Hello, this is Kevin Donahue with Protiviti welcoming you to a new edition of Powerful Insights and our series on cyber security awareness. Protiviti has a series of webinars on cyber security awareness that, along with these accompanying podcasts, are intended to highlight ways organisations can be proactive in addressing these critical security challenges. We explore how leaders can dynamically build cyber resilience while maximising value. In this series, I’m happy to be talking with our cyber security leaders who are speaking on our webinars and are in the market working with organisations addressing these challenges. Our webinars and other content on security and such are available at protiviti.com/security, which we invite you to visit and peruse.

With that, I’m happy to introduce my guests today. They are Andy Retrum and Doug Wilbert. Andy is a Managing Director with the Security and Privacy practise of Protiviti based in Chicago, while Doug is a Managing Director with our Risk and Compliance practise, and he’s based in New York City.

Andy, Doug, great to speak with you today.

Thanks. You as well.

Thanks for having us, Kevin.

Andy, and Doug, I’m going to ask you the same question. Let’s start off with a bit of a fun question here. Andy, how would your parents describe what you do for a living?

Good question, Kevin. I think it’s one they struggle with. I think more often than not, they answer it the same way that my kids answer it in that I spend a lot of time at airports and on planes, and because of my security and privacy focus, my job has something to do with protecting personal information. That’s about as detailed as they get, I think.

That sounds pretty familiar with what we’re hearing from our other experts too. Doug, how about you? How would your parents describe what you do?

I would say help financial institutions - they would just say banks because I don’t think they can discern the difference between them - when they get in regulatory trouble or help them avoid regulatory trouble as well.

Fair enough. That is very clear. Doug, you’re focused in the market on this area of operational resilience. Why is that field so important? Maybe start off with explaining what you see that to be.

Sure. Resilience is really the ability to continue delivering goods and services during an adverse situation. You could have a cyber attack. A building could come down. A number of things could happen, but it’s really just, “How do I continue to produce a widget or give banking services?,” whatever the company may do. As for why it’s important, a few reasons. One is regulators are focusing on this area. Both the U.S., the UK, APAC are all really hypersensitive to the concept of operational resilience. The second reason, and it’s probably due to the regulatory advancements here, is that companies are starting to ask their parties about their operational resilience before signing on for their service. Finally, it’s something that firms need to address even without the regulatory obligations. Are you vulnerable to a cyber attack? If yes, then you go down, you could do harm to your customers, you could also do harm to your business, at some point irreparable harm. So, various reasons to address resilience. I think most people have just started to address it because of the regulatory expectations, but we’re starting to see a lot of third-party providers saying, “Why are my customers asking such hard questions of me?” They don’t have the answers, and the customers are demanding better uptime, better guarantees, and better information in their SLAs.

Thanks, Doug. Andy, turning to you, what do you see as some of the common myths in this field of operational resilience?

Another good question, Kevin. Doug, myself, and our broader Protiviti team spend a lot of time educating companies on the topic of operational resilience and how they need to better protect the systems and processes they have in the face of these extreme but possible scenarios, extreme but plausible events, and how you recover from them if you do experience them. One of the things that we hear a lot is, “Look, I think we’re already doing this. We’ve got things like business continuity and disaster recovery in place. We have incident response plans and a heavy focus on cyber security. Aren’t we already doing this?” We hear that a lot, and the answer is, you kind of are. At least most companies have the building blocks in place that are critical to building resilient services. Disaster recovery and cyber and all those things need to be in place. The distinction that we’re drawing here is not just at the discreet server or system level, or even at a business process level. Operational resilience takes a broader lens and says, “Here are the services that we’re providing to our customers, providing externally, and here’s how we’re going to build resilience and recover in the face of those extreme but plausible events.” That’s a very common question that we get and something that we spend a lot of time talking about in terms of operational resilience as an evolution of a number of things that already happen today.

Doug, building off of Andy’s rundown there, he mentioned there’s a broad lens that organisations have to take with regard to operational resilience. With everything they’re looking at in this realm right now, what do you see as the biggest challenge or some of the biggest challenges facing organisations and your clients right now?

