For this Present Value post, members of ESI’s thought leadership team sit down with the experts behind Driving Cybersecurity Performance to examine the state of cybersecurity practices and the growing trends impacting the industry.
Driving Cybersecurity Performance is the latest multi-client study from ESI ThoughtLab. The study will include an in-depth global survey of CISOs in companies spanning the Americas, Europe, and Asia Pacific and represent firms of varying sizes, from $50 million to over $50 billion in revenue. Full findings will be publicly available in the Spring of 2020. For more information, please visit our project microsite.
In your opinion, what are some of the most challenging cybersecurity issues organizations currently face?
Perry Carpenter, Chief Evangelist, KnowBe4: I think the biggest cybersecurity issue most organizations currently face is not a technology issue, but rather one of mindset. Many organizations simply don’t know where to start or what to tackle next. And so, such organizations easily get caught in a cycle of reactiveness; simply being led around by the latest threat-of-the-day, tech-of-the-day, or breach-of-the-day. That approach leads to confusion, inefficiency, or apathy.
Chris Scanlan, President, Americas Sales, Check Point Software Technologies: Within cloud computing, having many services, platforms, technologies and tools to deploy applications in the cloud can burden security teams. This ‘operational sprawl’ adds to security complexity, and slows down processes. Within the multi-cloud environment, the management burden is compounded by incompatibility issues that arise as users move between clouds.
Mike Convertino, CSO, Arceo.ai: In every company where I have served as the CISO the biggest problem – somewhat ironically – is prioritizing and focusing on work that protects the most important elements of the business. There are so many competing demands from new regulations such as the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR), mergers and acquisitions, business process initiatives, etc., that it is easy to lose sight of what it takes to create a security program specific to the most sensitive parts of your business.
Jamie Singer, Senior Vice President, Crisis & Risk Management, US Data Security & Privacy, Edelman: Ransomware can be debilitating to an organization not only in its ability to communicate to external stakeholders, but also how to communicate and function internally. Organizations suffering ransomware attacks must balance the desire to meet stakeholder expectations of transparent and frequent communications, while acknowledging the fluidity and length of forensic investigations and restoration processes.
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: Third-party risk management is another area that is a tough problem to solve. The current practice of sending customized questionnaires to partners is not sustainable. Do you give your doctor a list of questions to test their medical acumen or ask your legal counsel to write an essay on their knowledge of case law, or accept their degree, license and other credentials? Somehow, the industry must find a way to standardize and stop making extra work for already overloaded security personnel, especially when it does very little to move the needle on reducing risk.
What industries need to be most proactive in improving their cybersecurity tactics?
Jack Kudale, Founder and CEO, Cowbell Cyber: No organization is immune to cyberattacks. Industries, like healthcare, retail, or financial services, have been systematically targeted because they process sensitive data that have monetary value on the dark web.
Mike Convertino, CSO, Arceo.ai: Medium-sized businesses are in the unique position of understanding that they have significant exposure to cyber risk, but often don’t have the resources to properly address it. Certainly state and local governments have a difficult job. They have so few resources available to protect systems that not only serve the public, but also contain citizens’ personal data, and so they are juicy targets for identity thieves. Utility, critical infrastructure, and logistics companies have an out-sized impact on all of us, given that they keep the lights on and goods moving.
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: I think the educational industry needs to fundamentally improve, but not in the traditional sense. They need to make cybersecurity education a priority in primary and secondary education curriculums. In 2020, colleges and universities are still graduating thousands of engineers and programmers who are not required to pass a single cybersecurity course before joining the workforce. It's no wonder the OWASP Top 10 hasn't really changed in a decade.
Chris Scanlan, President, Americas Sales, Check Point Software Technologies: Government institutions, both large and small, have struggled for years to keep pace with malicious hackers and insider threats. Cybercrime is becoming innovative and ruthless, and therefore government agencies and federal institutions need to look beyond traditional methods to prevent cyber espionage and ensure the protection of sensitive data and critical infrastructure.
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: Today’s threat actors have evolved from thrill seekers to well-funded cyber criminals, competitors and nation states that have huge investments and various agendas to “hack” into a company’s system and cause business disruption, brand damage and financial losses to the company.
With an upcoming US presidential election, cybersecurity is top of mind for the federal government. In general, how should local, state, and federal governments address cybersecurity?
