Coming to Park Plaza, Westminster Bridge, London on June 7 and 8, PrivSec World Forum sits within the Digital Trust Europe series, and will bring attendees up to speed on the very latest developments in data protection, privacy and security.
The two-day, in-person event is sponsored by OneTrust; it brings together a broad range of industry specialists and subject matter experts to discuss the opportunities, threats and challenges dominating the data protection landscape today.
We spoke to Bill about his career pathway so far, and for more insight into how businesses can build resilience both externally and internally.
Could you outline your professional journey so far?
I started out as a weapons engineering officer in the Royal Navy, specifically working on guided missile destroyers chasing Russian submarines in the Baltic. When I left the Navy (assuming that the Cold War was over), I went into the tech sector, and spent about 16 years at IBM, where I rose to be the global head of corporate communications for IBM’s Financial Services Sector. A $25 billion business unit – about a quarter of IBM’s revenue at the time – this was the largest Fintech in the world.
My job was not only driving thought leadership globally around how technology would change everything, from risk management to algorithmic trading, but it was also about troubleshooting when things went wrong.
I left IBM in 2015, and was a cloud analyst for a while and then moved to a company called UKCloud, where I was the cloud strategist. We managed critical workloads for the UK Government, hosting things like Genomics England, the largest health dataset in the UK, as well as workloads for the UK courts, NHS, HMRC, DVLA and others, so sensitive data like your health records, tax records, driving records and even criminal records (if you have one).
Interestingly, this was a 200-person business that was taking on the likes of Amazon, Microsoft, and Google. And it was the only market anywhere in the world where the small player was beating these giants at their own game. Our main focus when seeking to differentiate ourselves against the tech giants was around data sovereignty, data assurance, data privacy and security.
I ended up working with Max Schrems, who was crowdfunding ahead of the launch of GDPR for his campaign against Facebook and other tech giants. I sought to do what I could do to help in terms of my media connections and doing some TV, and Max ended up sort of blowing his crowdfunding target out of the water at about €350K.
As well as supporting Max, I have also been an adviser to leading law firms seeking to bring cases against the likes of Facebook and others in the UK.
In the last four years or so, I’ve also been on TV or radio about once a week, commenting on things like the NHS track and trace system in the UK and issues surrounding privacy, cybersecurity, regulating social media, etc. Indeed, I’ve probably had more broadcast airtime over this period than any other technologist in the UK.
On top of this I write for a number of publications, from AccountingWeb to Cloud Computing News, and I have a fairly decent social presence. In fact, an analysis by Onalytica across broadcast, print and social media for its 2021 “who’s who” in data management identified me as the number one expert influencer in the world for data privacy and cybersecurity.
I’ve tried to use my global reach and influence to help campaign for digital ethics and regulatory reform. My ethos is very much about striking the right balance between meaningful protection on one side, including digital ethics, privacy and cybersecurity, and on the other side, maximising economic and social value through innovation and digital transformation.
I founded Crisis Team a couple of years ago, based on my experience troubleshooting for IBM. We have an elite team of experts in the sort of technical, legal, reputational and social capacities that you need to respond to a cyber incident. I strongly believe that you need to use specialists in each of these areas.
What themes have forced business resilience and security to the top of the agenda in recent years?
Just to set the scene: I think we have a very, very big problem here, and largely it’s cultural. If you look at the way that management structures in almost all large organisations work, individual performance as well as the performance of different business units or teams is measured in terms of return on investment (ROI) factors, such as revenue and profit.
This drives a certain behaviour. There are very few people in an organisation that have metrics that are return-on-risk (ROR) oriented. You may have the CISO, you may have some people in compliance that are somewhat focused on ROR, but to a large extent, they will be isolated.
In my work in incident response and cybersecurity, I see how CISOs can become isolated – what I sometimes term as CISOlation – because of the different orientation and metrics that they have, which drives a different behaviour from almost all of the rest of the senior management in any organisation.
We have seen the impact of such behaviour time and time again. I saw this with the financial crisis during my time at IBM. I led IBM’s global response to the financial crisis, helping all of its banking clients at the time.
We obviously couldn’t blame the IBM technology because it was our technology. We couldn’t blame the banks because they were our clients. And therefore, we had to do some very nuanced communications about exactly what was happening or going wrong.
To a large extent it was a systemic failure that stemmed from their culture and orientation. In most trading banks, the vast majority of the traders, executives, and people that had any power, were focused on revenue and profit. There were risk management teams, and all banks were mandated to have risk management systems, but they were the guys in the basement whose warnings were largely ignored.
Frequently when people sound the alarm they aren’t listened to. To a large extent, we’ve had the same in the pandemic, when there were people raising the alarm around the health issues and the potential for a pandemic, and again they were largely ignored.
We failed to act because our orientation was insufficiently risk-oriented. We’re also seeing this in climate change where everyone knows that we have a problem. But the orientation is not sufficiently risk-aware.
And we’re seeing the same in cybersecurity. A lot of organisations are, unfortunately, overly confident that a major failure won’t happen to them; they assume that they’d cope in the event of a crisis and do absolutely fine. They have a false sense of security and a lack of risk appreciation.
What key challenges do businesses face as they bid to improve security?
You need to change the culture, which isn’t going to happen easily, especially as the performance and incentive management systems in most organisations act against you in terms of risk awareness. Plus, it can always be an uphill struggle to justify adequate budget for cyber security.
Furthermore, if people lack the right priv-sec culture or aren’t necessarily cyber risk aware, then they’re going to behave differently in terms of diligently abiding by cyber hygiene rules, such as not clicking on phishing emails and other things. Therefore, to a large extent, training and cultural awareness is half the battle.
The other half concerns the budget and getting the investment right. I think cyber insurance is set up to fail at the moment, and is largely for most clients a waste of time and money. If you’re a very large organisation, you can afford to do a full cyber audit. From this full cyber audit, you can actually identify the assets at risk and the vulnerabilities. All of that can be used to accurately price any cyber insurance premium.
For the rest of the market, who cannot afford a comprehensive cyber audit, pricing risk is largely guesswork. For the mass market, insurers often use web crawlers that look at an organisation’s externally facing endpoints and assess their security – whether they’ve been patched recently, and whether they’re up to date. This is a very crude way of assessing cyber risk.
Pricing cyber risk in this way has been compared to assessing the fire safety of a building using a photograph taken from the opposite side of the street. You can see that it’s a brick building, you can see roughly how big it is, but you have no idea if it has sprinkler systems, you have no idea if there are flammable materials inside. To a large extent, you’re assessing all of this risk remotely and have very little knowledge of the realities, and that’s typically the case for almost all of the mass market.
Therefore, the insurers need to cover their backs and tend to do so by including a number of exclusions in their policies, some of which can be quite broad. These can include everything from insider threats to acts of war, and collectively the exclusions can negate a claim of almost any kind for almost any incident. I’ve written articles detailing some of the most common and most concerning exclusions.
And then when you have a cyber incident, a lot of insurers will have a list of recommended suppliers that they sometimes insist that you use because they want to limit their costs. If the technical response team going in to solve your problem is a team that your insurer has recommended, you need to question what their loyalty is: is it to you? Or is it to the insurer? And if they find something on site that would negate your cover, will they report it to the insurer?
You also need to consider the extent of the cover. We saw this with the Norsk Hydro cyberattack, where the company thought that it had comprehensive cyber insurance, and ended up with a pay-out from the insurer of about three and a half million euros (about 5% of their overall costs), as the policy only covered the technical fix, and not any of the remediation beyond solving the initial problem. Therefore, you have to question what the point of having insurance is in the first place.
If you’re going to go down the route of cyber insurance, I would advocate using a very canny broker to act on your behalf, because a lot of policies out there simply aren’t worth the paper that they’re written on.
What role do employees play in reducing internal risk?
You need to have risk awareness at all levels. So, you need a risk representative on the board who can put forward the risk perspective to other senior management who might not and typically don’t have such an orientation.
Below that, you need people in the organisation not only mandated to keep you secure, but given sufficient budget to do so. Then you need staff that are trained – I mentioned the culture and it comes back to that as well – but on top of all of that, you need to be crisis prepared because the chances are things will go wrong at some point.
You definitely need to check your backups and test them; you also need to check that your crisis management and your incident response plans are going to work, and you need to test these as well.
I’ve seen organisations that have very sophisticated backup systems, but haven’t tested them in a very long time and have no idea if they’re working properly. You also have organisations that don’t do incident response simulations or rehearsals, even though testing and assessing all of your processes, including your incident response and crisis management procedures, is mandated under GDPR.
Senior management in many organisations don’t participate in such rehearsals as they see cybersecurity as an IT thing, and not a business thing – the reality being that by the time the IT does go wrong and the business is in crisis, it has definitely become a business risk. If senior management don’t take the rehearsal seriously, you’re not going to be seriously prepared for eventualities. Not only do you need to conduct these rehearsals, but you also need to have the senior management actively involved. You probably also need to have external Incident Response Teams set up and participating in rehearsals as well.
From my perspective, incident response needs to include four different levels. You need an expert technical team – your internal technology team may know your systems inside and out, but they don’t have the kind of external, objective viewpoint that will actually spot when something is potentially out of kilter.
On the legal front, you may well have an in-house legal team and also a retained legal firm, but often they tend to be GDPR specialists rather than incident response experts. Inevitably they will need to seek advice from expert counsel in order to turn the digital forensics from the tech team into a legally defensible narrative.
On the reputation management side, firms also believe that they can handle an incident themselves, but quickly become unstuck when they realise that they don’t understand that cyber incidents need to be managed in an entirely different way from all other crisis management scenarios. Specialist support is again essential.
Finally, on the social media side, your credibility will be at an all-time low. We approached the Marriott team at the time of the big Marriott hack. They knew at the outset that it was only the Starwood brands that had been hacked – less than a fifth of their brand portfolio. We advised them to get social media influencers to act as trusted voices to support them. They failed to do so and were unable to counter the mystery and misinformation and the incident ended up tarnishing ALL the Marriott brands.
Rather than seek expert legal counsel and specialists in technical, reputational and social response when you’re desperate for help, you’re better off doing due diligence to select the best team long before things go wrong. Then during rehearsals, they can become familiar with your legal and management structures so as to offer expert advice in advance as well as being well prepared when their help is most urgently needed.
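Bill’s point about checking backups and actually testing them, rather than assuming they work, lends itself to a small restore drill. The Python script below is an added example written for this page; it is not code from the interviewee, Crisis Team or PrivSec, and the file names, archive layout and manifest format are constructed for illustration. It backs up a directory together with a SHA-256 manifest, restores the archive into a scratch directory and verifies every file, and then shows how a silently corrupted or incomplete backup is caught: exactly the kind of defect a sophisticated but untested backup system can hide.

```python
"""Added example: a restore drill that proves a backup is usable.

Constructed scenario: a source directory is archived with a SHA-256 manifest
(manifest name and layout are made up for this example). The drill restores
the archive into a scratch directory and checks every file against the
manifest, reporting missing and corrupted files, so a backup job that silently
dropped or damaged data is found before an incident rather than during one.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # constructed name for the hash manifest


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source and embed a manifest of their hashes."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
        data = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore_drill(archive: Path) -> dict:
    """Restore into a throwaway directory and verify each manifest entry.

    Returns a report: ok flag, number of verified files, and the lists of
    missing and corrupted paths. Nothing touches the live source directory.
    """
    # Use the safer extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **extract_opts)
        manifest = json.loads((dest / MANIFEST_NAME).read_text())
        missing, corrupted, verified = [], [], 0
        for rel, expected in manifest.items():
            p = dest / rel
            if not p.is_file():
                missing.append(rel)
            elif sha256_file(p) != expected:
                corrupted.append(rel)
            else:
                verified += 1
        return {"ok": not missing and not corrupted, "verified": verified,
                "missing": missing, "corrupted": corrupted}


def tamper_copy(archive: Path, out: Path, corrupt: str, drop: str) -> None:
    """Constructed fault injection: copy the archive with one member's last byte
    flipped and another member omitted, leaving the manifest unchanged. This
    stands in for silent media corruption and an incomplete backup job."""
    with tarfile.open(archive, "r:gz") as src, tarfile.open(out, "w:gz") as dst:
        for m in src.getmembers():
            if m.name == drop:
                continue
            data = src.extractfile(m).read()
            if m.name == corrupt:
                data = data[:-1] + bytes([data[-1] ^ 0xFF])
            info = tarfile.TarInfo(m.name)
            info.size = len(data)
            dst.addfile(info, io.BytesIO(data))


def run_drill_scenarios() -> tuple:
    """Build a constructed source tree, back it up, and drill both a healthy
    and a damaged copy. Returns (healthy_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "source"
        (src / "db").mkdir(parents=True)
        (src / "config").mkdir()
        (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (src / "config" / "app.ini").write_text("[app]\nmode=prod\n")
        good = work / "backup.tar.gz"
        make_backup(src, good)
        bad = work / "backup-damaged.tar.gz"
        tamper_copy(good, bad, corrupt="db/customers.csv", drop="config/app.ini")
        return restore_drill(good), restore_drill(bad)


if __name__ == "__main__":
    healthy, damaged = run_drill_scenarios()
    print("healthy backup:", healthy)
    print("damaged backup:", damaged)
```

The drill restores to a scratch location rather than over production, which is the same discipline a real rehearsal needs: a backup is only proven once its contents have been brought back and checked against an independent record of what was saved.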
Also on the panel:
- Dominic Johnstone, Lead Information Governance Expert, InfoTechtion
- Jonathan Craven, Privacy and Compliance Lead, iRhythm Technologies Ltd
- Robert Fleming, CMO and Head of Product Management, Zivver
→ Session time: 14:15 – 15:00 BST
→ Date: Wednesday June 8, 2022
→ Venue: Park Plaza Westminster Bridge, London
PrivSec: World Forum is also available on-demand for global viewing