Helping Companies Meet Digital Danger

In a recent conversation with Hunt Scanlon Media, Stephen Spagnuolo of Mercuri Urval addressed his new job, the concept of cyber resiliency, and sustainability.

September 27, 2022 – Cyber resiliency is the ability of an organization to enable business acceleration by preparing for, responding to, and recovering from cyber threats. A cyber-resilient organization can adapt to known and unknown crises, threats, adversities, and challenges. The goal of cyber resiliency is to help an organization thrive in the face of adverse conditions, be it a crisis, pandemic, financial volatility, etc.

For a company to be deemed highly resilient, its entire workforce must be aligned, collectively and individually, to willingly do its part. For most of an organization's staff, this simply means being aware. More than 90 percent of cyberattacks are made possible, to a greater or lesser extent, by human error. The threats therefore have interdisciplinary, behavioral, social, and ethical dimensions, not just technical ones. Those organizations that bring their workforce along, that can bridge the chasm from forced compliance to voluntary commitment, are winning . . . in resiliency and sustainability. There is almost an innovation esprit that imbues their ranks.

Hunt Scanlon Media recently spoke with Stephen Spagnuolo, vice president – digital security and risk Americas at Mercuri Urval, to discuss cybersecurity. Mr. Spagnuolo discusses how companies have, in the last two to three years, taken on a resiliency culture and mindset to sustain their operational capabilities in the face of digital menace and intrusion.

Stephen Spagnuolo

Stephen, can you give us a quick review on our cyber state of play?

Spagnuolo: Six, maybe seven, years ago cybersecurity in the U.S. was where cyber is across Europe today, which is somewhat floundering at the corporate level, to be honest. The missing link was then, in the U.S., and is now, in Europe, unity of effort. Many corporates didn’t have a clue what to do about effectively solidifying their respective cyber postures, for example, rolling to cloud-based security; or worse, management teams did not give digital security or associated risk mitigation the level of importance it required. The companies who were doing it right weren’t talking to each other or to our U.S. government agencies. Don’t even get me going regarding our U.S. Congress sitting on their proverbial digital hands! It’s gotten markedly better, but for a long time, Congress’ lack of clear policy guidance made it difficult for companies to take significant and meaningful cyber leaps forward to achieve a quality cyber resiliency threshold.

What are we seeing today?

Spagnuolo: Today, the CISO office is firmly established, with CISOs having a spend line on the P&L and a voice in the board room. CISOs have taken it upon themselves to talk to each other in accepted back-door channels. And, while WannaCry and Petya didn’t seem to stoke their collective sense of urgency, Congress finally got off its rear end when gas pipelines (the Colonial hack) and meat supply chains (the JBS meatpacking hack) were wrecked for weeks in succession—‘Ma and Pa Main Street America’ let their representatives know in the clearest terms they were unhappy. Politics aside, this administration has done our nation—and really our entire global cyber ecosystem—well in appointing Chris Inglis as national cyber director and Jen Easterly as CISA head. I can’t effectively communicate here how critical both have been to advancing and bolstering our nation’s cyber resiliency and, equally, promoting interoperability between private and public sector entities. Folks are finally talking to each other. And with COVID, we saw CISOs becoming ‘beacons of light’ for their organizations. This figures, as CISOs, more than any other executive on management teams, contend with a flood of unknowns daily, so they—the tier one and tier two level CISOs anyway—possess a certain grace and ease and poise about them, while all else is seemingly spiraling down. But . . . the bad guys are still winning, and we—the good guys—are not keeping pace in innovating, developing, and expanding our cyber talent pool, nor in writing effective and meaningful compliance policy.

Why does resiliency figure so prominently in the cyber equation?

