Cyber-Security – A Tautology?

Skarbek Associates hosted a breakfast seminar on Cyber-Security in the legal sector on 21 October at Middle Temple.  Attendees were representatives of a wide variety of law firms from regional offices to Magic Circle.  Guest speaker was Mark Brown from EY, a noted industry speaker on cyber-security.

Discussion focused on the following points:

–  Such was the sophistication, speed and proliferation of cyber-threats it was increasingly unrealistic to expect any compliance regime to give 100% protection;

–  So risk management, rather than risk elimination, was a sensible response.  And this was familiar territory for business.  There was never growth without risk, and the best companies had always been those who managed their risk best.

–  Risks to major firms were still mainly reputational, in loss of brand equity and trust, rather than financial.  But the EU would shortly be introducing a punitive new fines regime.

–  Most companies now ‘got’ the threat, and ‘got’ the risks to corporate value.  This was a reflected in a sea-change in who answered for the cyber-security risk, away from CIOs towards CEOs, CFOs and compliance committees.

–  But – as the economy returned to growth – business was becoming frustrated to hear the same refrain on cyber-security  ‘the answer is no, now what was the question?’

– The fact was that the law lagged behind both technical advances and everyday reality.  And where there was law, major areas were still open to interpretation.   Lawyers and IT experts together could be a toxic mix.  Both operated in binary worlds – yes or no, black and white, legal and illegal.  They were not naturally comfortable ‘playing in the grey’ and could combine to impose systems which throttled crucial business needs.

–  Highly rigid cyber-compliance regimes were also of questionable value in themselves – they were brittle and quickly obsolete.  A more flexible, overlapping approach was needed.  An army could always knock down a wall, but might become lost in a forest.

Mark Brown said: ‘I don’t think that Cyber-Security is the right name, or the right concept – it is now about Cyber Resilience enabled by risk management – balancing business needs against reputational risk in areas where technology is always ahead of the law.  Corporate law may be a strategic sector of the UK economy, but its behind the game, both in advisory and in its own internal practices.’

Paul Heugh, CEO Skarbek Associates, commented:  ‘Economic growth means embracing risk.  Current cyber-compliance regimes are failing on two counts – they paralyse companies and they still don’t do the job.   Managing these new risks requires flexible but resilient corporate cultures.  Culture based on values, empowerment and responsibility rather than tick-boxes and blame’