Board Advisory: Disruptive Risks & Innovation
Increasing continuity and clinical care services by executing an effective cyber risk management strategy
Challenge
Some key questions that the CEO and board wanted answered included: what does innovation look like for us? What are some of the industry trends we should be aware of? What are the opportunities and risks we’re facing? How do we encourage management to build a culture of innovation? What can we do to differentiate our products, which are quickly becoming commoditized? Competitive pressures and a changing competitive landscape were the foundational driver for this work.
The need for increased differentiation
Digital strategy and transformation
Disruptive risks
Outcomes - Strategic Value
Working with the independent board chair, we executed on the following:
Board alignment on the need for innovation
Management support, nudge and push
Multiple innovation pilots accelerated or initiated after the learning clinic
Improved guidance offered to management focused on cyber risk related to business strategy
Background - Context: Disruptive Forces Shaping Landscape
Disruptive forces emerging and at work
The CEO’s objective was to begin the process of aligning board members’ and management officers’ expectations for the needed transformation of the organization. This had implications across the board: finance, sales, marketing, HR, legal, operations; every function would be affected. The CEO wanted to establish the need, while some board members didn’t see one, especially since revenues and margins were increasing. However, the competitive landscape was shifting, and the CEO and some board members feared that the revenue growth would turn to a sharp decline sooner rather than later. The fundamental question was not whether the industry and company were going to face disruptive forces, but rather how soon they would have to do so.
The CEO and board chair believed a learning clinic would be beneficial as a first step in aligning board members and the management officers.
Role of the CEO
The CEO played a pivotal role during this engagement, especially at the beginning, by:
Serving as a galvanizing force and catalyst for change
Managing the board and board dynamics
Securing the board chair’s participation and engagement in the process
Thinking disruptively; thinking differently
How We Helped
Our engagement with this client was meaningful in three broad categories or dimensions:
Learning Clinic
Board development strategy - Education options for further learning
Workshop for management officers
Management Officers Workshop - Before the client engaged us, they didn’t have clarity about their cyber risks and solutions. They really didn’t know what they didn’t know. They had outsourced their cyber security to an external service provider and had been told repeatedly that they had effective cyber security technology and controls. They also had seen some proof of this statement such as the deployment of EDR, firewalls and patch management reports. We completed a comprehensive assessment and analysis of the functional areas and their operations including interviews with their third-party service provider. To our surprise and the surprise of our client, we discovered that a critical cyber function (proactive security monitoring) was missing. In other words, if a threat actor compromised their systems and exfiltrated PHI or other sensitive data, the intrusion would go undetected until some external party (e.g. affected customers, FBI, etc.) notified our client. That was a significant problem, especially since their understanding was that they did have this capability already.
Learning Clinic - For innovation oversight: In addition to the security operations gap in proactive security monitoring, our priority findings included gaps in the following areas: asset management, cloud adoption/migration, cyber governance, threat/vulnerability management, data protection, and cyber and user awareness training. We developed a strategy with specific recommendations to help close these gaps in order of priority and in accordance with the organization’s risk profile and business objectives. In essence, we helped them define what good cyber risk management looks like and how to get there and stay there.
Board Strategy - For innovation oversight: After completion of the risk strategy engagement, our client requested a follow-up engagement to execute the priority recommendations we had proposed. The CEO and COO wanted our assistance in executing critical elements of the strategy. These included significant items such as the sourcing, comparative evaluation and selection of a best-fit service provider for them. We also delivered additional cyber risk services such as cyber learning clinics, penetration testing, architecture reviews and contract reviews.
“We’re very glad that you’re here. We’re getting way more value than we expected”
Lessons Learned
It takes multiple learning clinics to get board commitment
Seek commitment and not just compliance. The difference can be subtle but with significant impact
Don’t wait until you have to build a culture of value innovation. Start when the seas are calm and there are no storms in sight
Outcomes - Business Value Added
Our engagement with this client added business value in the following categories or dimensions:
Cost Savings - 10% monthly, positioned for future cloud-related savings
Service Quality - now measured with focus on NPS
Risk Reduction
Innovation Project Pipeline
Artificial Intelligence Success - It’s difficult to accurately estimate the amount of risk reduced as a result of the strategy execution. However, we can provide conservative benchmarks based on industry standards and reports. For example, according to the Mandiant report, the median dwell time (i.e. the time attackers go undetected) for non-ransomware intrusions in the Americas is 12 days; for ransomware intrusions it’s 5 days. Our client was able to reduce this time to less than 4 hours during our pilot testing.
More than 10 critical strategic and operational gaps in our client’s cyber security posture were remediated, thus reducing the risk associated with these structural elements. These included significant vulnerabilities that could each lead to material intrusions or data breaches.
Human error drives most cyber incidents as cited by the Harvard Business Review article.
https://hbr.org/2023/05/human-error-drives-most-cyber-incidents-could-ai-help
Approx 88% of data breaches are caused by employee mistakes - we executed cyber learning clinics focused on employees to help reduce the risk associated with the human element of cyber.
A proof point for the effectiveness of our learning clinic is qualitative feedback from employees describing how they stopped potential cyber incidents within the organization and also helped family members avoid falling victim to cyber attacks.
Qualitative feedback, with user awareness extending to their home life and families
Vulnerabilities that would have gone undetected were identified and remediated.
Human element contribution to cyber risks: 80%, and credentials
Service Quality - Going from no NPS measurements to being intentional about quality. The strategy focused on balancing security and risk management with user experience.