurice Gilbert, and Chris Furlow, President of Ridge Global, an international risk management firm. Mr. Furlow is a risk and security consultant and speaks to audiences around the world on cybersecurity and broader resilience issues, and we’re pleased to share his insights on …
Maurice Gilbert: How did you start your career in cybersecurity?
Chris Furlow: Just after 9/11, I served as Director for State Affairs in the White House Office of Homeland Security. With the images of the collapsing Twin Towers still fresh on everyone’s minds, the focus was understandably on threats in the physical domain. But there were individuals in the White House and across government who had been working to counter evolving threats in cyberspace for some time – most notably Howard Schmidt. Howard served as a cyber and critical infrastructure advisor to President Bush and would later serve as cyber czar under President Obama. Howard recently passed away, but he was a pioneer.
I recall one White House meeting I had with Howard to discuss cybersecurity with a group of state officials. It was probably 2002. At that time, many of these leaders viewed cybersecurity as something futuristic. There was little or no understanding of the interdependencies that existed between the digital domain and physical worlds. And even if they understood the connection, cybersecurity was viewed as someone else’s responsibility. It was through interaction with Howard and other trailblazing men and women that I learned the scale and criticality of cyber and was drawn to it. It has been a part of my risk management perspective and work ever since.
MG: Who helped shape your views?
CF: Howard Schmidt, of course. In terms of cybersecurity, you could have no better mentor. And Governor Tom Ridge. I have had the privilege to serve under Gov. Ridge at the White House after 9/11, during the stand-up of the Department of Homeland Security and in the private sector as a risk and security consultant for many years. He has always had a mindset focused on collaboration. Forget turf. Tear down stovepipes. Share information. Collaborate. As DHS Secretary, he spoke of the homeland security enterprise as being national — not just federal. That meant that we had to have federal agencies, state and local government and the private sector working together if we were to effectively counter 21st century security threats. We would be wise to apply many of the lessons from the stand-up of the homeland security architecture to cyber challenges today. As Gov. Ridge would say, “we’ve seen this movie before.” Leaders in both public institutions and corporate organizations must have this approach if they want to reduce risk.
MG: How do you stay current on cybersecurity issues?
CF: Cybersecurity is part of our day-to-day client work at Ridge Global. We advise C-suite leaders, boards of directors, CIOs, CISOs and risk officers on enhancing their readiness, whether it is cyber risk or any hazard. With the scope and speed of threats today, it’s not just about risk management — it’s about being more agile. Technology has its role, but that sometimes provides a false sense of security.
We find that the way a company addresses the human aspects of security and cybersecurity makes the most significant difference between a company that is resilient and one that may wallow in disruption. Decision-making is key, so we help leaders with governance, training and exercises for the C-suite down to every employee as may be needed. The perspective we get from this work allows us to see where gaps occur in companies across sectors. So our clients get the benefit of leveraging the mistakes of others to help them avoid similar situations. Additionally, I chair the Cyber Leadership Council and serve on the National Security Task Force of the U.S. Chamber of Commerce. It’s where national security and economic security policy converge on a peer-to-peer, cross-sector basis. The regulations you deal with operationally start at the policy level. If you’re not monitoring those activities as a security leader, you may get blindsided by the operational impacts and associated budgetary consequences.
MG: What are some of the significant issues facing CSOs and Risk Managers today?
CF: The threat surface has expanded greatly. What used to be viewed in the context of perimeter control — guns, gates, and guards — now includes the cyber domain, which has no borders and no fences. Actors from around the world can steal, disrupt or destroy from thousands of miles away. And you still have to deal with the impact of natural disasters, accidents, etc.
But there is another kind of “threat” that has emerged. On top of trying to manage security operations, you have proliferating regulatory regimes. No one understands this better than compliance leaders. I saw a recent fact sheet from the Internet Security Alliance. It said that security leaders spend about 40 percent of their time and 30 percent of their budget on compliance. First, as any CSO or CISO will tell you, compliance does not guarantee security. Regulation has its place, but government leaders should consider potential unintended consequences. Security professionals should not be put at a disadvantage by over-prescriptive regs, because we all know the bad guys don’t play by the rules.
MG: What do you believe is the optimal reporting structure for the CSO and why?
