Um, actually, with news just breaking today that the hacking gang Clop is demanding ransom payments from corporations such as the BBC, Boots, British Airways and several others, unfortunately or fortunately for us this topic is probably more timely than ever. They're all purportedly victims of the MOVEit hacks, so this discussion really couldn't be any more timely. Cyber security and cyber resilience are also both areas of investment in the School's research strategy, as digital technologies are becoming all-pervasive, but also as geopolitical tensions are moving ever more powerful actors, including nation states, into the arena of cyber crime. Both vulnerabilities and threats grow in tandem, and therefore understanding how organizations can prepare for the event and the consequences of a cyber attack is of great organizational but even macroeconomic importance. So in this context I'm particularly proud of our research collaboration between Saïd Business School and Istari, who we're going to introduce in greater detail in a moment. It demonstrates that excellent research can be directly relevant in the world of practice and is testament to our ethos of doing great research in collaboration with corporate partners. And particularly I'm pleased that the work that Manuel actually originally started while being a doctoral student here at the School now continues to flourish in this way, in his new role as Head of Knowledge and Insights at Istari. It's my pleasure to co-host this panel with him tonight, and that of course brings me to the particular delight and great thanks of tonight: I'm very grateful to welcome tonight's distinguished panelists, who have volunteered their time to share their unique insights with us. To my far right, it's my great pleasure to welcome Rashmi Chatterjee. She is the CEO of Istari, which is a global cyber security investment and advisory firm set up by the Singapore state investment company Temasek. At 20 billion dollars of investments in cyber security, that makes it the largest pure-play investor in cyber security, and its advisory business helps clients build cyber resilience. Rashmi is actually wearing two hats tonight, or three: she is also a co-author of the report, but she's also a member of many boards, including Allianz, where she chairs the technology committee. I'm going to introduce Bob, and the reason why Manuel and I are cuddling on this red sofa tonight is that we will be co-moderating tonight's panel. So allow me to introduce Bob. Bob Dudley is the former CEO of BP, that all of us are familiar with. He's had a very distinguished career at BP; he was working there for more than 40 years and was the CEO between 2010 and 2020. He also sits on many, and I probably can't count them, boards of directors, including large companies. The reason why he's a great person to join the panel tonight is because he has extensive experience dealing with crises, but also he is the chairman of a company called Axio, which provides cyber security quantification services, because he's realized that cyber security needs to be quantified in financial terms, but we'll get to that later on. So thank you for being here. Next to Bob, it's Robert Hannigan, the former director of GCHQ, which is the UK's largest intelligence and security agency. In that role he led the creation of the UK's National Cyber Security Centre and oversaw the UK's pioneering Active Cyber Defence programme. During his 20 years of public service, Robert was the Prime Minister's security advisor and created the UK's first cyber security strategy. Who would be better placed to talk to us tonight about the broader macroeconomic and geopolitical implications of cyber security as well? Currently Robert serves as the chairman of BlueVoyant International, which helps companies build cyber resilience inside and outside their company networks. Welcome, Robert. And finally, allow me to introduce Eleanor. Eleanor Murray is the Associate Dean for Executive Education here at the School. Her research interests align very closely with my research interests, in that she's interested in the resilience of organizations, and her research has been quoted extensively in practitioner journals and in news media. I'm very glad that she brings the perspective of resilience to tonight's panel, so thank you for being here as well.

Right, now, as one of the co-authors of the report, Rashmi, if I may come to you first: you have so much experience in the field of cyber security and cyber resilience. What motivated this report in particular? And for you, given all the experience you bring, what were the kind of standout insights, or potentially even surprises, to someone as seasoned in the field as you?

So first of all, delighted to be here, and I'm very happy to be together with friends and collaborators. You know, for a long time cyber security was seen as a cost centre. I would often hear people say things like it's the brake on digital transformation. At Istari, right from day one, we always believed it is a business imperative. You cannot be a responsible leader and drive digital transformation without ensuring a very solid foundation, and that foundation eventually has to be integrated into your business management, into risk. We're just shifting from a physical world to a digital world, and with that comes some changes in how you lead. So we had always started with this belief that cyber security should be a CEO imperative, and, you know, Manuel and I spent some time to say, okay, what does that mean? We found lots of reports which highlighted what the industry, the vendors, feel CEOs should do to become more resilient, but there was nothing that showed how CEOs feel about it. Do they think it's important? We've run a few CEO events and, you know, there's always demands on time, right? So how do they feel about it? And we thought, what better way to figure out than to actually do the primary research ourselves and understand how CEOs feel. And it was very interesting, because we spoke to
37 CEOs across the world, all three geographies, and very large companies, you know, one of the top three banks in the world, down to smaller companies. And in all cases it was interesting, because when you first tell the CEO that you want to have an hour-long discussion with them about cyber security, there is discomfort. You know, it's "I have a great CISO", "No, but we really want to talk to you", "But can I have my CISO in the room?" And we assured them that it won't be a technology discussion; we just want to understand how they approach cyber resilience. So yeah, that was why we set out: because we believe it's a business imperative, we believe it's led from the top, we actually very strongly believe it's not just about technology and processes, it's about much more, it's about organizational resilience. And the research set out to get more into the mind of the CEO and how they think about it. You know, I don't want to go into the full research, but the first thing that we discovered is almost all of them think cyber security is one of the top three concerns. So it is very, very present. What's happened today is what most CEOs worry about before they go to bed. And then of course through the process of the research we learned more and published what we thought were some directions, some guidance for the CEOs.

