The Path Toward Cyber Resiliency: A Q&A with CrowdStrike's Shawn Henry
Cyberattacks, and ransomware in particular, are surging - wreaking significant economic, reputational and operational havoc on financial institutions worldwide. But there are steps firms can take to mitigate threats and to improve their ability to recover from cyber incidents.
Friday, September 10, 2021
By Christopher Hetner
Global cybercrime damages are projected to reach $6 trillion this year, and nation-state adversaries are increasingly leveraging widely-used software suppliers to gain access to networks. The threat of a cyber-driven systemic disruption in the financial sector is so large, in fact, that U.S. Federal Reserve chair Jerome Powell recently asserted that “the risk that we keep our eyes on the most now is cyber risk.”
As the capabilities of adversaries using cyber to cause harm continue to grow, and as companies push the boundaries of digital transformation, it is imperative for the c-suite and boards to oversee the development of effective strategies to manage enterprise cyber risk. Indeed, in this environment, many financial institutions see enterprise cyber-resiliency efforts as an opportunity to gain an advantage in today's ultra-competitive economy - rather than as a mere information technology exercise.
Shawn Henry - the current President of Services and CSO of CrowdStrike, and the former Executive Assistant Director of the FBI's Criminal, Cyber, Response and Services branch - knows all about the threats presented by cyber risk in both the public and private sectors.
As a leader at CrowdStrike, part of Henry's remit is to provide cybersecurity advice to boards of directors and executives in both the commercial and government sectors - on everything from proactive security measures to corporate readiness in the event of a cyber breach. During his time at the FBI, he oversaw global computer crime investigations, including denial-of-service attacks, bank and corporate breaches, and state-sponsored intrusions.
Recently, Henry spoke with Risk Intelligence about cyber resiliency, the role of the c-suite and board in managing cyber threats, public-private cybersecurity similarities and differences, and best practices for cyber-risk identification and mitigation.
CH: Shawn, thanks for talking with us today. People tend to forget about cyber when they are speaking to the resiliency of a business. Why is this completely backwards?
SH: Historically, companies have looked at risks to business aligned to financial impact. They're looking at risks related to liability, to revenue growth and those sorts of things. I don't know that they look at cybersecurity as an impact to their business, but the resiliency of the company is dependent on the integrity of the environment and the availability of the network.
Everything that companies do today - the way they manufacture, the way they sell, the way they communicate and the way they market - requires the network to be in place. Without that network, they are, in many cases, out of business.
So, I think businesses are beginning to pay closer attention to cyber risk. They're starting to recognize the operational impact and the cost to the business if they fail to adequately maintain the resiliency of their business environment.
For companies to be successful in the protection of their data and the protection of their assets, they are going to have to recognize cyber risk for what it is - and, in many cases, it's existential.
CH: I know you offer a significant amount of guidance to boards and c-suite executives. Can you give us some insights into the guidance you provide?
SH: I speak to many boards as an adviser and to educate them on the risk that they face. I engage boards about their enterprise risk exposures and the relevance of cyber threats. Every one of my interactions with the board begins with, “cyber is a business risk, just like any other risk that you face as an organization, and you've got to address it as such.”
I always encourage a dialogue between the chief information security officer (CISO) and the c-suite that's inclusive, rather than trying to find somebody who did something wrong. The board must recognize there will be cyber risk and incidents as part of doing business.
Enterprises have tens of thousands, or even hundreds of thousands, of endpoints and employees. So, somebody will fall for a phishing scheme, lose a laptop, give away their credentials or allow an adversary to enter the network.
The board should set the standard for the enterprise to quickly respond and mitigate the consequences of such an incident. In other words, we can stop an incident from becoming a full-fledged breach.
CH: As a leader in both the public and private sector for cybersecurity, what observations can you share on the differences or similarities across both environments?
SH: It's a great question. When I was in government, the perception was everything on the commercial side is completely different, and that's certainly not true. The fact is many of the same risks that governments face are represented in the private sector. Therefore, there needs to be collaboration to successfully overcome the threats that we face.
The one thing I've learned is that while the government has a massive amount of cyber capabilities, and certainly takes steps to filter out malicious online traffic, it cannot fully protect the private sector. For example, the government does not have the ability to stop advanced cyberattacks launched by our adversaries, due to the legal limitations that handcuff the intelligence community.
The fact is adversaries are launching attacks every day. They're landing on these corporate networks, and the companies must protect themselves. But there is, I think, a paradigm shift underway.
We grew up believing and expecting that our government is protecting us from criminals on the streets and from foreign armies. However, government does not have the capacity, authority and ability to block all of these complex digital attacks. They do have a role to play in terms of deterring actors who are launching these attacks - but, at the end of the day, the private sector is responsible for protecting its own environment.
CH: Ransomware attacks are regularly grabbing headlines, and continue to be a significant issue. What's your guidance to the GARP community with respect to best practices they can implement to mitigate ransomware exposure? Also, are there any insights you can share on the potential downstream impact of these ransomware incidents, as they relate to operational risk?
SH: When I consider a company's risks, I think about the financial risk, the reputational risk and the operational risk. All three of those come into play when you're talking about ransomware, specifically.
I think with many cyberattacks there are certainly financial and reputational risks - but not necessarily an operational risk. Ransomware, on the other hand, absolutely has an operational risk attached to it, because of the very nature of these types of attacks, where data is encrypted and is rendered inoperable and inaccessible to its owners. That certainly impacts operations.
A hospital that is subject to a ransomware attack, for example, may not be able to do surgeries because its schedule has been encrypted - or some of its important patient data has been encrypted and doctors can't access it in advance of a surgery.
Another example is a services company that loses access to all of its customer data because of a ransomware attack. They won't be able to provide their services because they're not able to look at their deliverables or their customer contacts.
That's an operational impact, and I've seen companies go offline for weeks or months, in some cases, because of a ransomware attack. They don't have the ability to generate revenue - they can't sell their products, because they can't make their products, and that costs them millions of dollars. And then there's the whole cost associated with the recovery piece.
So, for companies to recognize the risks of cyber incidents across those three vectors - financial, reputational and operational - is really important. I would hope that understanding those risks at the leadership level would encourage a company to invest in its cybersecurity, because much of this can be prevented - if companies have the proper posture and the proper security processes and policies in place.
Indeed, they can mitigate their risk significantly - if they patch their systems, if they keep appropriate backups, and if they have endpoint detection and recovery software in place to detect and prevent these attacks. They also should have experts in their organization who are focused on the intelligence, to determine who was being targeted and how they were being targeted.
There are so many things companies can do in advance to protect against cyber risk, and it starts with the senior leadership of the company - from the board down. They must identify and comprehend the risks - financial, reputational and operational. Moreover, they should have the mindset that they can't suffer through major cyber incidents, because the costs and the risks are too high. Instead, they should commit to invest in preventive measures.
I see this not unlike healthcare. We need to invest in our healthcare - we need to exercise and eat properly and not smoke, so that we can protect ourselves.
It's not about trying to fix things after they're broken. Rather, it's about trying to prevent them from happening or putting measures in place to detect them. Using the healthcare example, when you go for a colonoscopy or an annual checkup, or have bloodwork done, you're trying to detect problems in advance of them becoming catastrophic and a threat to your life.
I think focusing on investment and on understanding the risk of cyber incidents, and executing against that to mitigate potential hazards, is the best approach for boards and senior executives.