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: Legislation needs to catch up to technology. The US lacks a national law that sets data security standards. There are no security statutes to set minimum data security requirements. Each state has its own unique data breach notification law. Spirited dialogue around the legal, moral, and ethical issues related to the future of autonomous machines and humanity augmented with cyber technology needs to be happening now.
Mike Convertino, CSO, Arceo.ai: Undermining the integrity of our elections is what our nation-state competitors want to do in order to shake the public’s faith in our democratic processes and by extension, our faith in our country. We can’t permit that. Tearing down the barriers between local, state and the federal government by passing laws and regulations which mandate both contributions and coordination between levels of government has to be strengthened and changed to a legal duty to cooperate. But let’s not forget that most of the infrastructure and technology created and operated to support elections is provided by the commercial sector. That’s where large, online technology companies in the news and media sectors in particular can help.
Perry Carpenter, Chief Evangelist, KnowBe4: As we recently learned with the application issues that occurred during the DNC Iowa caucus, having alternate means to reliably verify the results will be necessary for the foreseeable future. We live in an age where various groups seek to exploit any form of technology-based system to manipulate public opinion and weaponize politics. The stakes are high.
Chris Scanlan, President, Americas Sales, Check Point Software Technologies: The notion that an election, or your voting records, can be hacked is a very disturbing one. There are, however, several protections candidates ought to use to stay protected and defend the democratic process. Their prevention strategy should include using advanced sandboxing capabilities, which can detect and prevent incoming malware; solutions capable of sanitizing content before it reaches users; and real-time blocking of Command & Control communications. Since political campaigns face a wide array of attacks, a comprehensive, multi-layered security strategy should be implemented to safeguard them against the full array of known and unknown threats.
How are organizations defending against cybersecurity threats?
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: A knowledgeable CISO (or equivalent security officer) is looking at the assets of the company and the threats to those assets and is taking steps to address these threats. They are investing resources in people, process and technology in various areas such as protecting the corporate environment, network, cloud, endpoint, infrastructure, application, systems and employee training to protect their organizations from a myriad of ever-evolving cybersecurity threats.
Mike Convertino, CSO, Arceo.ai: The teams that I've worked with are doing what they always have: hiring and supporting the best talent their budget can afford, building consistency in operations through automation and well-vetted processes and measurements and, finally, tracking threats and innovating on technologies in response. The balance between the fundamentals of People, Process and Technology continues to be the hallmark of highly successful and resilient cybersecurity programs.
Perry Carpenter, Chief Evangelist, KnowBe4: Most organizations understand that a multilayered, multipronged defense is essential. Relying on any single strategy, vendor, or technology is just too risky. That’s one of the reasons that frameworks like NIST’s “Identify, Protect, Detect, Respond, Recover,” prove valuable. They give organizations a way of wrapping their minds around the dimensions of the problem, breaking it up into smaller components, and then tackling each of them appropriately.
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: Based on the unending news about breaches, not very well. On the plus side, seeing more adoption of automation and orchestration. In the past, security teams were so afraid of disrupting some aspect of the business or causing even a minor inconvenience to the end-user experience that issues would go unresolved or new solutions would be ignored. Now filtering rules are automatically updated in real-time, based on machine analysis of incoming phishing emails, rather than waiting for a change request to be reviewed and the next change review board meeting.
Are there any regional trends in cybersecurity practices that you have noticed?
Chris Scanlan, President, Americas Sales, Check Point Software Technologies: The CCPA, enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply. The Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: We have seen people getting really worried about privacy and how their data is being sold and used. Governments are listening, and that was one of the major reasons the European Union came up with GDPR in 2018. Many US states are also listening and establishing more stringent privacy laws to protect their citizens' data and privacy. The onus is on organizations to comply with these laws or be fined millions of dollars and lose their reputation.
Perry Carpenter, Chief Evangelist, KnowBe4: KnowBe4 recently conducted a study about the state of cybersecurity in Africa. Drawn from over 800 respondents across 8 countries in Africa (South Africa, Kenya, Nigeria, Ghana, Egypt, Morocco, Mauritius and Botswana), the results are both fascinating and important. The survey revealed the pressing need to educate Africans about the different cyberattacks. The key findings of the report are as follows:
- 53% of Africans surveyed think that trusting emails from people they know is good enough.
- 64% didn’t know what ransomware is. Yet, they believe they can easily identify a security threat.
- 28% have fallen for a phishing email and 50% have had a malware infection.
- 52% don’t know what multi-factor authentication is.