What were, for you, kind of the standout insights that the CEOs offered? Because I understand it was not just about the technology, but the human aspects, how they felt about the crisis that they encountered.

Yeah, so from a problem statement perspective, as we spoke to the CEOs, pretty consistently a few things came out. The first is, when you shift the conversation from cyber security to cyber resilience, they understand it. Actually, almost every interview that we started, we would ask about resilience, not cyber, and these are CEOs who all come off a generational crisis with the pandemic, so the word resilience meant a lot to them. They could talk about it, how they had led through this complete change in the world, and then when you link it to cyber resilience, that becomes much more of something they see as their ownership, something that they're accountable for: the fact that if there's a crisis, they will lead the face of the crisis recovery. So that was the first insight, that cyber resilience resonates much better than cyber security. The second insight is: so what? And what we found is that most of the CEOs think of themselves as the generals, right? The buck stops at me, I will lead a team out of this crisis. Many of them had lived through the crisis and had led their businesses out of the crisis brilliantly, but what did that mean before the crisis? What could they have done differently? There were some of the things that the research points out, you know, small things like: are you accountable, are you co-responsible? Because there is a difference. Co-responsibility means spending quite a lot of time understanding your risk landscape, being a leader in defining your risk appetite, prioritizing your risk, being prepared, things like that. And that also implied a shift from blind trust. They all trusted their CISOs a lot; I think that was something very good. They'd spent a lot of time recruiting and hiring great people who were their CISOs, and there was a lot of trust, and I think in almost all the conversations it was clear they supported the CISO budgets, etc. Time was not a problem. But how do you move from blind trust to informed trust, right? How do you understand the CISO's challenges in an increasing threat world, increasing digital landscape? How do you help them? So I think the second thing that came out was that there's got to be a change in mindset. And I think the third big insight was that the current frameworks don't help CEOs become more resilient too well. The current frameworks, which define NIST and sort of orange, red, green, don't have the CEO understand what's most important to my business. And, you know, does it really help him understand: am I spending time and money on the right things? Am I spending enough time and money on what I should be? So the frameworks that they were working with were more of a checkbox, versus something that really guided them to do more.

So, Bob, let me turn to you. I saw that you were nodding while Rashmi was speaking, so I'm glad we weren't too far off with the research that we did. Now, you've been a CEO, you've had that seat for 10 years. Cyber, I think, was on your agenda at the time, but as a CEO you have to manage all of these different priorities. I can't speak from experience, I can speak from observation. But then all of a sudden there's a crisis, and you've been through many crises. And some of the CEOs that we interviewed, nine of them, had actually suffered from a devastating attack, and it was quite telling to listen to the emotional stories, because it was something very deep and very personal to them. Now, the crises that you've been through while you were at BP, what lessons emerged from that? Are there any lessons on crisis management, crisis preparedness, that might be relevant for CEOs to prepare for a cyber attack that's devastating and potentially life-threatening to the company?

