On the unique nature of his company’s work:
“I’m one of three founders for the company, and all three of us came from the insurance/reinsurance industry. Between us, we’ve held C-level positions including chairman of the board for a public insurance company, CEO, COO, and general counsel, so obviously we work well together in terms of identifying risk. We work with public and private companies, as well as K-12 schools and universities to help them overcome damaging events and moments of crisis, as we did at Virginia Tech more than eight years ago, to name but one example. We help deal with anything that could be a disruption to a business, so when I pick up the phone, I never know who’s going to be on the other end of it.”
On his company’s approach to managing crises:
“A crisis isn’t business as usual—it’s business as unusual. That is why we have a predict, plan, and perform methodology. We predict vulnerabilities and look at their potential impacts, how we can monitor them, and the triggers that would activate a plan. The planning phase involves business continuity and crisis management, which might include preparing for communicable diseases, pandemics, workplace violence, and cyber security breaches. The perform portion of our methodology includes the training, exercises, and testing of plans. We even create predictive intelligence networks so an event’s effect can be monitored and understood to better identify brand and reputational issues. What is unique is that our plans are based upon crisis experience.”
On why a cyber breach is a business issue, not an IT issue:
“The FBI says there are two types of companies: those that have been breached and know it, and those that have been breached and don’t know it. The average amount of time before a cyber breach is discovered is 120 days, so imagine the damage that can be done. An IT team can build a higher ‘wall’ or plug a hole, but we’re seeing an overreliance on a strategy that focuses on keeping the bad guys out. There is very little in most companies’ plans that detail what to do once they are inside. We’re in an environment in which you have to expect that it is going to occur because it’s happening already, and the effects on a company’s overall business can be disastrous.”
On the true cost of a breach:
“The Home Depot data breach is a great example to use in terms of demonstrating how expensive things can get. The postage alone that was needed to notify the potential victims totaled $23 million. When you see that kind of expense, you begin to understand the magnitude of loss. When your management says, ‘We’re ready,’ you better be certain. An independent review and test is the best way to know for sure.”