How much say do risk managers have over cyber risk?

By now, cyber risk is at the top of most large companies’ agendas, fueled in no small part by the cyberattacks and cybersecurity failures that today grab global attention and threaten to impact the bottom line.

But while once seen as the domain of the tech geek, cyber risk is becoming far more pervasive – and risk managers need to keep up.

“In the past, I think IT thought it was just their problem. It’s not, it’s everybody’s problem, and we all have to step up. We can all help to bring everyone to the table – that’s part of my job,” said Leslie Lamb, director of risk and resilience at tech giant Cisco.

Organizations are increasingly looking to their risk managers to provide input and assistance with cyber risk, Lamb told Corporate Risk and Insurance.

“I think [risk managers] are being tapped by a lot of different people, including the board. This is a struggle from the board on down, and I do believe that this is an area in which the board, the CFO, the CEO, is going to be tapping risk managers more and more to say – what is our risk here? How do we start to look at this?” the risk head said.

But in order for risk professionals to provide effective advice to their organization on cyber, they need to first understand the risk across the board. The best way to do that, according to Lamb, is to make strong connections with contacts across the business who can help risk managers get under the skin of their organization’s cyber risk.

“Reaching out to their CISO or IT experts is a good step in the right direction – they should have lunch with them sometime, and start to understand it from their perspective and what they see,” she said.

“I think starting to engage with other members of other business units that have that exposure, like HR, and starting to increase their engagement more and more is key,” Lamb went on to say.

In her own role, Lamb said that over the years she had made a conscious effort to reach out to “every single business unit” in Cisco, which has been beneficial for understanding the cyber risk each segment faces.

“That has helped us to engage more deeply with them, and to understand the risks from their perspective,” she said.

Overall, while interest in cyber is growing, there is still not enough being done by firms to protect themselves from the exposures that they face.

“Cyber threats are outpacing security investment – I don’t think people are investing enough in their IT security,” Lamb said. “Maybe it’s because they don’t understand it well enough, maybe it’s because they think what they have done in the past will work – it won’t, they have to keep pace with it.”