Cybersecurity – The biggest threat to the Digital Economy..(1/4)

“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.” – IBM Corp’s Chairman & CEO Ginny Rometty, Nov 2015, NYC

The first blog of this four part series will focus on the cybersecurity challenge across industry verticals while recapping some of the major cyber attacks in the previous years. We will also discuss what responses are being put in place by Corporate Boards. Part two of this series will focus on strategies for enterprises to achieve resilience in the face of these attacks – from a technology stack standpoint. Part three will focus on advances in Big Data Analytics that provide advanced security analytics capabilities. The final post of the series will focus on the steps corporate boards, exec leadership & IT leadership needs to adopt from a governance & strategy standpoint to protect their organizations from this constant onslaught.

The Cybersecurity Challenge – 

This blog has from time to time, noted the ongoing digital transformation across industry verticals. For instance, banking organizations are building digital platforms that aim to engage customers, partners and employees. Banks now recognize that the key to win the customer of the future is to offer seamless experience across billions of endpoints. Healthcare providers want to offer their stakeholders – patients, doctors,nurses, suppliere etc with multiple avenues to access contextual data and services; the IoT (Internet of Things) domain is abuzz with the possibilities of Connected Car technology.

However, the innate challenge across all of the above scenarios is that the surface area of exposure across all of these assets exponentially rises. This rise increases security risks – risk of system compromise, data breach and worse system takeover.

A cursory study of the top data breaches in 2015 reads like a “Who’s Who” of actors in society across Governments, Banks, Retailers, Health providers etc. The world of business now understands that an comprehensive & strategic approach to cybersecurity is now far from being a cursory IT challenge a few years ago to a board level concern.

The top two business cyber-risks are data loss & the concomitant disruption to smooth operations.  The British insurance major Lloyd’s estimates that cyber attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. Vendor and media forecasts put the cybercrime figure as high as $500 billion and more.[1]

The word Cybersecurity was not as highly popular in the popular IT lexicon a few years ago as it is now. Cybersecurity and cybercrime have become not only a nagging but also an existential threat to enterprises across a whole range of verticals – retail, financial services, healthcare and government. The frequency and sophistication of these attacks have also increased in number year after year.

For instance, while the classical cybercriminal of a few years ago would target a Bank or a Retailer or a Healthcare provider but things have evolved nowadays as technology has opened up new markets. As an illustration of the expanding challenge around security – there are now threats emerging around automobiles i.e protecting cars from being taken over by cyber attackers. Is this borne out by industry research? Yes..

ABI Research forecasted that by 2020, we will have more than 20 million connected & inter communicating cars & other automobiles with Internet of Anything (IoAT) data flow capabilities[3]. The key concern is not just about securing the endpoints (the cars) themselves but the fact that the data flows into a corporate datacenter where is harnessed for business uses such as preventative maintenance, assisting in new product development, manufacturing optimization and even with recall avoidance etc. The impact and risk of the threat then become magnified as they both extend across the value chain along with data & information flows.

                                          Illustration: Largest Hacks of 2014 (source – [2])

The biggest cyberattacks of recent times include some of the below –

• Home Depot – 109 million user records stolen
• JP Morgan Chase – 83 million user records compromised
• Sony Pictures Entertainment – 47k records stolen with significant loss of intellectual property

Cybersecurity – A Board level concern – 

The world of business is now driven by complex software & information technology. IT is now enterprise destiny. Given all of this complexity across global operating zones, perhaps no other business issue has the potential to result in massive customer drain, revenue losses, reputational risks & lawsuits from affected parties as do breaches in Cybersecurity. A major breach in security is a quick gamechanger and has the potential to put one in defensive mode for years.

Thus, Corporate Boards which have been long insulated from technology decisions now want to understand from their officers how they’re overseeing, and mitigating cyber security. Putting into place an exemplary program that can govern across a vast & quickly evolving cybersecurity threat landscape is a vital board level responsibility. The other important point to note is the interconnected nature of these business ecosystems implies the need for external collaboration as well as a dedicated executive to serve as a Cyber czar.

Enter the formal role of the CISO (Chief Information Security Officer)….

The CISO typically heads an independent technology and business function with a dedicated budget & resources. Her or his mandate extends from physical security (equipment lockdown, fob based access control etc_ to setting architectural security standards for business applications as well as reviewing business processes. One of the CISO’s main goals is standardize the internal taxonomy of cyber risk and to provide a framework for quantifying these risks across a global organization.