The results proved that respondents' confidence was based on the little they knew about cyberattacks, and that is where the problem lies. Africans are not prepared for these threats, making them increasingly easy prey for cyber-criminals.
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: Look no further than the new CCPA and its impact on state residents. I recognize that many companies outside of California will need to comply but the impact on small, local “mom and pop” businesses can be substantial relative to similar companies in states less regulated with laws that heavily favor businesses.
How are organizations equipping their staff to better understand/handle cybersecurity issues?
Jamie Singer, Senior Vice President, Crisis & Risk Management, US Data Security & Privacy, Edelman: As many data security and privacy issues stem from employee negligence – a lost laptop, a stolen flash drive – organizations must continue to focus on educating internal stakeholders on cybersecurity threats. We’re seeing increased focus on employee training/engagement programs on cybersecurity awareness, from large-scale training modules to frequent phishing security tests.
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: One game changer has been the gradual shift in attitude toward cyber incidents. No longer are they automatically career-ending events with the CISO taking the blame. Allowing for bad cyber events to occur, just like in the physical world, has freed security personnel from defaulting to always answering no to aligning with the risk appetite of the company.
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: Cybersecurity is a broad area. Everyone cannot know everything cyber. Also, cyber is a global organizational issue. Organizations are realizing this, and more mature organizations are embedding cyber as part of everyone's daily job. Organizations are realizing that cyber cannot be an afterthought, so they are trying to "bake cyber in" from the get-go using the principle of "trust-by-design".
Chris Scanlan, President, Americas Sales, Check Point Software Technologies: Incorporate phishing simulation into your employee training programs to ensure that users can identify and avoid these cyber attacks. Even your most tech-savvy people can fall prey to a well-architected phishing exploit. Social engineering scams have become so sophisticated that criminals are using artificial intelligence to fake the voice of executives and demand payment from subordinates. Phishing detection systems can help pick up subtle cues and block e-mail threats.
Mike Convertino, CSO, Arceo.ai: Aside from properly resourcing the security team, organizations are increasingly training their employees on how to spot threats themselves through anti-phishing training and threat briefings. Key personnel and C-suite staff are now often pulled into table-top simulated attack scenarios to understand what is happening to the company during an attack and how they can help.
What is the first step to becoming more cyber secure?
Mike Convertino, CSO, Arceo.ai: Without a doubt, understanding what processes power your organization's operations at a base level and what information systems support those processes is a critical first action. For a company, that's whatever processes and systems produce major revenue streams.
Jack Kudale, Founder and CEO, Cowbell Cyber: Organizations also need visibility and understanding of threats and risk exposures for their class of business and their own business. Potential risk severity and probability along with financial impact is what should dictate how budget and resources are allocated, including budget for risk transfer and cyber insurance.
Perry Carpenter, Chief Evangelist, KnowBe4: The first step is taking a sober look at where you are. It can be very instructive to go back to first principles and begin asking some very basic questions about your program. Questions as simple as:
- What are our most critical systems?
- Where are we storing PII?
- Do we have confidence in the security of third parties that we share data with?
- Do we have a solid understanding of the “supply chain” of data that we ingest and that we may share?
- Do we have a firm understanding of the roles within our organization?
- Do our people actually know what they think they know and behave consistently with how they believe they behave?
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: Many times, organizations tend to ignore people as a cybersecurity risk. People can be the weakest link to any cybersecurity program. So, cybersecurity controls need to focus not just on technology but also people, process and structure.
What are the biggest trends you see taking shape within the cybersecurity industry that will have major impacts in the next 3 – 5 years?
Perry Carpenter, Chief Evangelist, KnowBe4: On the threat side, we see some interesting and scary trends with how ransomware is evolving. Ransomware is no longer just about encrypting data, it is now regularly stealing data, stealing credentials, threatening a victim’s employees and customers, and publicly telling the whole world. If the victim doesn’t pay the ransom, attackers threaten to release the stolen data and credentials publicly, and other hackers can use it to hack the employees and customers. Not to mention the victim’s competitors get to see all that private data. Ransomware gangs aren’t just taking the organization’s passwords, but every logon they can steal including the employee’s personal credentials to anything they logon to while at work. They are promising to inflict maximum damage.
Jamie Singer, Senior Vice President, Crisis & Risk Management, US Data Security & Privacy, Edelman: Consumers increasingly expect organizations to be accountable for the data they collect, share and use. Organizations will be challenged to ensure their data privacy policies align with the regulatory/legal demands under GDPR and the CCPA, while also meeting stakeholder expectations for clear and transparent communications.
