At the recent inaugural CSX 2016 Asia Pacific conference in Singapore, Richard Quest, CNN’s foremost international business correspondent and host of Quest Means Business, presented a keynote address on what he considers the biggest single threat to any CEO today—ransomware.

ISACA Now recently had a virtual conversation with Quest on the cyber security issues that are foremost in the minds of business leaders around the world. Quest discusses breaches, solving the cyber security problem, and the key takeaway from his keynote address.

Here is the conversation with Quest:


ISACA Now: What are the issues that strike you most from your reporting on cyber security and cyber breaches?

Quest: In the space of 6 months I received warnings from my credit card company, 2 department stores where I had shopped, my bank, even my health care provider, all telling me that my personal information may have been compromised by hackers. I was lucky; neither my identity nor my money were stolen. But suddenly I was acutely aware that what we were facing was far more than the usual problem of “theft’, but rather a systemic and dangerous threat from all sides. No wonder President Obama calls cyber security the Wild, Wild West!

Pause. Consider the range of organizations that have been hit: The world’s largest banks, JP Morgan and Citi. Same for stores. Target and Home Depot; also the online dating site Ashley Madison, where the hack even led to one known case of suicide; Sony, where a movie studio was almost brought to its knees after its entire email cache was released.

No institution, however big or grand, is safe. The global payments system SWIFT has embarrassingly admitted $100 million was stolen from one of its members who had been careless with authentication details. Even the US government has admitted data on millions of employees has been compromised.

What makes cyber security breaches most worrying for companies is the existential threat that comes with them. Rob a bank branch and you only get the money inside the vault. Compromise a bank’s trading or transfer systems and, as the SWIFT CEO admitted recently, you create a threat to the very existence of the institution itself.

Cyber attackers frequently squat in compromised systems for months before launching their attacks. It creates a huge challenge for companies. It is not enough only to secure the front door—you have to constantly be trawling your systems to make sure no-one has got in while you didn’t notice.

The biggest issue for top management is designated responsibility. A bank CEO told me cyber security policy was non-delegable from the chief executive. It is not something that can be “left to IT” and hope for the best. Now that we know the seriousness of the threat facing companies, the buck must stop with the CEO.


ISACA Now: You’ve talked to some of the greatest minds in business. Are there any consensus on solving—or at least greatly reducing—the cyber security problem?

Quest: There is no consensus on what to do because, first, many CEOs have to awaken to the risks and consequences of failure. It was cases like Ashley Madison and Sony that truly set the alarm bells ringing. It’s one thing to have “data” stolen that you can’t really understand. It’s another to have your clients’ details and private emails splashed across the front pages: That is something your clients and your shareholders can understand.

How to tackle cyber security has limited consensus. More guards on the firewall; stronger encryption; more policies for systems access; compartmentalizing systems so that when one is compromised it can be isolated; rapid resolution of breaches; strong PR and customer-facing responses. These are just some of the generally accepted measures being taken. The only true consensus is: It is going to happen to me someday. I need to be prepared as best I can, so that it doesn’t create an existential threat when it does.


ISACA Now: What were the key takeaways from your CSX Asia Pacific presentation?

Quest: I am a business expert not well versed in the computer world. My takeaway will be simple and maybe obvious: It can happen to you. And when it does, it will be nastier, more embarrassing, more costly than you can possibly imagine. It may bring down your top management and could well bring down your entire company. You know all of this. And you are still probably not doing enough to handle it.

I have covered plane crashes for years. Airlines continually practice how to handle incidents so responses are rehearsed and effective. But ask any CEO whose airline has been involved in a crash and they will tell you it was nothing like they had experienced. I believe that cyber security threats are in that same league.

It is hard giving a speech to an audience of experts, who deal with this all the time. So, if at the end of my keynote you are a little bit more frightened about what might happen to your company, then my job will have been done.

I can sum up my speech on one sentence: Cyber security is the single biggest threat your company faces today.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access