Spagnuolo: Resiliency, as it pertains to cybersecurity, is a measure by which a company or organization can both withstand and carry on operationally in the face of a digital breach. It’s a steely and pragmatic recognition that cyber breaches and cyber hacks will occur. It calls for remaining operationally comfortable and confident in the face of bad-guy activity, even when an adversary has a foot in the door. A high resiliency quotient requires a fluid mindset across the entire enterprise, up and down the CISO team for sure, and throughout the entire organization, across all company ranks. It’s not an entirely new concept per se, but it’s only lately gained wide acceptance and prominence. Resiliency is proving exponentially effective in staving off massive digital—and hence reputational—calamity. It represents a giant leap forward from where our collective cyber thinking was only a few years ago.

It’s been four months since you joined Mercuri Urval. Can you tell us what brought you to MU and how has the transition been?

Spagnuolo: Full disclosure, I really hadn’t heard about MU when I was first approached, earlier this spring. I knew Darcie Murray, MU head of Americas, from years past, but that was all. I’d done the ‘overseas firm into the U.S.’ thing (London-based Sheffield Haworth’s 2004 launch in New York); I’m glad I did it, but I wasn’t sure I wanted to do it again. But, after speaking with Darcie and then Matthias Loidold in Dusseldorf, our group director charged with overseeing our Americas expansion, and latterly our CEO Richard Moore in London, I have to say I was blown away in the best possible way. The storyline just resonated with me across the board—not just regarding MU’s commitment to building out a consequential and impactful global digital security and risk practice; not just in the firm’s commitment to invest in the U.S. over the long haul; but also and especially in our firm values and reliable leadership advice culture and collaborative go-to-market engagement underpinned by science.


What are some of your focuses at the firm?

Spagnuolo: My lane is digital security and risk mitigation. I bring a track record of working with emerging-growth domain cyber and fintech companies, across their leadership and next-level-down hires; CISO recruitments for corporates; and, more generally, recruiting partners and their reports for professional services firms. Additionally, I serve as point here in the U.S. for our global sustainability practice, led by Flemming Kehr in Copenhagen, and our global semiconductor practice, led by Richard Goddard in London.

Tell us about the cyber practice at MU.

Spagnuolo: I cover the U.S. and Canada cyber markets day-to-day, and I have two partners—Richard Goddard, whom I just mentioned and who is long deep in SaaS globally, and Oyvind Bakken in Oslo, who covers technology broadly—who each allocate time to cyber. This might seem daunting to some but, from a growth standpoint, it presents a significant opportunity for us as a firm. Darcie is steadfast and clear that U.S. growth is a key priority, but it must be done smartly. We will get there. I’m working closely with my partners across sectors to intelligently dialogue with their clients around this operational, financial and national security imperative. We’ve established and enjoy nice synergy and easy collaboration with our exceptional sustainability and SaaS practices. The common thread here is that we aim to help our clients maximize their innovation capacity and capabilities to outperform.

How does sustainability figure in?

Spagnuolo: We know that effective leadership has the biggest impact on results. We also know that leadership is the first barrier to a sustainability transition. The same goes for a cyber resiliency transition. Add to this that sustainability and cyber resiliency will affect businesses in all sectors and industries in the coming years, no matter their size, structure or shape. Both are leadership imperatives! In short, this means that boards and C-suites must have a truly value-driven sustainability and cyber resiliency mindset and a thorough understanding of what these transitions mean to the business and to the organization; they must understand how cyber resiliency and sustainability are interrelated, why it is a necessity to merge sustainability and cyber resiliency with strategy, why the leader is the determining factor, and how to succeed with the transitions and achieve full or near-full buy-in across the organization. Therefore, we need to thoroughly understand each individual leader’s ability to approach and navigate complexity and how they perform as effective self-leaders. Effective value-driven self-leadership is a prerequisite for leading complex transformational processes like a sustainability transition or a cyber resiliency transition, for succeeding in creating followers, and for building a shared vision for change in the organization, throughout the value chain and among strategic partners and stakeholders. At MU, we’ve identified the two essential questions for leaders and the five main capabilities characterizing a sustainable mindset. Not surprisingly, these two questions and five capabilities tie in directly to driving a cyber resiliency culture and mindset.


Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media
