Q&A with Steve Durbin, Managing Director, Information Security Forum
Today, Steve Durbin, Managing Director of Information Security Forum, stops by to share his insights on coming shifts in compliance given a host of ever-increasing cyber risks. Steve offers his thoughts on some of the prickliest business and regulatory risks and a bit of guidance on how organizations can manage them.
Maurice Gilbert: How did you get started on a career in security and compliance?
Steve Durbin: Quite by accident – my career has tended to focus on working in or with fast-growth organizations; I was at Gartner for a number of years and built out a global consultancy business there, I worked at EY with some great fast-growth, entrepreneurial companies and my interest has always been in trying to anticipate evolving and emerging challenges that businesses must deal with to be successful. So, I came to security very much from a business perspective – my background is in marketing and business growth – and viewed it as a fast-growth area that was still relatively immature but would be going through explosive change in the future. So far, that has certainly proved to be the case, and given the changes in the roles of chief security officers and, increasingly, chief compliance officers, I have found that my business-based approach and experience continues to position me well to assist business leaders in anticipating emerging trends and looking at how they might deal with them in a practical manner that supports the strategic growth of the business.
MG: Who helped shape your views?
SD: Too many to mention – I have always been a fan of entrepreneurial leaders, irrespective of the size or scope of the businesses they lead. Similarly, I have an aversion to purely following the “teachings” of one individual; it’s far too limiting in today’s business world where some of the best ideas actually come from the youngest and freshest employees or people that you have the good fortune to meet, sometimes by chance. I recently got some great insights on communicating security challenges from a Boston cab driver, for instance; my sons give me practical insights into how technology is used by millennials; the simplest of casual conversations can sometimes cause a lightbulb moment that makes me think “so that’s the answer, let’s try it and see if it works.”
MG: How do you stay current on ethics and compliance issues?
SD: I have the great fortune of working with and meeting, often on a daily basis, many of the smartest – and most overworked – professionals in this space. At the ISF, we are constantly challenged by our Members – many of which are Fortune multinationals – to come up with insights into how these issues affect global business, and that obviously requires both currency in the issues and a pragmatism to approach the issues with a solution-led perspective and approach.
MG: What are some of the significant issues facing Chief Compliance Officers, Risk Managers, etc.?
SD: Some would say there is no shortage here! For me, I think there are two. The first is the ever-increasing burden that compliance is placing on an organization. Cyber is an emerging space, and with it comes emerging legislation, which can generate an enormous burden for a multinational business just in terms of remaining current, let alone compliant. One that jumps out at the moment would be the EU’s General Data Protection Regulation (GDPR). Getting a business in shape for the GDPR is a massive undertaking for most businesses since it requires a complete understanding and tracking of all data related to an EU resident across the enterprise, including third parties, before you can begin to think about compliance. And that leads to the second issue for me, which is just how do you remain current and compliant? There are still only 24 hours in a day, and businesses have finite resources to dedicate to these issues.
MG: How do you see the Chief Compliance Officer role evolving within the next three years?
SD: Well, one thing that is for certain is that the role will continue to evolve. I do see a need for specialization and an increase in collaboration with other business leaders. And if we think about that for a moment, that may well lead to a ring fencing of audit vs. business-based compliance, if I can put it that way. So, increasingly, I believe that compliance will need to focus on helping the business to deliver the strategy in a very practical manner. Cyber is all pervasive – it touches every part of the business, and compliance will need to follow. I am thinking in particular here of working with business departments on risk and compliance management and employee education, and I’m not talking about an annual compliance “test,” but about the day-to-day evolution of an individual’s role – perhaps working with marketing departments in providing guidance on what can and cannot be communicated. This is all in addition to the day job, which involves remaining current on relevant laws and regulations, monitoring compliance with them alongside internal policies and so on. I see Compliance Officers necessarily needing to become well-rounded business professionals, with very high communication skills, able to translate strategy into delivery with colleagues whilst providing constructive insight into how to achieve the business goals in an increasingly compliance-focused world.
MG: What do you see as the greatest business risks facing companies today?
SD: The risk of being left behind, of missing the next great business opportunity. We are becoming risk averse in business, and we are being driven there by an increased compliance focus which, if interpreted incorrectly, is stifling free thinking and entrepreneurial business practices. To be successful today, a business must be agile; it must take risks, and I think too many business leaders are being encouraged to run their businesses in a risk-free manner. Of course, it is understandable when every mistake is examined in minute detail and is increasingly met with a coach full of lawyers and litigators, but we need to recognize that a cyber-enabled business is one that is founded on risk management.
As soon as you cyber enable a company, you are managing risk – risks from ransomware, risks from an overdependence on the internet for business transactions, risks from cybercrime, from automated misinformation and from legislation which, whilst sometimes well-meaning, can create more potential problems than they solve – I am particularly thinking here of requirements for the collection and storage of vast reservoirs of data by communications providers which provide an Aladdin’s cave of opportunity for a cyber hacker or criminal looking to expose an organization’s secrets. The assessment of these risks, the management of these risks and the determination of an appropriate and effective way of achieving the most appropriate risk posture for a business in light of these and other risks are key.
