Accenture managing director talks IoT risks and cyber insurance

Kevin Richards is an information risk management adviser with over 24 years of experience in information and cyber security, business continuity, and enterprise risk management. Richards’ expertise ranges from risk analysis and program design to information security and business continuity program development and leading practices. Working with large multi-national corporations, as well as the United States Department of Defense (DoD), Richards provides an array of technical and practical perspectives on building and protecting an organization’s critical information assets.

1) What are the three biggest risks that the IoT creates?

The Internet of Things can mean many things, depending on the circumstances.   For purposes of our discussion, let’s define this at the macro level – “Connected everything.” In that context, a number of risks need to be acknowledged and managed. 

First, as companies, their machines, their people and their ecosystems of partners, providers, customers and even competitors become more connected, the security of data as it is created, captured and transmitted across the Internet of Things grid is increasingly complex. Connections and potential for its exploitation need to be understood and acknowledged upfront.

[ MORE Q&As: Aetna CISO talks about threat intelligence and enterprise risk management ]

Second, as data flows upstream and downstream, there’s opportunity for unknown and unintended data exposure. Management needs to recognize.  

Third, organizations need to acknowledge that they can only defend what they can define. Risk models need to be enhanced and recast, recognizing that the landscape is very different and that it is constantly shifting. Our current risk models need to be enhanced to truly answer this question. Highly related, we also need to consider cyber resiliency of IoT – where capability, effectiveness and maturity also have a direct impact to risk. Ultimately, we’ll need to solve for both risk and resiliency.

2) What are the things that you look for in a cybersecurity consultant?

As you might expect, cybersecurity consultants need to be bright, innovative and knowledgeable about cybersecurity. Beyond that, we look for team members that are able to tie technologies to business processes and can look beyond a control catalog to articulate valuable business outcomes. And finally, we look for people that are creative and passionate about cybersecurity consulting. Accenture’s goal is help our clients better protect themselves from the growing cyber threat. Our security consultants are on the front lines making that a reality.

3) What were your biggest challenges in moving from a midsized consultancy, like Neohapsis, to a global consultancy like Accenture?

It has been very exciting and rewarding to be part of Accenture. The scale and deepness of Accenture’s relationships with its clients is truly special. From a day-to-day perspective for me, however, there are a lot of similarities between my roles – helping clients understand their cybersecurity exposures, helping business leaders enhance the effectiveness of their security program, and proving thought leadership that addresses demand concerns. We work hard to build team cohesiveness to allow our larger team to build very strong interpersonal bonds.

4) What are your thoughts on cyber insurance, fad or here to stay?

My sense is it is here to stay, but will continue to evolve. The desire to transfer risk has been around for a long time, and that’s not going to change. Unlike other areas of risk, we are still in our infancy on being able to define quantitative and material cybersecurity impacts. Unlike other risk areas, cybersecurity is still building the actuarial data to provide underwriters with the tools they need.

[ Q&A: Deloitte’s Global CISO: authentication to become behavior based ]

As a new discipline, there continues to be opportunity to further shape actionable and binding cybersecurity risk guidance. In the physical realm, insurers understand flood plains and fault lines and have specific building codes and documented expectations that insurers publish for building in these areas. As an industry, cyber insurance has more work to do to build the models and collect the evidence to inform expectations.

5) The question you yourself would like to be asked… What’s the role of the CISO over the next 10 years?

I see the role of the CISO and the role of cybersecurity as being more important now than ever before. As a Board level and C-suite priority, cybersecurity has risen to the top of the agenda. With that, the successful CISO has to move much closer to the business *and* stay on top of the latest threats and technologies. Much like corporate counsel guides the legal agenda for a company, the CISO needs to take that same level of command toward the cybersecurity agenda. Implicit within that, however, is that the CISO needs to move beyond broad generalizations and techno-acronyms and engage the business leaders in a pragmatic effort to improve corporate marketability, increase sales, and improve efficiency.