Well, thank you, and thank you very much for being here today, and everyone being here. I was probably a little bit different. You know, for a while BP became known as "big problems", because we did have lots of crises; it seems like every month. But my first experience with cyber came in a different way, in that I was running a joint venture of 115,000 people in Russia for six, seven, eight years, and so my view of cyber, data security, communications and everything was... I came back into BP from that whole experience thinking we have no idea how it really is happening out there. And so I brought that in, and in
fact you and I met one time about it. So I was always someone who thought cyber was a threat, resilience was a thread, but that what we needed to do was drill over and over and over the management team on many kinds of crises. And so we put together pretty sophisticated crisis rooms, not only in Houston and London and Sunbury and different parts of the world, but we used those rooms; we didn't use them for anything other than dealing with crisis. And they had the technology there, made sure we had the right people, but we drilled through it. We worked through the governance of it, so that it's clear who's doing it: is it the management doing it, is it the board of directors stepping in, who's doing what and when? Because you can trip over each other, all trying to help. So we had various layers of it, and through that drilling we found scenarios, things we never thought about could happen. Of course we had real crises. We had, you know, terrorism in Algeria that killed 150 people, and of course the Gulf of Mexico was a never-ending crisis; it seemed like that went on for months and months and months. But we did things like, on the cyber side, early on, understanding, you know, what's the data? People are coming into our retail shops and buying petrol and food; you have a lot of data on that, and what happens and what can happen if you lose that data through some, you know, data breach. And of course it's very, very expensive, and we just never thought about those sorts of things. We drilled the response, the communications, because communications is everything, as your report says, Rashmi. You communicate within your organization, you communicate with government to tell them what's happening, you have investor relations, and you have, you know, customers out there, and you really have to think that through, because that just comes at you so fast. And then I visited someone and I said, what could go wrong with this refinery? It's the largest, second largest, refinery in North America, outside of Chicago, and I said, how can somebody get into the control rooms? And so we hired a company, we hired Accenture actually, and they went in, and within two weeks they were able to take control of the control room of that refinery and make it look like everything was just fine. So they could have pushed buttons, they could have blown things up, and it was all due to really just the loose three or four engineers that were doing their remote access into this giant refinery. Now, I didn't sleep after that for a long time, and so we put a task force together. It went around the world and retooled every single one of our assets because of those things that can happen. So these things can be real. We had our emails brought down by Iran at the time that they went after Aramco. I spent a lot of time with Aramco in their cyber, and if you can get these companies to go through their lessons, it's amazing. And there's one that's quite common now, that's the Maersk one. If you ever understand the Maersk shipping one, I mean, they ran that company with faxes and pencils for months. I mean, the things that you have to do, improvise around crises; you'll never get it right. You know, these things will just happen, and then you've got to keep everybody calm. I mean, I was in one crisis and I could just see the management team spinning up, and you've actually got to be calm, systematic, what you do, get the right people involved, including government sometimes. So those are just a few things I learned in my dealing with crises, if that's helpful.

I think it is very helpful. Let me just respond to that. I think something that you said, Rashmi, about cyber not being all about technology, I think that reinforces the point, right? The drilling. And there's a lot that companies can do to prepare for something like that that doesn't relate to technology. Yes, cyber is always, and always will be, a technology conversation, but there's a lot of things that CEOs and management teams and boards can do to help prepare the organization for something like that, which also speaks to the broader notion of resilience. So thank you.

What you've said here is: get your management team to really drill, because there's always one or two saying, oh, this will never happen. Well, they don't take it seriously, they haven't been part of the drill. I mean, you'll see all kinds of personalities.

And as a side note, it would have taken Istari only a week to get into the refinery, joking aside. But I want to pick up on some aspects of what you said. You started your explanation thinking about the joint venture you were running, talking about remote access, which really starts to challenge the notion of the boundary of an organization when we talk about cyber resilience. And I think especially when we think about cyber security, we still have these very kind of old-school ideas of patrolling the organizational perimeter. Now, Robert, if I may ask: why do CEOs seem to struggle with the idea that cyber resilience is being built throughout the supply chain, through third-party risk? How do we effect this mindset shift, that it is not just around the organization but much, much wider?

Well, thank you for inviting me, and thank you for laying on such a brilliant example of a supply chain attack this week, actually, as you mentioned earlier, the Clop statement this morning. I think it is a brilliant example because it illustrates that the attackers, whether they're nation states or criminal, don't give up when they find a well-protected company. They go for the soft entrance, and that's usually the supply chain. So most companies have experienced a supply chain attack in the last year, and once you're in there, you've got this fantastic choice of targets: big companies like BA and BBC and others. So it is a great example. To answer
your question, though, why do CEOs find it tough? Well, I think it goes back to the excellent report Rashmi mentioned, the understanding of CEOs. It's really tough to get visibility of your supply chain. You know, the average small company in this country and European countries has a thousand-plus vendors; some I've dealt with have ten thousand plus. So the scale is a problem. Understanding the dependencies, which is more a business issue actually than a cyber one: you know, when you try to tier your suppliers, even if you map the supply chain, you've got your ten thousand, trying to decide which are the critical ones for you is quite difficult. And typically you do it by spend; you say, here are the 10 biggest-spend suppliers, but they're not necessarily where the cyber risk comes in. So who would have heard of the small software company in Ukraine that was the cause of the NotPetya incident that took down Maersk? Nobody had ever heard of this company. Probably nobody's heard of the payroll provider for BBC and BA and others. So working out those business dependencies and criticalities is really, really difficult. I think the other problem of understanding is that cyber is a very dynamic threat. So your networks are changing, the attackers are changing, the attackers are looking from the outside all the time for weaknesses, for vulnerabilities to exploit. They're doing that 24 hours a day, and you need to do that as a company. And I think you're absolutely right that we've come from an era where we thought about the perimeter of our company and our networks, and we thought if we defended that really well it was sorted. But things have moved on, and I think CEOs do get frustrated that, you know, I've spent all this money protecting my networks and now you're telling me that it's the ecosystem, and it's all the companies who are either embedded in my networks or connected to them or are processing my data outside the networks that are the problem. And unfortunately they are. So the perimeter has melted away, risk has got a lot more complicated, and the only answer, regulators are on to this, governments are on to this, is to start monitoring the supply chain and doing it continuously, and prioritizing risk and then doing something about it. So I mean, I think the key and final point is you can reduce risk in the supply chain. Just admiring it and quantifying it isn't enough; you can actually drive it down. You won't get to zero, but you'll get to, yeah, maybe 10 percent.

