Resiliency & Risk Management
Perspectives on Today’s Cybersecurity Landscape
At Carlyle, we aim to drive a consistent and repeatable value creation framework through the entire investment lifecycle with over 270 active portfolio companies. Leveraging our global expertise, scale, and reach, our Global Portfolio Solutions (GPS) team guides and enables Carlyle portfolio management teams to seek to strengthen operations, accelerate growth, and catalyze change. In our functional areas of expertise, such as Technology, we identify opportunities with our portfolio company management teams to aim to increase the speed of growth and drive operational excellence within their business.
Carlyle’s 2022 Chief Information Security Officer (CISO) Conference convened over 30 portfolio company executives in Washington, DC to exchange insights through panel discussions and tabletop exercises designed to simulate cyber threats. Read below for five perspectives shared from Carlyle leaders, our portfolio company executives, and cybersecurity experts during the conference.
1. An agile approach is needed to keep pace with today’s dynamic threat landscape
Delivering the event’s keynote address, John Hultquist, Vice President of Intelligence Analysis, Mandiant, highlighted the critical need for organizations to adopt risk management strategies that can be just as nimble as the actors they are protecting against. Today’s actors are not bound by geographic borders and are moving faster than ever from one target to the next; they can be re-tasked from stealing crypto to accessing employee data in minutes.
As far as prevalent pain points in today’s risk threat landscape for CISOs to analyze and address, John Hultquist highlighted several areas, including aggregation of data in company-wide systems, which can create bottlenecks that serve as easy access points for cyber criminals to infiltrate and disrupt corporations. He also pointed to a rise in disinformation campaigns, in which threat actors leverage false identities to attract traditional and social media coverage in an effort to manipulate public perception of a company and influence actions against them.
2. Security is a fundamental pillar of cloud transformation
Praveen Jonnala, Senior Vice President and CIO, Commscope, Guarav Agrawal, Vice President and Practice Head for Cloud and Security Services, Hexaware, and Mark Ryland, Director of the Office of the CISO, Amazon Web Services, unpacked how cloud infrastructure, network security, and identity and security management are all critical to the cloud transformation process, from discovery, design, and test-proofing to migration. Guarav Agrawal urged CISOs to examine what the cloud can offer in terms of their organization’s ability to seamlessly recover in the event of a security incident. Mark Ryland underscored the importance of “creating a culture of no shame” throughout IT modernization process: “Train your people to report when they see something that might be wrong, or even when they do it themselves. Human errors happen, but we want to learn from mistakes and find out how we can optimize the technology to minimize the chances of future errors.”
3. Crisis playbooks are essential
Avi Gesser, Co-Chair of the Data Strategy & Security Group, Debevoise & Plimpton, led a collaborative exercise focused on responding to cyber extortion. Participants were presented with a scenario and assigned corporate roles different than their real-life roles in order to explore alternate points of view. A corporate memo with sensitive, non-public deal information is for sale on the dark web – how do you successfully manage this potentially damaging crisis? Participants worked through the process of purchasing the document, tracing its cyber path to determine how it might have leaked, notifying appropriate parties of the potential issue, and evaluating systems to ensure there are no other vulnerabilities or exposures. At the conclusion of the exercise, Avi Gesser commented, “this was messy and chaotic, and we are all in the same room! Imagine working through this scenario across time zones, from different offices, in-person and remotely.” The group agreed that having an off-the-shelf playbook, as well as legal, cyber, and public relations consultants on hand are key to preparing for potentially damaging cyber-attacks.
4. The evolving role of the CISO
Erica Antos, CISO, TriNetX and Nick Mankovich, CEO, CyberRisk Consulting discussed ways in which the CISO role is rapidly evolving as the critical nature of cybersecurity intensifies. Nick Mankovich shared: “CISOs should recognize the dynamic nature of their role. A useful tool is to ask yourself: (1) 'What role was I hired into?' (2) 'What role does top leadership need me to fill?' and (3) 'What role do I believe is right for the company and my future career?'” It is no longer enough for CISOs to be narrowly focused on compliance; organizations today demand that CISOs work closely with management and think strategically to add value to the business. The panelists agreed on one crucial point: “We are all risk managers.” Further, a CISO needs to fit the company culture, while being agile enough to take security and compliance to the next level with their own vision and experience. Panelists discussed the need for CISOs to ask themselves not only what they were hired for, but what the company needs from them going forward. Erica Antos noted that organizations “may not know what they need until someone with a forward-thinking, strategic security mindset comes in and tells them.”
5. Close collaboration with leadership is paramount
Considering the significant cost implications and increased regulatory requirements around cybersecurity, panelists Shawn Devilla, a Vice President on Carlyle’s Technology investment team, and Emily Larkin, CISO, Abrigo, agreed close collaboration among CISOs, management teams, and boards is key to a successful approach to cybersecurity for every organization. According to the panelists, boards and management teams that are “cyber mature” actively oversee cyber strategy, require regular reporting by the CISO, and promote the importance of cybersecurity monitoring within the entire organization from the top down. On the relationship between CISO and corporate board, Shawn Devilla encouraged CISOs to be proactive in highlighting the organization’s weaknesses and areas of risk to senior leadership as this is essential to building trust and conviction, in addition to establishing proper protections.
Discussions among CISOs from across Carlyle’s portfolio confirmed cybersecurity is a chief priority for organizations globally. Carlyle’s Chief Information Officer for the Americas Michael Kingston said in the event’s opening remarks: “Resiliency and risk management are at the top of everyone’s agenda today and cybersecurity is the bullseye on that target.” Bethany De Lude, Carlyle’s Chief Information Security Officer, added that “cyber risk management is truly a team sport – every day, each of us make decisions that determine if we are a point of risk or a point of strength in the cyber ecosystem.”