Jason Hogg is the new CEO of Aon Cyber Solutions and Stroz Friedberg. Aon Cyber Solutions brings together Aon’s industry-leading cyber risk broking expertise with Stroz Friedberg’s technical proactive and reactive cybersecurity services. Here Jason discusses what brought him to Aon and how organizations should be approaching cybersecurity as an enterprise-wide risk.
You’ve worked at the forefront of technology in finance and in cybersecurity, at start-ups and at household-name organizations, as well as the FBI. Tell us, what brings you to Stroz Friedberg and Aon?
First, the culture of Aon and Stroz Friedberg is incredibly proactive and enthusiastic. I was particularly struck by the dedication of everyone on the team. Second, cybersecurity is an area which will only become more important as enterprises become more mobile and increase connectivity with their customers. Whether it’s through a retail bank’s mobile app or an auto manufacturer producing a connected car, organizations’ exposure points are increasing exponentially. Third, the combination of Aon and Stroz Friedberg provides a very unique and differentiated approach, because we offer a holistic platform. We act both proactively and reactively, with end-to-end assessments, testing and remediation capabilities, quantification and risk transfer expertise, and our ability to respond to incidents. The combination of these factors made it a hugely exciting opportunity.
What is your take on the current cyber risk landscape and the way companies are looking at this risk?
The way companies are looking at cyber risk is beginning to change. Up until recently, companies looked at cyber risk as an information security component or as part of the information technology group, focused primarily on protecting hackers from getting in. It was assumed that keeping someone out of a building was good enough. But then if someone breached the building by using someone else’s badge, they could simply plug an Ethernet cable into a conference room and intrude upon the network. You have to have layers of protection. There must be a coordinated approach across the entire enterprise to identify exposure points and remediate them.
Because of this and the other trends I just talked about, enterprises are realizing they have to look at this risk holistically. It’s not only about keeping people out. It’s about monitoring transactions and having varying degrees of protection across the value chain for the customer and the consumer experience. It’s about brand reputation, and making sure that if something does occur, you’re able to respond as quickly as possible. It’s about minimizing interruptions to your business.
A holistic approach should be the bedrock of any company’s cybersecurity strategy. Organizations need to be examining whether they’re taking adequate precautions to minimize their exposure to the types of threats we are now seeing on the scale of the recent WannaCry attack. My strong recommendation is to engage with the experts to properly assess what those exposures are, improve security governance and protocols, quantify the financial impact from cyber risk, explore risk transfer solutions, and make sure you’re ready to respond to incidents with as little business disruption and damage as possible.
What functional areas in an organization should work more collaboratively?
Everyone has a different lens on how they view and measure risk. The general counsel, the CISO, the CRO, the CTO, product developers, financial executives, and compliance and audit team leaders need to work collaboratively, in a cross-functional manner. Together, these individuals should form a risk committee, so that there is a complete view across the organization, and someone needs to chair the risk committee and be ultimately accountable.
How does Aon’s Cyber Solutions Group help companies respond in a holistic manner? What are the benefits?
Our unique, turnkey solution enables clients to take a more integrated approach to managing cyber risk, which enables a number of advantages.
No other firm can deliver this level of integration. When partnering with us, organizations have an end-to-end advisor who understands cyber risk and offers multidisciplinary teams with strong legal and law enforcement backgrounds. For example, the network effect for clients of working with one platform means we have greater intelligence about them that we can use to more rapidly respond to incidents and remediate. We can also use this knowledge to provide better risk transfer services. All of this results in being able to more effectively protect, detect, and respond to cyber risk for our clients.
Working with our single platform also helps reduce costs. Without us, a client might use separate providers for services like assessments, penetration testing, response, and cyber insurance, in which case each partner is trying to generate their own revenue. As one organization working with the client, we’re more closely coordinated.