I think that really wrapping your head around what it means to your individual firm and coming to terms with the fact that this is something that we’re going to have to do. Invariably, firms are going to have to spend a lot of money, put up a new organisation within their institution, a resilience office. There’s going to be governance out of that. There’s going to be some obtrusive things like process mapping that they’re inevitably going to have to do. The hardest part is just acceptance. This is a new reality much like Dodd-Frank or CCAR before it. We have to get it done, let’s just make this as painless as possible. The other myth that rolls into that is, people think they already do this. A lot of places do parts of it. As Andy mentioned, BC and DR, they don’t do it in a way that resilience is asking them to do it. So, it’s sort of a big change to tell people, “You’re doing this today. You’re not doing it wrong but you have to still change it anyway.” The change component is just a really, really big deal.

Andy, I’m guessing my next question is related to Doug’s explanation there which was pretty thorough. When you’re talking to companies, what’s the one question you’re asked about most often, the kind of question among companies that are interested in operational resilience, and how do you answer that?

Of course. The one question that we almost always get asked in these discussions is, “What are others doing?” How are other clients approaching the topic of operational resilience, and how far along the path are they to addressing the topic in a thoughtful way? That certainly varies. We have seen some companies that are a bit ahead of the curve and now have robust resilience programmes in place with thoughtful governance and resilience built into their services. They have the ability to test it and demonstrate that resilience over time, but they’re outliers at this point. We’ve seen a significant trend in the last just 12 months actually in firms starting to stand up and think through how over the next two or three years they’re going to tackle the topic of resilience in an enterprise manner.

Doug, let me ask you this, big picture. With respect to operational resilience and everything that’s going on with it, inquiries and even through the regulatory side worldwide, what are you most curious about right now?

Well, sort of curious about a lot of things. Mostly it’s where the regulators will reside and if they will come to a single solution on what resilience means or they’re each going to have their individual mandates. Delving a little further there, there’s a concept of impact tolerance where the regulators came out and said, “We’d like to understand what your impact tolerance is without defining it specifically.” Depending on how they come out, we believe impact tolerance is the amount of time an organisation can be down before it’s irreparably harmed. I’d like to see where the regulators come on that because if they change in advance our belief of what they’re going to say, it could mean a lot more work for organisations.

Hear, hear. Doug’s not alone in the curiosity around the pending regulations. I think many of us are in that same boat right now.

Let me ask you one final question here as we wrap things up. Andy, I’ll ask you to respond first but Doug, you can chime into this. Concerning these issues around operational resilience and what organisations are doing, what would you say is the most important step or the first step an organisation should take to start addressing them?

Sure, Kevin. I think in order to build resilience into the business services that you provide, and furthermore, test it and all those things, you need to have a clear understanding of what those services are and what the critical path of processes, systems and third parties are for that service. It sounds like a straightforward question, but it’s much harder to answer in many enterprises where you’ve got hundreds or thousands of business processes and the same amount of systems and you’ve got key third parties that are playing a role. In order to really build resilience, you need to have a clear understanding of what makes up a business service. That critical path - we sometimes call it front-to-back mapping of those services - is kind of a key foundational component of building resilience into it. So, I think if you’re just getting started along the path to resilience, that is one place that time should be spent.

Yes, I agree with Andy from a functional point of view 100%. I think from a change point of view, acceptance that this is a new normal and acceptance that you want to get ahead of regulators, and the regulators have come out and said that. This regulation is in flux. We don’t know what the final requirements will look like but you have a pretty good idea, but the regulators have been saying, “Don’t wait for us to come in. Get ahead of us,” and they’ve been pretty consistent with their message. Accepting that fact and doing what you have to do to get ahead before they walk in is probably key.

Well, again, Doug, Andy, thanks very much for talking with me today. Great insights into this area of operational resilience, and obviously, many more changes and developments to come. Again, please visit protiviti.com/security for more information about Protiviti’s security offerings, deeper looks into operational resilience, and other areas around cyber security, data, privacy, and more.