June 21, 2019

Keeping pace with high-stakes cyber adversaries:
Why Audit Committees pose new challenges to CIOs, CISOs & CFOs

Blog post By George de Urioste, Chief Financial Officer, 4iQ, Inc.

Combat increasingly sophisticated threats with a new resolve: Cyber Vigor

In the 2019 Global Risks Report by the World Economic Forum, of the 29 ranked risks, “massive data fraud and theft” was ranked number four by likelihood of occurrence throughout a 10-year horizon. “Cyberattacks” is at number five. Their resulting impacts are also profiled.

Ever-evolving, cyber security challenges continue to burn holes in Board-room tables across the globe – look no further than the latest round of questions audit committee members fire at CIOs and CFOs. ‘Why?’ you may ask. Because increasingly sophisticated threats from cyber criminals continue to outpace normal security measures. Now, the challenge to keep up requires a new level of cyber security: think Cyber Vigor.

Current Dilemma

Every day, every company of any significance is being attacked over the Internet. But odds are that if you talk to the Board, company management, and even the cyber security department at any company, they can’t tell you who is attacking them, what doors employees have left open into their network, and what data has been compromised when a breach does occur. That is, companies today sit connected to the Internet as an unknowing defender.


Enter the next generation – and fiduciary standard – of cyber-responsibility: turn the tables from being an unknowing defender to a proactive defender. Unmasking the threat is key to a Cyber Vigor approach.

Utilize identity threat intelligence

There is always a thirst for thought leadership among C-Suite executives for new insights in dealing with cybercrime. Along with data breaches and identity theft, ransomware, cyber espionage and fake news have taken center stage on the virtual battlefield. In this perilous environment, the push to stay ahead of digital malfeasance must be accompanied by Cyber Vigor – a new, robust approach to risk management. Specifically, take your cyber security initiatives to a higher level, add “identity threat intelligence.” This paradigm shift in enterprise cyber security is more than technical threat intelligence that deals with device, network and systems information. Unmasking the identity of bad actors and knowing what’s happening to your data are now paramount to proactivity.

Audit Committees of Boards can no longer only ask the most basic security questions: How current is our security vulnerability assessment? Are compliance policies being adequately deployed and followed? How well-educated are our employees about cyber risks and what to avoid? The new benchmark relates to Identity Threat IntelligenceYour cyber security future cannot be one of purely reactive protection. Think strategically (i.e., proactively) to produce a stronger defense. Audit Committees must ask CIOs, CFOs and CISOs the more potent questions:

  1. Who is attacking us? This is your “KYA” – Know Your Adversary. What are your prized digital crown jewels and who would be interested in them? If you don’t know, you are flying blind. The perpetrators know where the value is; you are on their “wanted poster.” They know you; do you know them? Knowing identity attributes raises the effectiveness of tools to protect yourself.

  2. What has been hacked? This is your “CD” – Compromised Data that has been stolen. Are you tracking data that may be breached and transmitted not only out of your systems, but also your data stolen or leaked from suppliers and vendors? How fast will it spread and what damage will be done? Knowing how your compromised data is being used in the dark web will raise the effectiveness of strategies to protect yourself.

  3. How vulnerable is your employee attack surface? This is your “EAS” – Employee Attack Surface. Too often, companies (and media) focus primarily on breaches that include consumer data. Yes, such breaches make headlines and create vulnerability for the consumer, but much overlooked is that these same consumers are also employees – regular, everyday people who commonly use the same passwords to access both personal and company accounts.  And their company accounts unlock valuable corporate data, leaving the door wide open for adversaries to walk out with whatever trade secrets they want. This is vital data a bad actor or competitor would love to have. Where is employee data located on the dark web? Are you waiting for a call from the FBI to tell you? Is there an embarrassment factor acceptable to you? Knowing who of your employees have been compromised enables proactivity of defense to minimize future exploitation.

Cyber criminals never stop becoming more sophisticated. It is an endless game of cat and mouse; more accurately, lion and mouse. Increasingly, networks are breached by use of legitimate account names and passwords by illegitimate actors. By knowing who is attacking and what has been hacked, Identity Theft Intelligence empowers offense for a stronger defense to your employee surface.

I joined the 4iQ team because this company is at the forefront of tackling these tough issues the right way. Identify those bad actors who would do us harm with compromised data. Pivot in advance; otherwise, we are forever playing defense, under threat by the unknown. We create advantages for our customers in solving for KYA, CD and EAS, empowering them to be successful in the fight that lies ahead.