Navigating Corporate Risk and Cybersecurity: A Discussion with Annie Searle

By Sean Costigan, PhD

In a recent exploration of the intricate world of corporate risk management and cybersecurity, I enjoyed the privilege of engaging in a compelling conversation with Annie Searle, a distinguished expert in the field of operational risk management. Searle’s extensive experience in the financial, IT, and emergency services sectors illuminates the multifaceted nature of risk in the corporate world. With her academic prowess at the University of Washington, Searle is a formidable voice in the realms of corporate governance and cybersecurity. Her career trajectory is not just impressive; it’s a testament to her deep commitment to risk management excellence. Searle’s work in developing premier risk programs and advocating for technology access, notably through her involvement with the Seattle Public Library Foundation, underscores the breadth of her expertise and dedication. 

During our discussion, we delved into the intricacies of notorious corporate scandals, including cases like Theranos and Wells Fargo. Annie emphasized the utmost importance of recognizing early risk indicators, a lesson that many companies, unfortunately, have yet to put into practice. Her critique of the failures in corporate governance systems reveals a troubling disconnect between leadership’s decision-making processes and the operational ground realities of organizations. One of the most enlightening aspects of our conversation revolved around the concept of tone at the top.

Annie elucidated how leadership ethics and operational standards cascade through an organization’s hierarchy, profoundly influencing its overall conduct. She brought to light how skewed incentives and bonuses can lead managers down the wrong path, and how important it is to recognize the early warning signs of risk. Furthermore, Annie’s observations on the dilution of risk reports as they ascend the corporate ladder resonated with me, highlighting a dangerous underestimation of risks at higher management levels. In conversations with board members, Annie notes that she recommends the creation of risk committees: “Because I see risk as overarching and including cyber and I think there ought to be a relationship between the board members on that committee at the board level and the cyber organization itself.”

Our analysis of the Wells Fargo debacle shed light on the critical role of board members in overseeing company operations and managing risks. Annie’s insights into the board’s challenges, especially in comprehending and managing cybersecurity risks due to a lack of technical know-how, were eye-opening. It’s notable that, according to a recent study, just 12% of S&P 500 corporate boards have some measure of cybersecurity talent. As she notes: “we still have this gap operationally with the security apparatus where we’re not good at explaining what the threats are or why the investment will pay off or assembling a kind of research history of the threat in terms that even a C-suite executive can understand.”

We also tackled the complex new SEC rules on cybersecurity, particularly the intricacies involved in determining the materiality of a breach. Annie’s recommendation for boards to establish dedicated risk committees, distinct from audit committees, struck me as a vital step towards enhancing board-level advocacy for cybersecurity and risk management. This approach is especially crucial when cybersecurity doesn’t top the CEO’s agenda.

Reflecting on our conversation with Annie Searle, I am reminded of the pressing need for vigilant and well-informed leadership at the highest corporate levels. Her expertise sheds light on the criticality of a strategic and informed approach to risk management across organizational tiers, particularly in our increasingly digitalized world. As we advance, the lessons drawn from this insightful dialogue with Annie are more relevant than ever, emphasizing the importance of robust governance and risk management strategies in today’s complex corporate landscape.

Listen to Episode 1 of Resilience Rising by clicking the link below

PUBLISHED BY

Sean Costigan

8 Feb. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more
Certificates

How to build an inventory of certificates for PCI DSS 4.0 Requirement…

Rebecca Warren

We talk to organizations daily that are preparing for PCI DSS 4.0 requirements. March 31, 2025 marks the end of the transition period, and on this date, businesses must be fully compliant with PCI DSS v4.0.1.  One of the ways PCI 4.0.1 varies from PCI 3.2 is an updated Requirement 4, which covers encrypting…

Read more
DMARC

Getting started with the OnDMARC API

Nadim Lahoud

The OnDMARC API is great for performing bulk or repetitive tasks that need to be performed quickly, often and without error – and you don’t need to be a developer or even know how to code to use it. Here, I will walk you through how to perform the common task of updating the…

Read more