Managing Cyber Risk for Under-Pressure CISOs
Overworked CISOs are struggling to deliver the cybersecurity results their organizations expect. Fortunately, there are concrete and practical ways they can make their lives easier—while managing cyber risk effectively.
CISOs face a perfect storm of challenges. The enterprise shift to unbounded IT environments is driving the need for new cyber risk management approaches. So is the upsurge in generative AI. Multiplying threats seem to have unlimited scalability, but cybersecurity budgets and teams do not. And the C-suite and corporate boards are asking more questions about enterprise security posture than ever before.
It’s no surprise many CISOs say they’re overwhelmed by the expectations placed on them. How can they ease the strain while successfully managing threats, prioritizing risks, and raising the visibility of cybersecurity throughout their organizations?
Season 2 of Trend Micro’s #MondayMinutes video series aims to answer those questions and more, tackling the challenges faced by today’s security leaders. Each short, insightful video hosted by Trend Micro’s Andrew Philp looks at a different aspect of the security landscape, pulling in perspective from executive experts and special guests.
Here’s what you’ll find in Season 2:
E01: Aligning Risk Management to Cyber Risks and Exposures
Ransomware grabs headlines and provokes corporate anxieties but it’s hardly the only threat CISOs need to address. That’s why Trend Micro Global Chief Technology Strategy Officer David Chow advocates taking a holistic view of cyber risks.
Being holistic means looking at all potential vulnerabilities associated with people, processes, and technologies. The goal is to create alignment between an organization’s cybersecurity posture and its overall risk management approach, putting cybersecurity into strategic terms that boards and executives understand. Since no business has unlimited financial or human resources, David explains the holistic approach also requires smart use of tools to boost capacity and scale up cyber defenses.
E02: C-level Visibility Into Cyber Risks
Singapore’s ST Logistics has a significant government customer base, making reliable cybersecurity an absolute necessity. Eric Sim, the company’s Chief Technology Officer and Chief Information Officer, draws on ST Logistics’ lessons learned to shed light on how CISOs can make risks more visible, prioritize resources, and spread cybersecurity awareness throughout their organizations.
Learn about the company’s structured approach to classifying and prioritizing risks, and its emphasis on continual monitoring and reporting. If there’s one mantra inspired by this discussion, it’s visibility, visibility, visibility: the more that’s seen, the more can be shared—up to the highest levels of corporate decision-making.
E03 (Part 1): Impacts of Privacy Data Breaches
A single cybersecurity event involving private customer data can wreak havoc on a company’s brand reputation, damaging trust and credibility in ways that are enormously difficult to come back from.
Trend Micro’s David Chow discusses some of the bottom-line impacts of private data incidents, including market share loss, stock price declines, and customer churn as buyers seek more reliable service elsewhere. That’s not to mention the regulatory fines that may be levied or the obligation, at least in the U.S., for breached companies to monitor potential harms to customers for two years—at their own expense.
E03 (Part 2): Impacts of Privacy Data Breaches – People, Process, Technology
David Chow shares his thoughts on what CISOs can do to mitigate the risk of privacy breaches, noting that with the right security tools and capabilities and a culture of cybersecurity awareness, businesses can prevent breaches from happening in the first place.
In this ‘people, process, technology’ approach, the people/culture piece requires training, reinforcement, and a commitment to accountability. Process-wise, it’s important to assess new capabilities before they are deployed and communicate transparently when issues occur. It’s also essential to have the right security technologies deployed to support a zero-trust framework.
E04: Zero Trust – Balancing Adoption and Practicality
Is zero trust realistic? Hani Arab, zero-trust PhD candidate and CIO of Australia’s Assetlink, says the answer is “yes”, explaining that zero trust does not insist on any one specific implementation but rather provides a strategy for organizations to follow—rooted in the principle, “Never trust, always verify.”
Hani runs through the five pillars of zero trust and talks about the ways each organization’s risk tolerance will color its specific zero-trust approach. Tailoring zero trust to a company’s unique needs requires assessment so that CISOs can base their decisions on complete knowledge of the assets they have to protect and the liabilities they face.
E05: Artificial Intelligence – Maximizing Potential, Minimizing Risk
Edwin Hernandez spends a lot of time thinking about AI in his role as Division Technology and Strategic Executive at MIT Lincoln Laboratory. He believes the healthcare sector is uniquely positioned to pioneer a truly global AI platform because of the worldwide scale of available datasets—but not without comprehensive cyber risk analysis and cybersecurity approaches to ensure data privacy.
AI cybersecurity starts right at the training stage, taking care to ensure a machine’s learning datasets don’t include private or sensitive data that could be exposed accidentally as it starts to generate outputs. Edwin recommends adopting a strong, well-defined, end-to-end cybersecurity framework for AI that aligns with industry standards and regulations.
E06: Sailing Through Economic Headwinds in Cybersecurity
Just as the weather doesn’t always respect couples’ wedding plans, global economic conditions aren’t always sympathetic to the need for cybersecurity. Mick McCluney, Trend Micro Technical Director for Australia and New Zealand, and David Chow discuss how modern, mature extended detection and response (XDR) technologies can help enterprises do more with less in times of ‘economic headwinds’, when pressures are high to control costs.
XDR’s data analytics, case management capabilities, and opportunities for automation speed up cybersecurity tasks and support unified cybersecurity approaches for much-needed cost efficiencies that are especially important given today’s cyber skills shortages. Strategic use of managed services can further help strike the right—and affordable—balance between automation and human expertise.
E07: Cybersecurity Risk Management: Balancing Risk and Finite Budgets
No organization has unlimited resources to dedicate to cybersecurity, but many today are feeling particularly crunched with finite budgets set against mounting vendor costs. Yet as returning guest Edwin Hernandez remarks: “You can’t afford to have a cybersecurity incident.”