And now let me turn to you, Eleanor. Now, you've done extensive research on resilience, and we've talked a little bit about risk, a little bit about resilience. What was interesting is the title of the research is the CEO Report on Cyber Resilience; it's not the CEO Report on Cyber Security. And the reason for that is because a lot of the CEOs who had been through an attack realized that what matters is the resilience of the business, from a couple of different perspectives: reputation, operationally, financially. Now, from all of the research that you've done, why do CEOs and boards care so much about resilience, and how could they think about building it in their enterprises?

Yes, I think resilience is a really strategic issue. It's not a technical issue; as the panel members have all alluded to, it is strategic. And in my research I've looked at sort of four key areas where resilience is really pertinent, and they're all sort of core areas of the business: it's performance, strategy, risk and recovery. And one of the key elements of this is that resilience is always about paradox, to an extent, because on the one hand you're trying to create reliability in your business. You want robust processes and you want to ensure there's no sort of technical loopholes. But on the other hand, I think as Robert's alluding to, you know, it's all about it being dynamic and having adaptability, because things keep changing the whole time. We know that, you know, there's huge opportunities for crisis in the current geopolitical situation, and so businesses have to be able to adapt very quickly and be responsive to a dynamic situation. So CEOs and boards are really trying to hold those two elements, which are sort of potentially paradoxical, of reliability and adaptability, at the same time. And I think that's the key sort of learning that's crucial to board function.

And I think just to pull out that adaptability point: when Bob and I walked down earlier today, he said, actually, this panel made me reflect a little bit about all of these crises that I've been through, and made me realize that, well, actually, you can't fully prepare for them. There's always something that you haven't thought about or that you just can't anticipate, however hard you try. So how do companies and management teams, Eleanor, how do they shape and drive that ability to adapt to new things in their environment? What can they do?

Yes, I think it's being future-facing and being really alert to weak signals that are coming towards them. So weak signals are sort of those early trends, early patterns, that potentially show an issue might be emerging. And I think it's very easy for boards and CEOs to get very bogged down in the here and now and be sort of responsive and reactive to all the issues that they're trying to deal with, but it's about building in that prospective ability to look ahead and actually have some time to think prospectively. I think in agile methodology you're always encouraged to do retrospectives, but I argue in resilience terms it's important to do prospectives, and find ways to build into the way the business functions a way of looking forward and anticipating those early weak signals.

So CEOs are expected to monitor all these future-facing weak signals, and, as they understand, Robert, they have to do so across the entire supply chain, the entire supply network. That's a lot. And I recall one of the CEOs in one of
the interviews really said, like, I should have an unlimited budget for cyber resilience. Now, I see from your reactions that that might be optimistic to be signed off. But Bob, if I may tap into your experience, and also your role at Axio at the moment: how can CEOs get a sense of when they're doing enough? How do they quantify how much is actually a realistic investment in cyber resilience, short of asking for an unlimited budget in that field, given all of the complexities we've just heard about?

Well, for years I would see it at the board twice a year, maybe twice a year we'd do a cyber review, and it would be green, amber and red under these categories. And I used to think, well, okay, do we have too many reds? Does the green make me feel good? I don't know. And so that's when I got involved with and learned about Axio, which does a cyber risk quantification calculation. They look at your critical assets and they go through and monitor your company and they say, okay, if these things go wrong, this could be the financial impact for your company. And there are some other companies that are doing that as well. And now insurance companies, and I know at least three or four insurance companies, and one South American oil company who's used this Axio method, and has reduced the insurance premiums now, because they begin to think, aha, this company actually understands what its risk could be. So you're seeing these sort of new tools that are coming out and they're changing ways. It's hard to get cyber insurance now as well, so some of these risk quantification tools are going to be really important going forward. But when you go through and you look at your critical assets, of what could go wrong, in that refinery I gave you an example of, which could have been a multi-billion dollar issue, I mean, that puts it in perspective of where you should be putting some of your money, and risk, and applying the risk to it, and then retooling those kinds of things that are quite vulnerable, that you may not even realize you have. And yes, it can be expensive, and your board says, okay, well, you can only have 80 percent of that, you know, when you go through that debate. But it should be part of your... I think it needs to be part of the capital allocation programme of big industrial companies.