Cyber Threat is magnified in the Digital Age – 

As IBM’s CEO states above – “Data is the phenomenon of our time.”  Enterprise business is built around data assets and data is the critical prong of any digital initiative. For instance, Digital Banking platforms & Retail applications are evolving to collections of data based ecosystems. These  need to natively support loose federations of partner applications, regulatory applications which are API based & Cloud native. These applications are majorly microservice architecture based & need to support mobile clients from the get go. Owing to their very nature in that they support massive amounts of users & based on their business priority, these tend to take a higher priority in the overall security equation .

It must naturally follow that more and more information assets are at danger of being targeted by extremely well funded and sophisticated adversaries ranging from criminals to cyber thieves to hacktivists.

                       Illustration – Enterprise Cybersecurity Vectors

How are Enterprises responding? – 

The PwC Global State of Information Security Survey (GSISS) for 2015 has the following key findings [4]. These are important as we will use expand on some of these themes in the following posts –

• An increased adoption in risk based security frameworks. E.g ISO 27001, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and SANS Critical Controls. These frameworks offer a common vocabulary, a set of guidelines that enable enterprises to  identify and prioritize threats, quickly detect and mitigate risks and understand security gaps.

• Increased adoption of cloud based security platforms. Cloud Computing has emerged as an advanced method of deploying data protection, network security and identity & access management capabilities. These enable enterprises to improve threat intelligence gathering & modeling thus augmenting their ability to block attacks as well as to accelerate incident responses.
• The rapid rise and adoption of Big Data analytics –  The drive to a data driven approach can help organizations shift their focus away from pure perimeter based defense to ensuring that realtime data streams can be analyzed as well as combined with historical data to drive security analytics. A data-driven approach can shift enterprises away from a predominantly perimeter-based defence strategy and enable enterprises to put real-time information to use in ways that can help predict cybersecurity incidents. Data-driven cybersecurity allows companies to better understand anomalous network activity and more quickly identify and respond to cybersecurity incidents. Big Data is being combined with existing security information and event management (SIEM) technologies to generate holistic views of network activity. Other usecases include the use of data analytics for insider threat surveillance.

• A huge increase in external collaboration on cybersecurity working with industry peers as well as law enforcement, government agencies as well as Information Sharing and Analysis Centers (ISACs).
• The emergence of Cyber insurance as one of the fastest growing sectors in the insurance market, according to  PwC [3].Cybersecurity insurance is designed to mitigate business losses that could occur from a variety of cyber incidents, including data breaches. This form of insurance should be factored into more and more Enterprise Risk Management programs.

Thus far, Enterprises are clearing waking to the threat and spending big dollars on cybersecurity. According to Gartner, worldwide spending on information security in 2015 reached $75 billion, an increase of 4.7% over 2014[1]. However it needs to be noted that Cybersecurity compliance comes at a huge cost both in terms of manpower as well as the amount of time needed to certify projects as being compliant with a set of standards – both of which lead to delays in time and a rise in costs.

All said, the advantage remains with the attackers – 

The key issue here is that the attackers need to succeed only once as compared to the defenders. Important factors like technology sophistication,the number of attack vectors ensure that the surface area of exposure as well remains high. This ensures that the advantage lies with the cyber attacker and will do so for the foreseeable future.

Summary – 

Given all of the above, the five important questions Corporate leaders, CXO’s & industry practitioners need to ask of themselves  –

1. First and foremost, can an efficient security infrastructure not only be a defensive strategy but also a defining source of competitive advantage ?
2. The ideal organizational structure and processes that need to be put in place to ensure continued digital resilience in the face of concerted & sophisticated attacks
3. Can the above (#2) be navigated without hindering the pace of innovation? How do we balance both?
4. Given that most cyber breaches are long running in nature – where systems are slowly compromised over months. How does one leverage Cloud Computing, Big Data and Predictive Modeling to rewire applications with any security flaws?
5. Most importantly, how can applications implement security in a manner that they constantly adapt and learn? How can the CISO’s team influence infrastructure, application & data development standards & processes? 

The next post will examine the answers to some of these questions but from a technology standpoint.

References:

1. Cybersecurity ventures – “The Cybersecurity market report Q1 2016”
2. Gemalto “Cybersecurity Breach Level Index for 2014”
3. Forbes Magazine – “Cybersecurity Market Expected to Reach 75 billion by 2015” – Steve Morgan
4. PwC Global State of Information Security Survey 2016 (GSIS)