Accenture managing director talks IoT risks and cyber insurance

Mar 30, 2016 | 4 mins

Careers | CSO and CISO | Internet of Things

Kevin Richards is a managing director and leads Accenture Strategy’s North America Security Centre of Excellence.


Kevin Richards is an information risk management adviser with over 24 years of experience in information and cyber security, business continuity, and enterprise risk management. Richards’ expertise ranges from risk analysis and program design to information security and business continuity program development and leading practices. Working with large multi-national corporations, as well as the United States Department of Defense (DoD), Richards provides an array of technical and practical perspectives on building and protecting an organization’s critical information assets.

1) What are the three biggest risks that the IoT creates?

The Internet of Things can mean many things, depending on the circumstances. For purposes of our discussion, let’s define this at the macro level – “Connected everything.” In that context, a number of risks need to be acknowledged and managed.

First, as companies, their machines, their people and their ecosystems of partners, providers, customers and even competitors become more connected, the security of data as it is created, captured and transmitted across the Internet of Things grid is increasingly complex. Connections and the potential for their exploitation need to be understood and acknowledged upfront.


Second, as data flows upstream and downstream, there’s opportunity for unknown and unintended data exposure. Management needs to recognize.

Third, organizations need to acknowledge that they can only defend what they can define. Risk models need to be enhanced and recast, recognizing that the landscape is very different and that it is constantly shifting. Our current risk models need to be enhanced to truly answer this question. Highly related, we also need to consider cyber resiliency of IoT – where capability, effectiveness and maturity also have a direct impact on risk. Ultimately, we’ll need to solve for both risk and resiliency.

2) What are the things that you look for in a cybersecurity consultant?

As you might expect, cybersecurity consultants need to be bright, innovative and knowledgeable about cybersecurity. Beyond that, we look for team members that are able to tie technologies to business processes and can look beyond a control catalog to articulate valuable business outcomes. And finally, we look for people that are creative and passionate about cybersecurity consulting. Accenture’s goal is to help our clients better protect themselves from the growing cyber threat. Our security consultants are on the front lines making that a reality.

3) What were your biggest challenges in moving from a midsized consultancy, like Neohapsis, to a global consultancy like Accenture?

It has been very exciting and rewarding to be part of Accenture. The scale and depth of Accenture’s relationships with its clients is truly special. From a day-to-day perspective for me, however, there are a lot of similarities between my roles – helping clients understand their cybersecurity exposures, helping business leaders enhance the effectiveness of their security program, and providing thought leadership that addresses demand concerns. We work hard to build team cohesiveness to allow our larger team to build very strong interpersonal bonds.

4) What are your thoughts on cyber insurance, fad or here to stay?

My sense is it is here to stay, but will continue to evolve. The desire to transfer risk has been around for a long time, and that’s not going to change. Unlike other areas of risk, we are still in our infancy on being able to define quantitative and material cybersecurity impacts. Unlike other risk areas, cybersecurity is still building the actuarial data to provide underwriters with the tools they need.


As a new discipline, there continues to be opportunity to further shape actionable and binding cybersecurity risk guidance. In the physical realm, insurers understand flood plains and fault lines and have specific building codes and documented expectations that insurers publish for building in these areas. As an industry, cyber insurance has more work to do to build the models and collect the evidence to inform expectations.

5) The question you yourself would like to be asked… What’s the role of the CISO over the next 10 years?

I see the role of the CISO and the role of cybersecurity as being more important now than ever before. As a Board level and C-suite priority, cybersecurity has risen to the top of the agenda. With that, the successful CISO has to move much closer to the business *and* stay on top of the latest threats and technologies. Much like corporate counsel guides the legal agenda for a company, the CISO needs to take that same level of command toward the cybersecurity agenda. Implicit within that, however, is that the CISO needs to move beyond broad generalizations and techno-acronyms and engage the business leaders in a pragmatic effort to improve corporate marketability, increase sales, and improve efficiency.

Over twenty years of experience as an information security professional, serving in executive and senior management positions, in the US and the UK. My responsibilities have included the development and implementation of global information systems security management programs aligned with NIST CSF, ISO 27001:2013, elements of the NIST 800 series and HIPAA/HITECH. Also, I have created new corporate risk programs including the formation of a board level Risk Committee. Implemented new vendor management programs to track the compliance state of our key vendors and data holders with HIPAA/HITECH and PCI DSS. Completed the requirements, testing and installation of a state of the art security information and event management (SIEM) platform with IBM’s QRadar and ArcSight. Also, completed the requirements, testing and installation of two vulnerability scanners, IBM's QVM and Nessus. Developed an information security awareness program which included annual training for all staff.

Served as Chairperson of the Communications and Public Relations Project Group of Interpol's European Working Party on Information Technology Crime, as well as advising their Wireless Applications Security Project Group. I am the former President of the United Kingdom and Bluegrass chapters of the Information Systems Security Association (ISSA), and a member of the editorial advisory board of the ISSA Journal. I have attended numerous courses on cybercrime and white collar crime through both the Kentucky Department of Criminal Justice Training and the National White Collar Crime Center.

It has been my honor to be named an ISSA International Fellow (2015) and to receive the International Information Systems Security Certification Consortium, Inc. (ISC)^2, President's Award for service to the information security community (2002, 2004 and 2009).

Lastly, I hold a Master of Science in Information Security from Royal Holloway, University of London, and am a former senior instructor for the (ISC)^2 CISSP CBK seminar, MCSE and BS7799 Lead Auditor.

The opinions expressed in this blog are those of Richard Starnes and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.