And if I may quickly follow up, on the interaction with boards. We've learned also through the report that there is a certain level of discomfort amongst CEOs considering cyber security; people feel a little bit out of their depth. But I still found the most striking figure was that, I think, 72 percent of the CEOs in the study did not feel comfortable making decisions in the area of cyber. What is the importance of risk quantification, insurance premium changes, things like that, to actually also educate boards about the importance of cyber resilience and justifying investments like that?

Well, I'm seeing and hearing more about the criteria that boards are looking for for members to join their boards now, with some cyber background experience. So you can see that coming into the board selection processes now. I'm not necessarily a believer that you bring in somebody who's on the board as a cyber expert and then they're the cyber expert; I mean, you need a lot more than that. But I think boards are becoming more liable for lots of things, financial risk and cyber risk. I think you've told me about some examples, cyber risk, where companies have actually been fined, or the person has had to... Actually, in the U.S. there's been the first case where the person has got jail time for the cyber breach.

So, you know, just on Bob's point, I think the risk of the cyber threat will keep growing. The geopolitics, you know, the sophistication of attackers, that will keep driving an increased cyber threat. The more boards can understand that threat in the context of risk, the easier it is, we make it for them to make the right decisions, right? If you keep throwing the threat at them, it's hard to react. Sure, as you said, unlimited money would help, but resources unfortunately are limited, so converting it to risk is very helpful to the board.

We're keen to hear more from you on your experience on boards in a second. I just quickly wanted to invite both the audience here in the room but also the audience online to join the conversation in a few minutes during our Q&A, so please feel free to submit questions through the QR code or the Mentimeter link that's shown on the slide, and we look forward to you joining the conversation in a few minutes' time. Yeah, I can also see there's a few questions that are coming in from the online group, so we'll pick those up in a second.

But Rashmi, I want to follow up on some of those board conversations. Now, Bob, you sit on many boards; Rashmi, you sit on many boards, but you've joined the board of Allianz, which is one of Germany's largest companies. They do a lot on cyber. You've joined that board not only because you're familiar with technology and you have that deep knowledge and expertise in cyber, but because of all of the other qualities and leadership qualities and the experience that you've gained. But from joining this board, and all of the other boards that you sit on, what's your experience? How do boards interact with cyber security risk? And the small anecdote that I can share, I think it's okay to share, to kind of broach this topic a little bit, was: we held a Chair and CEO Forum in Zurich last year, and after that Chair and CEO Forum one of the chairs approached us and said, I look around, and I sit on quite a lot of boards, and we don't have a clue about cyber, and we don't know what to do about it. Is there anything that you guys can do to help us? So hearing from you firsthand, how boards deal with it, what are the challenges that they face, what are the challenges that you face as
a board member who's knowledgeable about this stuff when you go into these boards?

Yeah, I think, you know, on all the boards, I think, true, first and foremost, cyber security and cyber resilience is very important. There is nobody who says, you know, this is low priority in their work. So when you say something is important, how do you address it? You could say things like every board meeting will have a topic, or we can look at our frameworks, etc. But I think that unless you integrate it with risk, it's very hard to do anything about it. That's what I meant, taking off, you know, extending on Bob's point. Boards are very familiar with governance, they're very familiar with compliance, they're very familiar with risk. In a board, often the first committee that's set up is the audit and risk committee. So the closer you get to integrating cyber resilience and cyber risk into enterprise risk, the more you simplify the board's ability to support. You know, as long as it is this separate thing, as part of technology, that alone, I don't think it makes it easier for the boards. And then when you get it closer through risk, through the risk dialogue, now boards are comfortable with that. They understand there's threat, they understand there's impact, they understand that they have to make that assessment of what is the threat, what could be the impact, what's more important. Yeah, then the last point I would make is, how do you move that conversation, how do you extend it beyond the technology to other factors that can cause tremendous risk, like organization? You know, you can have a large organization that spends billions on cyber security, and the organization structure could be confused when you're in crisis mode. The two things that matter most are the chain of command and hence speed of response. So if your chain of command at that point is not very clear, you've just given the attackers a lot of leverage. So, you know, organization matters, attrition, are you losing talent in that space, ecosystem is everything. I mean, Robert talked about the third party, you know, how is their risk assessment, fourth-party risk. And the most important thing then, which we will start to talk about in the future, we're still trying to figure it out, is product security. When you get a product into your environment, when you get a product into your house, how do you know this is secure? I think today there's some news, right, about the UK changing cameras in restricted spaces. So we're just at the beginning of the journey, there's a long way to go, and I do think that being able to converse about cyber resilience in the context of a new world, where threat will keep increasing, digital footprint will keep increasing, and then you understand what the risk is, that is what will help the most.

