Navigating Corporate Risk and Cybersecurity: A Discussion with Annie Searle

By Sean Costigan, PhD

In a recent exploration of the intricate world of corporate risk management and cybersecurity, I enjoyed the privilege of engaging in a compelling conversation with Annie Searle, a distinguished expert in the field of operational risk management. Searle’s extensive experience in the financial, IT, and emergency services sectors illuminates the multifaceted nature of risk in the corporate world. With her academic prowess at the University of Washington, Searle is a formidable voice in the realms of corporate governance and cybersecurity. Her career trajectory is not just impressive; it’s a testament to her deep commitment to risk management excellence. Searle’s work in developing premier risk programs and advocating for technology access, notably through her involvement with the Seattle Public Library Foundation, underscores the breadth of her expertise and dedication. 

During our discussion, we delved into the intricacies of notorious corporate scandals, including cases like Theranos and Wells Fargo. Annie emphasized the utmost importance of recognizing early risk indicators, a lesson that many companies, unfortunately, have yet to put into practice. Her critique of the failures in corporate governance systems reveals a troubling disconnect between leadership’s decision-making processes and the operational ground realities of organizations. One of the most enlightening aspects of our conversation revolved around the concept of tone at the top.

Annie elucidated how leadership ethics and operational standards cascade through an organization’s hierarchy, profoundly influencing its overall conduct. She brought to light how skewed incentives and bonuses can lead managers down the wrong path, and how important it is to recognize the early warning signs of risk. Furthermore, Annie’s observations on the dilution of risk reports as they ascend the corporate ladder resonated with me, highlighting a dangerous underestimation of risks at higher management levels. In conversations with board members, Annie notes that she recommends the creation of risk committees: “Because I see risk as overarching and including cyber and I think there ought to be a relationship between the board members on that committee at the board level and the cyber organization itself.”

Our analysis of the Wells Fargo debacle shed light on the critical role of board members in overseeing company operations and managing risks. Annie’s insights into the board’s challenges, especially in comprehending and managing cybersecurity risks due to a lack of technical know-how, were eye-opening. It’s notable that, according to a recent study, just 12% of S&P 500 corporate boards have some measure of cybersecurity talent. As she notes: “we still have this gap operationally with the security apparatus where we’re not good at explaining what the threats are or why the investment will pay off or assembling a kind of research history of the threat in terms that even a C-suite executive can understand.”

We also tackled the complex new SEC rules on cybersecurity, particularly the intricacies involved in determining the materiality of a breach. Annie’s recommendation for boards to establish dedicated risk committees, distinct from audit committees, struck me as a vital step towards enhancing board-level advocacy for cybersecurity and risk management. This approach is especially crucial when cybersecurity doesn’t top the CEO’s agenda.

Reflecting on our conversation with Annie Searle, I am reminded of the pressing need for vigilant and well-informed leadership at the highest corporate levels. Her expertise sheds light on the criticality of a strategic and informed approach to risk management across organizational tiers, particularly in our increasingly digitalized world. As we advance, the lessons drawn from this insightful dialogue with Annie are more relevant than ever, emphasizing the importance of robust governance and risk management strategies in today’s complex corporate landscape.

Listen to Episode 1 of Resilience Rising by clicking the link below

PUBLISHED BY

Sean Costigan

8 Feb. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Cybersecurity

Your guide to the SubdoMailing campaign

Billy McDiarmid

A significant number of well-known organizations have been attacked as part of what’s being called the SubdoMailing (Subdo) campaign that has been going on since at least 2022, research by Guardio Labs has revealed.   The scale of execution of this attack is staggering, and the impact is hugely damaging, but the goal is simple…

Read more
Certificates

A confident deployment guide for TLS and PKI

Ivan Ristic

Our journey to better network transport security has been quite the ride, filled with ups and downs. Back in the ’90s, when SSL and the Netscape browser were just taking off, things were pretty hard. We were dealing with weak encryption, export restrictions on cryptography, and computers that couldn’t keep up. But over the…

Read more
DMARC

Red Sift OnDMARC: The best Agari alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market.  Red Sift OnDMARC overview Red…

Read more
DMARC

Red Sift OnDMARC: The best Valimail alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Valimail that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Valimail and Red Sift OnDMARC – one of the most popular Valimai alternatives on the market.  Red Sift OnDMARC overview Red Sift OnDMARC…

Read more