Rachel Ratcliff, Senior Managing Director at Stroz Friedberg, an Aon company
Digital Forensics & Incident Response and Engagement Management
- Guyton Cochran, CFO of Southwire
- Brad Herring, CFO of Shift4 Payments
- Mike Dixon, CFO of Focus Brands
- Glen Peters, Global CFO of Trimont
GETTING THE INVESTMENT RIGHT / HOW TO PRIORITIZE THE SPEND ON CYBER SECURITY
- It’s impossible to have it all right so it is important to identify and focus on key threats
- Important to focus on training for everyone in the organization from leadership all the way down
- New hires are required to complete compliance training within the first week of work; a total of 20 hours, of which at least 50% is security-related
- Significant training and quarterly campaigns around phishing
- Think like a threat actor
- If an employee clicks on a link in a phishing exercise, they receive an automatic message assigning additional training; further action is taken if there are multiple violations in a 2-year period
- From a data breach perspective, PCI regulates and sets industry standards
- Ransomware is different and must be planned for differently
- Have seen a shift in spend from protection of financial assets to a more proactive approach to business interruption and ransomware protection
- In recent years, realized cyber security needs to be on the same level as safety in his organization
- Phishing exercises focused on both emails and texting
- You think you are prepared until you realize you’re not
- Important to understand how to properly utilize the tools and technology and integrate them into day-to-day business processes
- Payment processing highly regulated by PCI
- Highly aware of both internal (employees) and external (vendors) threats
- With vendors, need to look at source ranking, level of access, control access points, internal controls
- Difficult to put your finger on the right spend related to cyber
- Important to educate yourself 1 level down
- Create a trusting relationship with IT through offline meetings without executive team to understand real threats and identify roots of problems
- IT reports up through him
- Important to decide in advance who has the power to declare a disaster and implement disaster recovery plan in the event of an attack
- Will you need to take the company down? If so, how do you do that? And what problems may you encounter when you bring the company back up?
- Important to have strong programs and assurances that perpetrators are not in your backups when you go to restore
- Management cohesion is key as well as the ability to make quick decisions
- Important to engage with reputable 3rd parties who can help you understand how best to prepare against an attack
- Most of the changes made around cyber security have been related to process improvement not necessarily tools and technology
- Important not to have a false sense of security when it comes to cloud-based storage
- Approach to cyber security needs to align with business objectives; IT team needs to be viewed as a facilitator and part of the solution rather than a deterrent
- Disaster recovery plan needs to contemplate 3rd party suppliers and customers; know the realm of any potential attack
- Balance between insurance and front-end spend is important
- Insurance companies are beginning to close the gaps in business interruption coverage and not cover cyber unless on a separate cyber policy
- Quarterly reporting at board level and once a year conduct deep dive in a specific area related to cyber security
- CSO runs the playbook to help improve the plan
- Roleplay around who has the power to make certain decisions in order to dissipate some of the tension
- Don’t have the capital to stay current against all threats so have to outsource and ensure service level for vendors is at top end of the game; always track KPIs and monitor reporting
- A detailed approach to new vendor management including reviewing financials, business management, insurance coverages, and security profiles; Security will trump a vendor’s functionality
- Takes time to establish rapport with IT
- Finance and IT are no longer referred to as a cost but as an investment
- Security committee report distributed monthly and quarterly meetings with the executive team to review outcomes and talk about what’s next
- PE firm also has a separate IT / cyber security board
- Things that are core to business stay in-house
- Threat actors are always 1 step ahead so you want to make sure any outsourced monitoring devices and tools are also staying 1 step ahead and quickly make changes if they aren’t up to speed
- Reviews vendor list and risk profile of each
- Understand how the organization interacts with vendors in terms of access points, data flow, and controls
- Public companies are disclosing cyber risks in quarterly reports; important to take note
- Read your business interruption policies
- Quarterly presentation to the audit committee and cyber is always in top 3 risks; recently added new board member from Google to provide additional expertise
- Protection and prevention outsourced
- Most have moved to cloud-based storage
- POS systems usually focus on functionality but also need to contemplate cyber security
- Quarterly meetings with executive team and annual 3rd party security audit which is presented to board
- When involved in an attack, egos are involved but you need to be realistic and quickly assess the risks
- Challenge yourself to think through how you would respond in those situations and expect to deal with very sophisticated threat actors
- Rules and regulations are there to guide you through a data breach
- Act quickly and be prepared to take action to backstop systems
- In the midst of an attack, did you call the FBI?
- Yes the FBI was notified
- Engaged a firm that advised on how to communicate through the dark web and develop stall tactics so you can properly assess the potential impact of the attack
- How do you balance the investment between the maintenance of systems and future development?
- Transparency is key – ask the question: where are we on patch updates?
- Have offline conversations to understand IT position
- Make sure there is a process in place to escalate any issues
- How are bitcoin and blockchain changing your industry?
- Until there is wide adoption at the consumer level, don’t expect this to be an issue
- Security measures in place to make sure it doesn’t get too big too quickly
ABOUT THE SPEAKERS
Guyton Cochran, Jr. currently serves as CFO and EVP at Southwire Company, family-owned and one of the world’s leading manufacturers of electrical wire and cable. Cochran is responsible for Southwire’s overall financial and strategic management, including the company’s financial reporting and long-range business planning. In addition, Cochran oversees all aspects of information technology, security, data, and analytics for North America’s largest wire and cable company.
Brad Herring is responsible for all financial elements of Shift4 including accounting, financial planning and analysis, cash management, and tax. Prior to joining Shift4, Brad was the CFO of Elavon, one of the world’s largest merchant processors. Prior to Elavon, Brad served as the CFO for the Digital Banking group at Fiserv and held various leadership roles at Equifax.
Mike Dixon joined FOCUS Brands as CFO in March 2016, bringing with him more than 25 years of corporate finance leadership and public accounting experience in the retail and food service industries. Mike previously served as President and CFO for Ignite Restaurant Group, Inc., leading financial and other key support functions for the 350-unit, multi-branded restaurant company. Prior to Ignite, Mike held the position of Senior Vice President and Chief Financial Officer for Pinkberry, Inc., where he helped streamline the company’s business development plan and accelerate system-wide sales with a robust franchised growth model.
Glen Peters is responsible for overseeing all financial and accounting services for the firm worldwide. He serves on the firm’s Global Advisory Council and Operating Committee as a member of Trimont’s senior leadership team. He also serves on the firm’s Pricing, 401K, Credit, and Compensation committees. Prior to joining Trimont in 2017, Mr. Peters’ career included senior finance roles at T5 Data Centers, Dewberry Capital, Lend Lease Corporation, and Price Waterhouse.
The program was moderated by Rachel Ratcliff. As Senior Managing Director and the head of Stroz Friedberg’s Dallas, TX office Rachel leads a wide variety of engagements, including data breach/incident response matters, complex digital forensics investigations, security risk assessments, and cyber incident preparation and preparedness. Rachel leads and manages the Engagement Management group within Aon’s Cyber Solutions and serves on a number of executive committees within the firm. Rachel joined Stroz Friedberg in 2009 as a Vice President of Engagement Management.