Hmm. Now, obviously, as we talk about this new world and increasing threat levels, we have to discuss the recent geopolitical shifts and rifts, and if I may tap into your experience also from GCHQ, Robert, if I may. When war broke out in Ukraine, tensions are rising possibly between China and the US, and in our report many CEOs gave a call to their CISO, and this is like, what do we do with this? What new risks are emerging? What would be your advice? What is this new world of increasing risks like, and what are potentially the risks that you think might still be flying under the radar of some CEOs?

So I think there are some really interesting lessons coming out of the war in Ukraine on cyber and cyber resilience, which you refer to in the report actually, particularly around the use of cloud. And I think that's changing the boardroom conversation around cloud. I remember five years ago, if you said to a CEO, you know, you should move to cloud, there would be a deep intake of breath, and not just for financial reasons but because of security and operational effectiveness. That completely changed, partly for business reasons but partly because, as Ukraine shows, you get fantastic resilience out of cloud, and cloud security has got so much better, Microsoft particularly, but the others are catching up. So there are some important lessons that really relate well to the Istari report. But what should a CEO do? Well, I thought it was interesting at the start of the war, CISA in the U.S. and NCSC here, and Eastern Europe, but actually most countries, put out guidance, which they called Shields Up in the US, but essentially it was: get the basics right. Because the truth is, we know how ransomware is delivered, for example. It's basically four vectors of IT, what we call IT hygiene, so RDP particularly. So we know that. So if we can get those right, and they are not difficult, and you can see from the outside where there's a problem, get your IT hygiene right, you've massively reduced the risk. And the danger I think for CEOs and for boards is that they get distracted by the hype about the war, if you like, and they start thinking about incredibly sophisticated nation-state threats. And of course they are sophisticated, but the delivery of them tends to be through the same old things we've been talking about for years: so IT hygiene, failure to do proper authentication, multi-factor authentication, these sorts of things, which lots of companies, particularly in the supply chain, are still not doing. And if you look at most of the attacks, that's how they're happening. And if you could get the basics right, or put shields up, as they put it, that's what CEOs should be doing, as well as revisiting their plans, revisiting their resilience and recovery plans. It's a good time to do it. And the drills that Bob mentioned, those are the things that CEOs should focus on as a result of a conflict like this, rather than getting carried away by some of the cyber hype that you read about. There's a lot of challenges that come out of that geopolitical space, cyber, and I think this is something that's been
talked about a lot cyber it can't be looked at just from one single perspective it has ramifications into geopolitics and when the war broke out I think there was a lot of these calls what are we supposed to do and the answer is you see might not be something completely new but actually just get the things right that you should have been doing anyway in other words and and I think because cyber is such a pervasive topic it is one of those areas that leads to discomfort um in Business Leaders and this is you mentioned the statistic before 72 percent of CEOs feel uncomfortable making decisions in the area of cyber security Now Ellen I want to turn to you as the associate Dean for Executive Education does that level of discomfort pose an opportunity for universities for industry for research and for Executive Education exactly I mean at the moment a lot of the research is very technically focused as we've discussed it's much more than a technical issue we need to really understand the broader impact for boards for businesses particularly thinking about the organizational impacts so that's one key issue um into that we are understandably seeing a need in terms of education for boards and I know we're jointly working with histari and ourselves with a board offering to explore how boards can have that sort of broader business focus on cyber security and cyber resilience yeah that's fantastic so I I was actually monitoring a little bit those motions that are coming in and we have about 15 minutes left I think we've got more questions than we can actually uh get to but uh you've been able to go through them a little bit why don't we it was just a a very quick pick up Robert on your comment around cloud computing and and the extension so as many companies are still transitioning to Cloud software as a service solutions we're still seeing tools adopt how do you see AI impacting the understanding and the engagement of CEO decisions in that space yeah it's a great question I 
think uh there's an awful lot of hype around Ai and people mean very different things from Ai and clearly for attackers we're already seeing through um through products that are already out there uh the ability to do existing fraud at scale so to do websites at scale to do domain look-alikes at scale all the things phishing emails at scale and to do them better so there's a very obvious quick use and we're also seeing I think the use of AI to do coding really at scale and well which can be can be misused but in a sense that's just scaling up what already happens and good cyber security companies and good companies all to be able to see that off I think long term we're still in the early stages of understanding uh what what AI will be able to do for defense there are clearly some customer facing stuff that most of us are looking at you know how can you how can you improve sock performance with with AI but the truth is we're not quite there yet and I think even Microsoft who are probably furthest ahead on this and they've got a new product called co-pilot which is AI driven to help help security teams um there's some way to go before we really understand what AI can do for defense we can see what it's beginning to do for offense but I I think there's there's some way to go here so uh this is actually a quick question uh for you Bob from the room uh you kind of left the name suck Paul do you maybe want to yeah there you are do we have a microphone maybe so you can you can ask the question yourself um this is uh for you Bob so be prepared [Music] where are you from thank you [Music] I work for kodalski security um question Bob and really appreciate your insights that you shared on the crisis aspect um what are your views given where where you started out in 2010 and I guess left BP in 2020 but are still involved in industry of the Seesaw reporting directly to the CEO versus the CIO because it as we in my role I've done um boardroom simulations where we've basically 