Mike Convertino, CSO, Arceo.ai: We continue to see the increased “democratization” of cyberattacks with access to more advanced hacking tools for purchase on the open market. These tools now rival the capabilities of nation-states which will make for much more hostile cyber threat “weather” patterns. Along with this will be the counterpose of an explosive growth in the commercial cyber intelligence product industry. There will be further acceleration of outsourcing of security capabilities to Software as a Service (SaaS) technical capabilities and Managed Security Service Providers (MSSPs) because of the tight cybersecurity talent market and the economies of scale of centralization.
Jack Kudale, Founder and CEO, Cowbell Cyber: The focus in the cybersecurity industry is shifting from prevention and detection to cyber risk assessment. Traditionally viewed as a very technical domain, everything cyber is becoming a business discussion. The benefits of moving aggressively towards digital operations will be re-balanced with the imperative to understand threats and risk exposures associated with operating online. In the next 3-5 years, the process of quantifying cyber risks in terms of financial impact will become systematically integrated with the pursuit of digital initiatives.
Chris Scanlan, President, Americas Sales, Check Point Software Technologies: Artificial intelligence (AI) technology has come of age in elevating cybersecurity. In 2018, global development of AI within the cybersecurity market reached $7.1 billion, and it’s projected to reach nearly $30.9 billion by 2025. However, AI technology is available to all who want or need it, including hackers. AI can be used to automate cyberattacks and hack a system’s vulnerability even faster than it’s done today. AI might be used to disguise attacks so that you do not know that your network or device has been exploited. Cyberattacks are an ugly reality for organizations around the globe, and the threats are growing more challenging. The emergence of AI technology that integrates into your cyber security is an important
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: Privacy will consume a much larger portion of the security activities and budget. We all realize that privacy is not just a Legal or HR issue. Advances in hardware and software technology are fueling a data collection and retention explosion. As data analytics becomes common practice across all facets of a company’s operating rhythm, protecting the confidentiality and integrity of the raw information and trending reports will expand beyond the current PII elements.
Cybersecurity frameworks, like NIST’s, typically include five dimensions: identify, protect, detect, respond, and recover. How are organizations shifting their focus across these areas? Which dimensions are most important for 2020? Why?
Chris Scanlan, President, Americas Sales, Check Point Software Technologies: You cannot secure what you cannot see. The fast scale of cloud, log data, and the elastic and dynamic nature of cloud make it extraordinarily difficult for your security teams to see and understand what's going on. Seeing what's happening in your cloud reduces rates of incidents and shortens incident response time. The importance of clear visibility into data analytics cannot be overstated. Enhanced visibility translates to better monitoring and compliance, and better overall business outcomes.
Jack Kudale, Founder and CEO, Cowbell Cyber: As organizations get comfortable with cyber insurance, and insurers offer tailored coverage that truly meets the needs of businesses, the concept of risk transfer through insurance will become mainstream.
Jamie Singer, Senior Vice President, Crisis & Risk Management, US Data Security & Privacy, Edelman: Given the potential for long-term reputational fallout stemming from major cyber events, organizations in 2020 must continue to focus on sharpening their internal and external communications responses to these issues. Companies that fumble the tone and execution of the communications response may face longer news cycles, stock impacts, scrutiny from local and federal elected officials, class-action litigation and eroded stakeholder trust.
Perry Carpenter, Chief Evangelist, KnowBe4: In many ways, we need to wake up to the fact that there is no such thing as a system that is one-hundred percent secure. And an attacker only needs to find one vulnerability in order to make an organization have a very bad day. That means that NIST's "respond" and "recover" elements are critical for organizations who wish to survive and thrive in our current and evolving cyber-reality.
Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security, Optiv: As breaches become unavoidable and more common, people will judge you based on how well you responded to the incident. They are looking for transparency, speed, and accuracy. The most important dimension depends on the maturity coverage of the given company. That’s why it is important to measure your cybersecurity program against the framework to uncover gaps and areas of weakness that should be explored to determine if you need to take corrective action.
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: CISOs have realized that security is best done upfront. So, they are focusing their attention on identifying and protecting. Detection is now mostly done using automated tools such as SIEM and cloud and other proprietary products. Nevertheless, detection, response and resilient recovery remain a critical part of any successful cyber security program.