JLT cyber leader calls for 'attitudinal shifts' toward risk

A visiting cyber specialist from London has urged tech chiefs to focus on “internal collaboration” and treat potential cyberattacks not just as an IT security risk, but a strategic business one.

As part of JLT's cyber series awareness program, Sarah Stephens, JLT head of cyber, content, and new technology risks, will visit Sydney, Melbourne, and Perth to meet with the federal government and private-sector organisations over the next two weeks, and discuss significant issues within the Australian security landscape.

“The role of the CIO – whether or not the security part of the organisation reports into the CIO or is working together and they report into operations – is as an integrator of disparate parts of the business,” Stephens told CIO Australia ahead of her three-city tour. “With respect to cyber security, we’ve seen a huge shift in attitude over the last five to ten years in terms of thinking through the ability to prevent every attack, and prevent every bit of data exfiltration and (be) much more focused on how can we work together to get to a place of better resilience for the organisation.”

Stephens said the policy of reforming cyber risks as a strategic business risk and the attitudinal shifts go together with risk becoming increasingly high-profile within many organisations, as she noted that CIOs have become more involved in the evaluation and purchase of cyber insurance.

“Even as recently as five years ago, we would go into a meeting with the CIO and the risk manager and they’d meet for the first time there,” Stephens told the tech website. “The person who’s in charge of managing the overall risks of the organisation hadn’t met the person who was in charge of information systems – and that’s crazy in an environment where most businesses are completely reliant on technology for both business continuity and growth.”

Stephens noted a greater shift in the attitude on the part of the CIO, who is now aware that there's no quick solution to cybersecurity and that there needs to be collaboration with multiple stakeholders within the organisation, including a risk-management team, to achieve resilience.

“Oftentimes, after the CIO and risk manager had met for the first time, the CIO would be really defensive about being questioned,” Stephens said. “They would say, ‘It’s not possible that anything could get through the security perimeter that we’ve set up, and our systems are completely bulletproof.’ But we’ve seen this attitude totally change to recognising there’s no such thing as 100% security.”

CIOs have now come to recognise that collaboration involves a mix of management and prevention from both a technology and human perspective, as well as a bit of residual risk transfer from an insurance perspective, the cyber expert told CIO Australia.

Source: Insurance Business