simulated a ransomware attack and often it's because the Seesaw is trying to convince his peers stakeholders and the board on coming on board with understanding the risk the appetite so when you start to simulate failure of a site where production facilities are going on that's when the CFO is like well this is actually costing me x per hour Etc so you get a bit more Focus but it's a constant battle we see so what are your thoughts on that I'm working with three companies and they all do it three different ways and I would not say that any of them are wrong it gets down to the expertise and the personalities involved and how the team works together I do see a lot of cyber being pushed down and you made me feel a little bit better about it Rashmi but a lot of it is being pushed down now into the audit committees not the technology but the audit so audit tied with risk I get a little nervous if we don't talk about it at the board but sometimes it's pushed down into the audit committee he's very thorough but I I think expertise personality and a management team how it works is probably the the better answer and understanding your risk than a a formula and a single way of doing it and that's probably confusing answer but um you gotta you've got to have a team that doesn't compete with each other I mean and it's the I.T you know it's the whole thing the I.T and the even the Big Data experts and you know you I've seen that having to sort that out in the in in organizations you need to do that but if you get a team that high performing team that works together there's no there's no one single answer I think there's an interesting question on online which I would like to to post to rajmi which is I think is an intriguing flip on the theme of the report we focus on on how CEOs need to change to enable cyber resilience but here's the question how does the role of the Seesaw actually need to adapt to better enable the CEO yeah very important as well it's not one-sided at all 
and this is actually one of the reasons why at istari we set up a strategic leadership development program just for csos because many csos today often come from strong technology backgrounds and the Gap often is in the actually in business language and again the conversion of priorities right you you create a lot of Technology input it's hard to consume you know to your question we've written a perspective at a study if you have time you should read it but it's interesting every organization is different I agree with uh Bob organization Dynamics have to work well so there's no single answer but often or many times the CIO is tasked with digital transformation Workforce productivity and can see cyber as the impediment to achieving those goals so it really depends on the CIO CTO CEO whatever you know maturity of the organization but the the fact that the CSU should always report to the CIO is I don't think any more valid and especially in Industries where we are seeing that the cyber security is about much more than I.T right uh medical devices production systems these are going to become a big part of entry point for cyber attackers so you want to make sure that the Seesaw has line of sight to everything but I would say the simplest answer you know is language big believer in business Language by the way maybe two decades back the CIO was the I.T person right until digital transformation changed the world until you had suddenly a whole breed of CEOs who were technologists and you know and the CEO got very comfortable with talking about digital transformation agile thinking design you know the the fundamentals of um technology became became very core to a CEO role so I think that's sort of where the CSO role is today it has to go from the the protector and and we kind of say the three types of csos you know one who really spend much of their time on managing the landscape sort of vendors procurement the others who are compliance driven and then the third which is the 
Strategic who is really the ciso who is the guide to the CEO on how can they always have a strategic advantage in the face of cyber threat so you know as the role evolves it's language its understanding of risk reporting matters because that gives you visibility to um to what else is going on in the in in the organization so there's another question in the room from Claire Matthews I don't know if you uh ah there we go can we get a microphone to her as well and maybe this is something for you Robert uh but everybody please feel free to contribute so thank you so much um I'm Claire Matthews from WMC Global I'm also an Executive MBA student here at Oxford um I'm curious to get your perspectives about how you how you develop resiliency around human vulnerabilities within corporations the company I work for is tied to automated phishing detection and mitigation um so I'm coming at this from from more of the human human vulnerability angle rather than necessarily intrusion detection and academic research and a couple of universities I can think of about the the psychology of this the effectiveness of these products of which there are lots now um and it is a really tough question I think for csos as to whether whether there's a really return on investment but whether a particular product works I mean there's no question that trying to change behavior is a large part of improving resilience I think everybody gets that so changing culture which in the end comes from the CEO downwards I mean I think if the CEO and the board are not are not exhibiting the right behaviors in cyber security they're not taking shortcuts they're not demanding special privileges that they're actually being seen to take this seriously as they would so health and safety of the energy sector and I was always really struck visiting energy companies how seriously they took even in headquarters where there was no real risk the very visibly took health and safety seriously for obvious reasons and I 
