Axio Board member and former CEO of BP, Bob Dudley, recently sat down with experts at Accenture for its 2022 OT Cybersecurity Virtual Summit. Sharing his experience, Bob discussed lessons learned in cybersecurity, the continued challenge of cyber resiliency, and the crucial role played by C-Suite execs and board members in this space.
In today’s cybersecurity landscape, the risk posed to critical infrastructure by cyber criminals is everybody’s problem. When asked what he sees as the most significant worry “keeping CEOs up at night,” Bob first referenced major cyber breaches over the past year, including JBS and Colonial Pipeline, and his time as CEO of BP after its major 2018 breach. Cyber is an operational risk and has the potential to impact the entire viability of an enterprise or company, he noted. For a long time, cyber was viewed as a technical problem for someone like a Technical Solutions manager to solve. But today, it’s being seen more and more as a top business risk and needs to be treated as such, not only by management teams but all the way up to the board of directors. This is a sentiment on which we’ve built our platform here at Axio.
Though many C-Suite executives have taken some time to “wake up” to this challenge, increasingly, the implications of a breach are spurring a more serious dialogue and commitment to cybersecurity across industries. “Things have really changed a lot in the last five years,” Bob notes, “but even more in the last six months to a year.” Large data breaches have continued to raise concerns about operational continuity and the safety of our critical infrastructure. We’ve seen global shipping giant Maersk reduced to using personal emails to offload harbored ships, and we’ve seen Saudi Aramco reduced to using fax machines to trade oil. With JBS and Colonial occurring most recently, these attacks have escalated the need to understand associated financial implications. The only way forward is to leverage tools that can quantify risk and let senior management and boards know what their critical assets and business processes are.
When asked how things have changed from his time as CEO to being on the other side of the chair as a board member, Bob noted that business leaders cannot rely on everybody else to solve the cyber problem. It will come right to the desk of the executive team and boardroom. In the past, most companies would conduct a cyber review once or twice a year using a stoplight dashboard to “make [the board] feel better.” However, boards need to be much more involved, and cybersecurity should be included as a standing item on every company’s risk committee. Without breaking the bank, tools like Axio can quantify top financial risks for board members. With cybercrime, it’s impossible to have every angle covered, but risk quantification can help non-technical business leaders identify the processes and assets that are critical to determining the financial impact of a breach.
For more information on how you can leverage cyber risk quantification to make the right cyber spending decisions as a board member, check out our Axio Leadership Guide: Getting the Board Game Right, which details Axio’s risk-based approach to cybersecurity.