MG: What do you see as the greatest regulatory risks facing companies today?
SD: Certainly, the growth in the number of regulations and, sadly, the inconsistency of legislation across jurisdictions. This is a problem for any multinational organization. There are few globally consistent regulations in cyberspace, and this is something that we must move to address. The EU GDPR will go some way to achieving this with its coverage of the privacy rights of EU residents and its truly global reach and implications, but it is just one example. Compliance officers around the world are continuing to face challenges in dealing with ever-changing and growing regulations. The Thomson Reuters report into the Cost of Compliance 2016 estimates that more than one-third of firms surveyed continue to spend at least a whole day every week tracking and analyzing regulatory change. That is down from 2015, but still a significant burden.
MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face these risks?
SD: I think remaining current is one of the challenges here, but also understanding the implications of these risks on the business for me is critical. Doing that is, of course, easier said than done, and that is why so much time is taken up in tracking and analyzing regulatory change. That aside, a solid understanding of how these risks could impact the business is essential. And in this regard, there is a need for consistent understanding across the organization of the risks and the role that each and every individual has to play in mitigating such risks. The compliance function is increasingly becoming the arm of change in the enterprise, responsible for ensuring not just compliance at the highest level in the business, but also for making sure that each individual understands the role that (s)he has to play in achieving and maintaining such compliance – and why. Effectively communicating personal responsibility and the role of the individual is the key to turning what is sometimes seen as the weakest link in the compliance link – people – into the strongest link.
MG: How does the Information Security Forum help member companies mitigate risk?
SD: In two ways. First, we produce an annual threat report that looks out two years to provide our members with an emerging perspective of the challenges that will be facing them over the coming two-year forecast period. This is used by many as input into their strategy and risk management activities, often in conjunction with our threat radar tool, and I believe it is increasing in importance. The second area is in our risk assessment approach, IRAM2, which provides members with the ability to identify emerging threats and vulnerabilities, assess the risk, often at a department or even application level if required, and to subsequently put in place a risk mitigation treatment that both addresses the risk and is also in line with the overall corporate risk appetite. Both of these are core tools that can be used to mitigate emerging risks, and we are seeing a definite increase in their application across the global membership.
MG: You recently released Threat Horizon 2019. What do you see as some of the most significant compliance risks that Chief Compliance Officers should be prepared for over the next two years?
SD: The Threat Horizon 2019 deals with three emerging themes: disruption, distortion and deterioration. Whilst the first two deal with issues such as fragile connectivity, an overdependence on the internet and ransomware, along with a loss of trust in the integrity of information upon which we are increasingly dependent, it is the third theme that really is of particular relevance to Chief Compliance Officers.
This theme of deterioration looks at the impact when controls are eroded by regulations and technology. Rapidly advancing intelligent technologies and conflicting demands for both heightened national security and individual privacy will inadvertently erode an organization’s ability to control information. Surveillance laws designed to secure nations against adversaries, new regulations protecting individual privacy and intelligent systems that make their own decisions will inhibit an organization’s ability to protect its assets and people. An organization will need to take steps to manage emerging risks in a complex regulatory and technological environment. However, while many factors will be beyond the direct control of the organization, business, security and compliance leaders can prepare to address these threats through considered risk assessments, open and honest negotiations with communications providers, taking legal counsel to understand the effects of new regulations and building a workforce that is ready for the adoption of advanced technology in a highly regulated world. Many of these tasks will fall upon the shoulders of the Compliance Officer, whether from a leadership or participation standpoint.
MG: What new service offerings have you recently announced and do you have in the queue?
SD: The ISF is committed to providing our members with timely insight and tools that enable them to understand and manage the challenges that we all face in running effective businesses in a cyber-enabled world. Some of the more recent announcements include our guide to the EU GDPR – we are also running a number of workshops on this for members all around the world – and a new report on threat intelligence. Businesses are constantly making decisions on how to manage cyber risks. Requirements-driven and skillfully crafted and employed, threat intelligence informs these decisions and enables actions that equip the organization not only to react to today’s threats, but also to prepare for tomorrow’s. This report equips an organization to gain maximum value through the effective production and use of threat intelligence, along with the examination of practical considerations (including organizational structures, use of technology, collaboration with partners and outsourcing) for implementation.
But what we have also found is that our members are increasingly time poor, so we have introduced a range of consultancy services which members are able to use as a wraparound to our products to get some of the issues I’ve been talking about – such as the management of risk and the assessment of threat applicability, for instance – implemented and embedded in their organizations. ISF consultancy is all about helping our members get added value from the ISF. Our aim is to come in, do the work and get out as quickly and as cost effectively as possible, having made a positive, quantifiable difference to our members’ ability to operate a world-class cybersecurity function.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.