CF: Security and resilience are not bolt-ons, but are instead business imperatives in the 21st century. So the role of the CSO — particularly for global companies — needs to be elevated to true C-Suite status and not buried in the org chart. Cybersecurity has illuminated for corporate leaders many of the risk and enterprisewide interdependencies that have existed for years, yet have gone unrecognized. We’ve seen a lot of antiquated models in our advisory work. The CEO of one global brand had projected company growth of 3 or 4 percent. But even a limited assessment showed that they were losing at least that much because of a marginalized security leadership and poor risk management practices. So the CSO should be at the table engaging vertical executives on a peer-to-peer basis to protect people, data, intellectual property, facilities, the supply chain and the brand from an enterprise level. That can help realize savings in terms of minimized disruption, but a more effectively led security and resilience posture can result in greater reliability, which is a competitive advantage in a risk-laden global marketplace.
MG: How do you see the CSO role evolving over the next three years?
CF: As technology advances, cyber will continue to have more and more relevance. That doesn’t reduce the importance of physical risk by any means. In fact, they are inextricably linked, so a balanced approach will be key. Additionally, the Internet of Things (IoT) means that traditional security platforms like cameras, fire suppression and life/health safety systems are also tied to the digital domain. It will make our safety and security programs more efficient, but it may also open up new vulnerabilities that have to be considered.
MG: How does your company help its clients mitigate risk?
CF: Even if your company takes all the right steps, a truly determined actor such as a sophisticated nation-state or criminal organization may still get through, causing disruption across the business. Having the resources to respond, particularly for small and mid-cap companies, is key to resilience.
Our strategic partnership with Risk Cooperative to offer cyber insurance utilizes an evidence-based underwriting methodology and Lloyd’s-backed facility that approaches cyber risk the way security professionals would look at the risk, not the way a traditional insurance broker would. It means that we can provide more comprehensive coverage with fewer exclusions. When the process is informed by real, client-specific data, not just actuarial and historic tables, it’s a win for the insured and the insurer. Our specialty is helping C-Suite executives break the risk management molds that are no longer working for 21st century businesses, so our innovative approach to insurance is another implement for mitigating risk and building overall resilience.
MG: What new service offerings do you have in the queue?
CF: A culture of security and resilience is led from the top. But most C-Suite executives serving today didn’t learn about this kind of risk in business school. They learned about financial risk. And for many CSOs, their careers have been centered on physical risk. Hey, it was the ’70s, ’80s, ’90s. It’s no one’s fault. But they find themselves in a hyperactive digital age where attacks can happen by the second and regulators and shareholders are holding them more accountable on cybersecurity. Business leaders are desperate to increase their cyber literacy. One way Ridge Global has done this is by partnering with the National Association of Corporate Directors (NACD) and the CERT Software Engineering Institute at Carnegie Mellon University to create a Cyber Oversight Certificate Program. NACD sets the standard for boardroom practices and this 100 percent online course meets busy executives where they are and amidst their many responsibilities and busy schedules. It is not intended to make them technologists, but it will help them increase their cyber literacy and get a better handle on risk appetite, resourcing and communication with their IT security team. And unlike a traditional seminar, it results in a tangible credential from Carnegie Mellon University that demonstrates a director or executive’s commitment to their fiduciary responsibilities and to cyber oversight. We’ve had CSOs and CISOs tell us that it has been good for them because it has demystified cyber in the boardroom so that they can have a much more fulsome dialogue with their board and can work together to properly address and resource their company’s risk. In an age where some brands throw money at the problem without any real sense of ROI, that is a much smarter approach.
Chris Furlow is President of Ridge Global. Mr. Furlow develops custom risk management strategies and helps clients focus on the enterprise perspective, tying together people, processes and technologies that are often stovepiped in organizations. He has particular expertise in cybersecurity and public-private partnerships for security and resilience. After the 9/11 attacks, Mr. Furlow was named Director for State Affairs in the White House Office of Homeland Security, where he developed the network of state homeland security advisors; supported new state and local intelligence/information sharing protocols; and served as policy liaison to governors on behalf of the Executive Office of the President. He was also a member of the Incident Support Group providing intergovernmental coordination on events of “national significance.”
During the stand-up of the Department of Homeland Security, he was appointed Executive Director of the Homeland Security Advisory Council and led operations of its multidisciplinary public and private sector committees. A former Deputy Assistant Secretary of Commerce, Mr. Furlow is a graduate of Louisiana State University and is a former Senior Fellow of the Homeland Security Policy Institute of The George Washington University. He is a member of the U.S. Chamber of Commerce National Security Task Force and its Cyber Leadership Council, the National Emergency Management Association private sector committee and the Royal Institute of International Affairs (Chatham House, London).
Maurice Gilbert founded Corporate Compliance Insights in December, 2008 to further the discussion and professional knowledge exchange of important, forward-thinking corporate governance, risk and compliance topics.
Maurice is also the managing partner of Conselium, an executive search firm with core expertise in placing compliance officers, regulatory counsel and audit officers for clients in the U.S., Europe, Latin America and China.