think if you could instill the same kind of culture in in cyber security or you're halfway there really but how you do it is I think is I would be interested in colleagues views on how you how you drive down that culture well there's a there's a phrase that I don't like because it really doesn't work very well in Asia but but it it affected three things I had been through once and um if you really want to change the culture quickly of a big company you almost need a near-death experience to do it now it's not a very pleasant thought but I've been involved with three of those and boy you take advantage of that you change the culture and you can really do it quickly rather than incrementally so how you change big companies incrementally in the culture I think is hard I think I see companies that are capable of doing it but it can take a long time [Music] and maybe you have to do that compartmentalize things that just really aren't working in your company and you you just have to change something a product line or something to do it quickly I mean Microsoft did it came from uh you know my computer company into a software company and they're very unusual examples though but but I had the experience of three though that had you know dramatic impacts and if you don't take the advantage of it you you'll miss it and I think we can just broaden the perspective on that question slightly because it resonates with one of the questions being being asked not quite sure whether it's online or in the room and maybe get Eleanor's perspective on the broader question so short of a near-death experience what have you found to be the most successful culture change mechanisms maybe to build resilience more broadly but cyber resilience more specifically if maybe I could come to you first Eleanor about what what drives the kind of culture change to a more resilient culture in an organization yeah of it has roles about demonstrating that commitment at the most senior level to what the 
change you want to achieve and and then really focusing on that there's a very single-minded priority in the organization to I think to get that change in language so that Rashmi is talking about you know to get that the change in language the changing attitude and mindset is so crucial but just really driving it through and I mean I know from having worked in healthcare and tried to change cultures around issues that were causing near-death experiences or actual death experiences unfortunately um it did take time but I think if you can focus on one single issue and really drive it through and make that a major priority like I think health and safety has been in the energy industries that that is one way of approaching and I would add strategy is always at the heart of this and there are other strategy strategic steps to take and they could be mergers Acquisitions they could be other things that you just realize you're going to have to do to really change culture and I know some companies do that sounds better than near-death experience so let me actually pick on one question and that may be something for you Rashmi because I know we've spoken to the IBM cohort earlier today a little bit about that so someone asked in um from the life audience and I didn't leave a name so I'm gonna have to repeat the question here in the same way as we attempted to get into the minds and perspective of the CEOs is it plausible or even possible to get into the minds of the perspective of the attackers into the psyche of the attackers and what would if we were able to do that and I know you have an answer to that and so I'm asking you um how would that help us defend better yeah um firstly absolutely there are organizations around the world who really try to understand the attacker mindset one of the historic companies I obviously think is absolutely fabulous that it is understanding the attacker mindset so you I'll think actually the attack before it happens um yeah I think um you 
know there is always an ethical question around here how how the ethical hack is some how much of it is okay not okay but I do I do think that um we were talking Elena early today at lunch when we talk about cyber resilience and when we talk about the framework in our paper the past Frameworks have sort of sort of focused on identify protect defend Etc we have an area before that which is anticipate we were with a group of csos last February in kids bowl when the Ukraine war broke out and the entire agenda changed because all their CEOs and boards were asking what does this mean for us from a cyber perspective and I think that part of anticipation means you've got to think about what's driving the attackers and therefore where will they come from in the past attackers were driven by you know sense of power a little bit of Mischief look look at the trouble I can cause or financial gains but today you have a very different breed of attackers they are driven by a patriotism nation-state attackers they are the soldiers in a different kind of War their motivations are very different so really spending the time this is exactly why I feel so strongly that this has to be a CEO level LED thinking um anticipation comes okay so as a CEO if you anticipate challenges caused because of nation-state attackers or financial attackers what are the things you would protect most what are the things more most valuable to you and what are you doing to build protection against that it's not an immediate protection of putting in a technology or a tool but the kind of people that you hire you know um yeah so yeah I think unanticipating comes when you try to understand why attackers will want your information why will they want to attack you I feel there might be another research collaboration on the horizon for now however it is time for me to thank the panelists for sharing their insights today for participating and supporting the research that we've conducted many thanks Russia Bob 
Dudley Robert Hannigan Eleanor Murray and Manuel heifer if you would like to read the report if you hadn't had an opportunity yet please find it online you can scan the QR code it will take you straight to the report if you haven't had an opportunity to download it yet if you think conversations such as these are interesting then please join us again in new week's time when my colleague Mike Devereaux will be hosting a conversation about the future of the taxation of global businesses and in the meantime if you are in the room you've warmly invited to join us and meet the panelists over drinks in the uh for you thank you very much again to all the panelists thank you all here in the room and thank you to those of you online for joining us tonight for our future of business this event thank you very much have a good evening [Applause] thank you [Applause]