Cybersecurity introduction

Nov 10, 2020


Mark Seifert, Siobhan Gorman

This is a business imperative, not a tech issue, says Brunswick’s Cybersecurity and Privacy team


Cyber threats are generating some scary statistics: $400 billion a year in losses from attacks, with some larger businesses experiencing more than 12,000 attacks each year. But there is also good news. Companies are recognizing that cybersecurity is not a technology concern but rather a critical business issue and one they are preparing to deal with. To address the significant business and reputational risks involved, companies are using a cross-functional, top-to-bottom approach, one that treats cybersecurity as a business imperative.


Many companies are beginning to strengthen their “human firewall,” creating a business culture where every employee sees cybersecurity as their responsibility. People, not software, are often the weakest link in a security system and that is a problem no software patch will solve.


Regulation is growing increasingly complex and governments’ expectations differ from those of companies and consumers. The rules are murky and lag far behind the technology – and the threat. To deal with competing and at times conflicting requirements, some companies are moving beyond the minimum demanded of them, and aiming for a higher standard.


To be effective, a company’s cybersecurity program needs to weave these threads into its underlying business plan. Cybersecurity is more than just a strong defense, more than compliance. It must be a part of corporate culture. It represents an opportunity to differentiate yourself from your competitors, increase the efficiency of your operations and earn a greater level of trust from customers, shareholders and the community.


Mark Seifert

Partner, Washington, D.C.

Mark Seifert offers insights and practical advice to clients addressing complex privacy issues.

Telecommunications, Media Relations, Cyber Security, Privacy and Data Management

Siobhan Gorman

Partner, Washington, D.C.

Siobhan Gorman concentrates on crisis, cybersecurity, public affairs, and media relations.

Cyber Security, Cyberattacks, National Security, Litigation, Media Relations