What’s the solution? Hernandez and Trend Micro’s David Chow talk through the importance of having a clear risk-management framework understood throughout the entire organization, making cybersecurity a collective responsibility versus the job of one “cost center” alone. A framework also allows for smart prioritization—knowing which risks really matter, and where investments are most needed. Hernandez also underscores the need to structure organizational budgets so that cybersecurity is an overall priority because, at the end of the day, “You have to invest.”
E08: How AI is Transforming the Cybersecurity Arms Race
Imperium co-founder and CEO Tony Tan takes a realist view of AI and cybersecurity. Yes, generative AI is fueling an arms race between bad actors and defenders, but its unprecedented speed and scale are only good news for security teams confronting an ever-expanding attack surface.
In conversation with Trend Micro #MondayMinutes regular David Chow, Tan talks about the challenges posed by AI-enabled phishing and business email compromise schemes and the looming specter of “dark web ChatGPTs”. Accepting that AI is an inescapable fact of life, and that regulations can only go so far to control it, Tan says it’s up to industry and government working together to establish ethical frameworks for how AI is used.
E09: AI in the Cloud – Strengthening Security Measures in Banking
AI and the cloud are driving a customer-centric revolution in the banking sector—and Cloud Control Management CTO Tanweer Surve is leading the charge at Wells Fargo. In this episode of #MondayMinutes, he talks to Trend Micro’s David Chow about what that means from a cybersecurity perspective.
To take advantage of business-essential technologies like AI and cloud while fending off a dramatic increase in cyberattacks and data breaches, Surve says financial institutions need to combine comprehensive security strategies and good threat intelligence with robust authentication, access control, and data governance practices. Maybe most importantly, banks also need the right people: cyber-aware employees and high-value cybersecurity talent.
E10: Levelling up SOC Performance whilst Reducing Costs
It’s no secret today’s security operations centers (SOCs) have more responsibilities than ever before—and face a growing array of sophisticated threats. Manas Sarkar of Trend Micro reflects on the ways extended detection and response (XDR) is helping SOC teams rise to the challenge.
XDR’s integration of AI and automation has made SOCs faster and more responsive, drawing more data from more sources for a comprehensive cybersecurity view. Sarkar says one of the biggest advantages is XDR’s ability to put that data into context—in his words, to “tell a story” analysts can understand and act on. He also explains how one company used XDR to cut through the noise and isolate five SOC alerts out of a billion raw log files.
E11: The Role of Cyber Insurance in Risk Management
David Chow talks to Trend Micro colleague Vince Kearns about the exponential growth of the cyber insurance market and how organizations can build cyber insurance into their risk management portfolios.
Insurers are raising the bar on what businesses need to do to qualify for coverage thanks to better understanding of cyber threats and vulnerabilities. Companies can treat that as an opportunity to strengthen their risk management practices—for example, by developing detailed incident response plans. Kearns touches on the benefits of breach coaches, the growing importance of digital forensics incident response (DFIR) tools, and why every organization should pay attention to the fine print when buying a cyber insurance policy.
E12: Cyber Resilience: Navigating Risk in Government
Having spent years at the vanguard of cybersecurity in the U.S. federal government, Hun Kim is a firm believer in the importance of culture as a driver of strong cyber defenses.
In this episode of #MondayMinutes, he reminisces with David Chow about leading a holistic effort at the Department of Housing and Urban Development to develop an incident response plan, raise employee awareness, put cybersecurity on the radar of the Department’s risk management board, and implement zero-trust principles before ‘zero trust’ was a buzzword. The way Kim sees it, a strong cybersecurity culture reduces risk, and enterprise resiliency emerges from disciplined risk management.
E13: AI in Government – Transforming Processes & Security Concerns
GDIT Senior Director of Emerging Technology Tim Gilday joins David Chow for a wide-ranging discussion of cybersecurity trends in this first installment of a three-part series. Topics include AI-enhanced process discovery and how it can reveal the inner workings of complex processes to identify opportunities for improvement, the accelerating pace of technological disruption, and the threat of unrestricted generative AI applications such as FraudGPT.
Gilday shares his thoughts on how organizations can safely make genAI available to their employees—from training and qualifying users to auditing outputs and looking at alternatives to public large language models.
E14: Securing Sensitive Data in the Quantum Computing Age
What does quantum computing mean for cybersecurity? Guest Tim Gilday resumes his conversation with David Chow to tackle that question based on his knowledge as leader of the American Council on Technologies Quantum Working Group.
Deepfakes and codebreaking are two key areas of concern. AI has already spurred leaps forward in deepfake technology; quantum computing’s analytical capabilities will enable even more accurate simulations of people’s behavior and thought patterns. On the codebreaking front, quantum computing could crack the prime number factorization at the root of today’s strongest encryption schemes. Gilday explains what’s being done to mitigate these risks proactively and says society-wide culture change may be needed to raise the overall level of vigilance.
E15: Cryptocurrency & Blockchain – Balancing Security & Innovation
Blockchain may have lost some of its shine in the last few years, but returning guest Tim Gilday says it still holds tremendous potential to bring greater security to monetary systems, geopolitics, and more.
From identity management to property ownership and financial exchanges, blockchain has much to offer authorities seeking decentralized, third-party proofs of transactions. More effort is needed to solve certain technical challenges related to scalability, speed, and security, but once cracked, blockchain stands to provide a wide range of advantages and enable innovations such as central bank digital currencies.
Next steps
For more Trend Micro thought leadership on cyber risk, check out these other resources: