PwC’s Kevin Campbell On Why Cybersecurity Responsibility Lays With the C-Suite First

PwC’s 2018 Global State of Information Security survey showed that almost half — 48 percent — of companies surveyed don’t have an employee security awareness training in place, while 54 percent don’t have incident response plans in regards to cybersecurity threats.

“Thinking through how you’re dealing with stress testing in the incident response programs cannot be understated,” says Kevin Campbell, cybersecurity lead for PwC’s Southeast region. With 25 years of experience in the fiber privacy and cybersecurity space, Campbell supports the cybersecurity and privacy needs of PwC across the region.

“It amazes me that companies don’t have a disaster recovery plan or incident response plan in place, or there’s something that was developed years ago and has not been actively updated, and even more so that they haven’t been tested.”

With Georgia ranking third in the country for information security companies, generating almost $5 billion in revenue, Campbell decided to bring together over 40 local companies to create a forum for chief information security officers to discuss common threats and issues. It also encourages CISOs to conduct mock incidents at their companies to test out their current security procedures.

“One of the exercise that we see companies doing right now is tabletop exercises,” says Campbell. “It includes the Board, the C-suite, the IT department, communications, and marketing teams. As you walk through scenarios, you’re able to know how to deal with a cybersecurity threat prior to an event occurring.”

Campbell shares more about why company leaders should implement risk management training and response plans sooner rather than later and why collaboration in the Atlanta market can help fight these growing threats.

Why is it important that cybersecurity and risk management come from the C-Suite versus the IT department?

According to our global state information security survey for 2018, companies have not made the progress that you would think they would have made. Right now, 44 percent of companies don’t have an overall information security strategy. Companies are embracing new platforms such as mobile technology, artificial intelligence, predictive thinking, the internet of things —  it’s more important than ever when you think through those stats of where companies are, to have some of those basic things in place.

If affected, then how are you effectively minimizing impact to your organization, to your customers and employees to get them back up and running as quickly as possible without going into brand-damaging issues. People don’t think about the corporate communications side — the clock starts ticking with some of the data privacy laws in as little as 72 hours. Do you have an information strategy that is able to access and show progress with these evolving threats? Have your CISO or chief security officer built a relationship with the board? Because we know when things go bad, those people tend to lose their jobs.

Understanding the link between business strategy decisions, the relative risk that’s having on your organization, and then the relative risks that it’s having as a result of your cyber environment is critical to have that open communication channel.

Why is it important, aside from the obvious, to protect your employee data? Is there a way to do it that also incorporates your customers?

When you look at laws, at least in the U.S., the personal identifiable information covers employees and consumers. You think about some of the big government hacks that have happened, which have been breaches of personal employee information, so they have been out there. You have the same sort of consequences with those, because you’ve had the same amount of personal identifiable information, sometimes in various forms for customers and/or employees. They both need to be protected with the same realm and the same controls and vigilance as you would anything else.

When you start to understand what threat actors you face as an entity, you can then begin to understand where your data is and what those data elements are that may be of target and use to them — and that’s how you end up getting into being able to protect that information differently. Employee information should be protected just as much as consumer and customer information should be.

What are the benefits of collaboration and discussion between companies within the Atlanta tech scene about cybersecurity issues?

We’re in this together. While there are industry-specific issues, there are a lot of issues that are common across the board. That was one of the reasons why we formed our PwC chief information security officers roundtable to discuss every quarter. We can pull CISOs into that knowledge-sharing session and share the threats they’re facing. Collaborating with our peers and understanding that any impact on one of us is probably going to impact others and propagate.

There’s also a government element that needs to be addressed as part of that collaboration. Right now, I know the U.S. government is trying to make information sharing a little easier, but a lot of this stuff is top secret and you need clearance. There are people in companies that are getting that clearance to access some of this threat intelligence. Many times, the first time that most companies know that they’ve been breached is when the FBI knocks on the door and tells them so. That’s the most common way to find out that you’ve actually been breached. That’s not a good thing and that’s not much of a collaboration when you think about a holistic solution, about how we can do better within that organization to have a more protective front.