As we ring in 2020, I reflect on the Cyber Security Forum event I attended in Dallas last summer. It was a collaboration between the Security Industry Association (SIA), the Physical Security Alliance (PSA) and Reed Exhibitions, and it addressed the convergence between the physical security and cybersecurity industries.
One example of this security integration requirement is the rapid expansion of remote endpoint devices deployed over IP networks, occurring simultaneously with the introduction of 5G networks that provide various performance improvements. This can be viewed as a “perfect storm” for criminal hackers and nation-state adversaries.
During the show, the news cycle included the Capital One cyber attack, where 100 million customer accounts were breached, and the unprecedented news of the Governor of Louisiana declaring a cyber state of emergency due to continuous ransomware attacks aimed at the state’s educational institutions. The city of New Orleans also declared a cyber state of emergency to end 2019, due to a sophisticated malware breach. It appears that the State of Louisiana is the proverbial “cyber canary in the coal mine” as we enter 2020.
The unshakeable fact is that our personal and business lives have been forever transformed to the digital age. This digital transformation has significantly and forever redefined business risk. This not only integrates the “go-to-market” strategies of traditional firms offering physical security products, IT integrations and cyber solutions, but it also creates entirely new business opportunities that demand responsive business models. Physical security and IT integrators, along with MSPs/MSSPs, are evolving from reactive to proactive managed services organizations. They have no choice in an environment where digital threats are constantly attacking networked devices, infrastructure, supply chains and perhaps most importantly, employees. The frequency and direction of automated cyberattacks from sophisticated adversaries is absolutely mind-boggling.
The future of cyber defense involves Artificial Intelligence (AI) and Machine Learning (ML), but we are years away from cybersecurity nirvana. After all, it takes a machine to fight a machine, given the sheer volumes of attacks impacting networks and devices every day. It is beyond the ability of humans to respond in a timely and accurate manner to these threats. Big data assists in behavioral and network anomaly detection, but these technologies are not yet reaching their full potential.
So, security executives are faced with the reality that sophisticated attackers are advancing, the industry does not have enough qualified cyber expertise to hire for offensive/defensive operations, ML and AI solutions are not yet fully mature and everything connected across the digital environment is at risk – including devices like conferencing systems, copiers and fax machines that may be considered an afterthought. Add to that the fact that untrained employees inadvertently fall for phishing attacks, while others are hired who intend to deliberately steal information (insider threats). Considering these issues: is it any wonder the average tenure of a CISO in the Fortune 2000 is only 18 months?
Insurance is another major industry facing fundamental changes resulting from these continuous and devastating cyberattacks. Today, cyber insurance represents one of the fastest-growing segments this industry has ever experienced. According to a Market Study Report, over the next five years the cyber insurance market will register a 33.8-percent CAGR in terms of revenue. The insurance industry’s aggressive move into cybersecurity reflects changing business risk models, but how does that shift impact corporate leadership in general? This question can be addressed by reviewing the composition of corporate Boards of Directors and privately-owned companies. According to the National Association of Corporate Directors (NACD), the average age of board members in the S&P 500 is 62, with 20 percent of members over the age of 70. No doubt they are highly successful business people, but they are not exactly “digital citizens.” Gartner Group reports that 24 percent of corporate boards are taking an active role, along with the CIO, in addressing cyber responsibilities. That’s an improvement, but it leaves 76 percent who are not.
The fact is that this threat is critical, and the security executive needs to be elevated into senior leadership to educate senior management, ownership and boards. As a data point, in 2019 cybercrime will cost businesses more than $2 trillion – a four-fold increase from 2015 (Juniper Research). This represents a major organizational issue that firms of all sizes, including SMB and mid-enterprise (the most attacked industry segments), must address. “Only five percent of Top Global 100 companies list a CISO on their executive leadership page,” according to KrebsOnSecurity. If our security executives are to be held accountable, they need to be on the executive staff and in front of the board/company ownership.
Business has placed a premium upon a new cyber knowledge base outside of traditional skill sets. Natural disasters, labor issues and political dynamics aside, digital risk is now the trump card that can destroy your business. Existing Boards of Directors are racing to recruit cyber knowledgeable members. The cybersecurity market and concept of digital risk is new to board members, as well as legal teams. One of the trends occurring across corporations and businesses is the direct involvement of the legal team in cybersecurity issues and vendor engagements. Corporate reputations, stock valuation and customer privacy issues all require legal involvement and ongoing activities.
Increased regulation such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA), going into effect this year, will keep legal teams active, not to mention class action lawsuits from disgruntled customers who experience breaches of their personal data. Now a security executive (CISO/CSO) must educate board members and business owners on the new digital risk, become a subject matter expert on cyber insurance and understand the legal aspects of a post-breach investigation and public relations, which involves marketing communications and press releases. It is a new job for the security executive, and it is continuously changing.
Given all of the above, what are the top challenges that you, as a security executive, will likely face in 2020?
A Ponemon Institute survey of CIO and IT security executives found an interesting trend. For the first time in the survey’s history, the top concern was the talent gap: a lack of competent full-time, in-house staff. Unfortunately, with more than one million cybersecurity positions open today, and growing to more than two million in the next several years, this problem is not getting any better. Fingers crossed for ML and AI advances.
Here is the breakdown of major concerns:
- Lack of competent in-house staff - 70 percent
- Data breach - 67 percent
- Cyberattack - 59 percent
- Inability to reduce employee negligence - 54 percent
- Ransomware - 48 percent
- IoT devices - 60 percent
- Mobile devices - 54 percent
- Cloud technologies - 50 percent
A Gartner 2019 CIO report and additional sources cite similar concerns:
- Attack frequency – DDoS attacks increased 40 percent year over year in 2018, at an average cost of $2 million per attack
- Increasing deployment of IoT devices
- Human error (some studies state 90 percent of compromises result from phishing attacks)
- Cloud security
- Response and remediation
I find this last category to be the most interesting, as it ties directly to the lack of competent cyber staff. In today’s digital world, one must “assume the breach.” There is no perimeter security when mobile devices and sensors are everywhere among us. Automated and continuous threat hunting is required, along with a plan to respond when the inevitable occurs. Non-traditional vendors are filling this critical void, offering cyber protections and outsourced human talent to their customers through strategic partnerships.
This can be a winning formula for traditional security integrators to introduce cyber managed services to their SMB and mid-tier customers, while reducing selling time for their cyber partners. Cyber adversaries are focused on targets with little or no cyber resources. The cybercrime problem is accelerating at network speed, and it looks to become much worse over the next few years before it gets any better.
The one-two punch that you, as a security executive, face today regarding cybersecurity (digital) risk is the increasing pace of attacks and the lack of cyber talent to assist in countering threats and better protecting your enterprise. Given the criticality of the digital threat and the education required to involve Board members, owners and lawyers, enterprise security executives must be executive staff participants. The alignment (integration) of physical security, IT infrastructure and cyber must be initiated and managed through new reporting structures and a security culture built on a proactive and holistic security model.
Today’s enterprise security executive must be a thought leader who integrates physical security solutions across IT infrastructures with cyber protections. You must be a change agent who implements a security culture and cyber mindset across the organization. Today’s security executive also needs to be a senior staff position with a seat on the Board. It’s that critical.