Interview: Stroz Friedberg’s Seth Berman on risk management in a digital era and the information security riddle

Organisations are facing a growing number of challenges in managing the risks and responsibilities of doing business in a digital era and Stroz Friedberg is one of a growing number of companies that provides the investigations, intelligence and risk management expertise to tackle these issues. We interviewed Seth Berman, executive managing director and UK head of Stroz Friedberg to find out more about information security, the intricate world of compliance and data management.

How has information security changed for companies?

Adversaries are becoming increasingly sophisticated and even the best computer security can be breached. Significantly, any business, irrespective of size, is at risk from internal and external threats. Business leaders are gradually starting to recognise the importance of such threats but there is a long way to go before we have a universal understanding of an individual organisation’s ability to combat and recover from an attack. Complacency is not an option and it is important to carry out regular threat assessments and provide training to determine vulnerabilities. Organisations must also create contingency response plans to address and minimise the consequences of a breach in case, despite their best efforts, one were to occur.

What are the new and emerging threats and how can these be reduced?

The reality is that there are many types of incidents and a broad range of potential perpetrators, both from within and externally, which could lead to different types of loss. The fragmented nature of cyber risks, exemplified by opportunistic criminals and disgruntled employees at one end of the spectrum, with nation states, or terrorists, or anarchists at the other, means organisations are having to engage in a game of cat and mouse, where the adversaries metamorphose with increasing regularity.

Combating cybercrime requires a clear strategy. It is critical to have senior-level commitment to tackling such risks, which must be backed by a focus on corporate governance and the development of a culture of vigilance. Organisations need to be prepared with a response plan in the event of a breach and conduct regular audits of their security systems. This will identify areas of potential weakness and best practices.

What impact could a data breach have on a business?

A cyber security incident could prove catastrophic. A combination of financial, regulatory and reputational harm is not unusual but there is a direct correlation between an organisation’s ability to recover and the pre-incident investment and preparation. One British company is reported to have lost £800m in revenue following a state-sponsored cyber-attack but the impact is rarely limited to a financial loss. We have seen numerous examples of reputational harm, class action lawsuits, business continuity failures, regulatory action and damage to customer confidence in the wake of such incidents.

Why do so many organisations find compliance such a challenge?

For compliance to work, it has to pervade operations. Though an increasing number of companies have given significant thought to the issue and have good policies in place, there are few signs of a corresponding drop in companies that get into trouble due to compliance failings. The reality is that drafting a good compliance policy is only the first step in creating an effective program. Breakdowns happen because of a lack of training or inappropriate training, poor implementation, and insufficient oversight of a compliance program. In some cases, these issues may be related to the culture of an organisation, but compliance is not exclusively about culture. It requires systems and processes in place that will ensure people are empowered to make the right decisions.

Stroz Friedberg has recently launched a compliance app. Why?

Navigator allows us to expand our services to help clients enhance their existing compliance programmes to reduce the risk of company failure. It does this by making compliance policies come alive through instant access to interactive information, from corporate hospitality and bribery to gifts and money laundering. Navigator provides real-time answers to questions about relevant policies and automates the approval process. This gives employees direct and efficient answers to their compliance requests, from a desktop or smart device. The benefit for compliance and risk professionals is that the compliance approval system can now be automated, allowing data-driven decisions to be made, for example, relating to training or internal audit. There are also potential efficiencies in terms of annual compliance audits, subpoena compliance and regulatory inquiries.

What is the role of smart devices in supporting compliance?

The technology really puts compliance in the palm of individual users' hands. It’s a real benefit and can help remove the barriers that all too often keep staff from reviewing and using compliance resources at the critical moment when their failure to do so can be so devastating. Research by Gartner suggests that 70 percent of mobile professionals will conduct their work on personal smart devices by 2018, so a greater degree of operations and compliance work will migrate to such platforms. In parallel, the regulatory environment is increasing in complexity, enforcement is being tightened and companies are looking for solutions that can make it easier to educate employees, track compliance and manage specific processes.

How does the compliance app tie in with Stroz Friedberg’s other services?

Laws and regulations governing corporations around the world are growing more stringent. We are also witnessing a greater focus on enforcement and clients want to ensure their employees have the tools and guidance to comply. They are often introduced to us when they need advice in preventing incidents, investigative services or post-incident assessment work and our compliance work is very much a book-end to our other services. Navigator offers the framework long sought by clients looking to strengthen corporate governance at all levels of their organisations.

What are your top tips for safeguarding compliance?

The main thrust of compliance will have to come from the top down, but too often organisations fail to address how the policy works for front-line staff. However, even a perfectly written policy that is legally accurate and correct in 99 per cent of cases will sooner or later lead to a breakdown between that policy and its implementation. The challenge is, therefore, to make the policy work operationally, which is very different from making a policy that sounds good. Implementing a new policy requires effective and innovative training, as well as operational tools to ensure that the culture of compliance pervades the organisation.