I wrote the original version of this article in September 2015 when I was relatively new to the cyber security world. When I came across it again a few weeks ago I thought it would be an interesting exercise to see how things have played out and changed over the last five years. I would love to get people's perspectives and views.
My thoughts in 2015: Over recent years, mainly due to an ever-increasing level of risk, we have seen the profile of cyber security rise out of the depths of IT, where it was rarely seen or heard of by anyone looking at business risk, to being front and centre in many boardroom discussions around the world. In a 2015 Deloitte study of 100 CFOs from large organisations in North America, 97 percent viewed cyber attack as a serious threat to their organisation, but only 10 percent believed they were well prepared to deal with one.
Now in 2020: It seems that in the last five years this hasn’t changed massively. The EY Center for Board Matters 2020 Global Information Security Survey (GISS) report stated that “around 40% of board members say that cybersecurity is not a regular discussion item on their full board agenda, revealing an opportunity for many boards to strengthen oversight of this existential threat”. To me, given the significant number of high-profile breaches in the last five years, it seems strange that cyber security isn’t a standing item on the risk register and reviewed at every board meeting.
This rise in profile is being driven by growth in the actual risk level and by a shift in thinking inside many organisations: it is no longer a case of 'if' but 'when' they will be attacked. This change in mindset has led to a much more proactive approach to cyber security, and it is paying dividends for those organisations that are willing to spend time identifying, and then appropriately protecting, their business-critical assets.
Now in 2020: In my view this has shifted, but not far enough. I have seen larger, enterprise organisations, especially in Financial Services, move towards a risk-based or automated approach to deal with large volumes of penetration testing. This move is an attempt to free up budget for testing new project work as more systems and applications come online, and to free up budget for more interesting, cyber-defence-type work that improves the security posture of either the whole organisation or specific critical assets.
The pressure driving this mindset shift is coming from various internal and external influencers and is clearly having an impact on the way boardrooms view cyber security.
Media coverage – the obvious, high-profile first pressure point, and one that is currently being pressed very hard. Coverage of Sony, Target, Carphone Warehouse, Ashley Madison and JPMC, to name but a few, and the associated large financial costs of each, are focusing the minds of boardroom execs.
Now in 2020: In my opinion not much has changed here, as we have seen high-profile attacks reported on British Airways, Capital One, Norsk Hydro, TalkTalk and Travelex, to name but a few. If anything, and especially with the events of 2020 so far, news coverage of these and similar incidents has become more normalised and less sensational (in most quarters anyway!).
Insurers – more insurers are adopting the stance of "no action, no cover". Clients that bury their heads in the sand and ignore the cyber threat are very unlikely to be covered in the event of an attack unless they can show a clear programme of proactive cyber security work.
Now in 2020: Over the last five years we have seen insurers take a firmer position on this, reinforced by high-profile cases such as Mondelez, where a property insurance policy with cyber clauses was used to refuse a claim for losses caused by NotPetya. Insurers are increasingly looking for evidence of a systematic cyber security programme that demonstrates continual improvement as a key criterion to satisfy before paying out. It will be interesting to see how this evolves over the coming years and whether evidence of such a programme will be used at the outset of a policy to set premiums.
Regulatory stipulations – these are slow burning at the moment, but there is a gradual move by more and more sector regulators to stipulate more stringent, realistic and focused cyber testing of organisations' critical systems and platforms. Whilst this is currently mostly aimed at the financial sector, it will broaden out to other sectors depending on each country's key economic interests and vulnerabilities. This pressure point will only be pushed harder in sectors of critical national or global interest.
Now in 2020: CBEST has grown and changed to include more organisations and to be more evidence-based, rather than relying on more frequent regulator-imposed testing. Other attempts by industry sectors to follow the Bank of England's lead have been slower to evolve, with TBEST, NBEST, GBEST and others all moving at different speeds. Globally, efforts have been fragmented and mainly focused on the financial services markets, with TIBER being expanded across the EU by the European Central Bank, and the Hong Kong Monetary Authority (HKMA) and the Monetary Authority of Singapore each pushing their own schemes, to give two examples.
Shareholder concerns – shareholders are gradually becoming an extra pressure point. Every investor, whether institutional or private, reads the media coverage of cyber attacks and the associated financial losses, and will increasingly want to ensure that their investments have appropriate and proactive cyber strategies in place. This pressure point will only increase as investors include 'cyber strategy?' as a key question in selecting investments for their portfolio.
Now in 2020: Shareholder concerns around cyber attacks on their investments have increased as the financial impact of attacks, in both direct and indirect cost, has been significant. In my opinion this has not become as strong a factor as I initially thought, as there are so many issues which can impact investment performance, especially in 2020! Institutional and retail investors will differ here, however, and I have seen evidence of a growing number of investment companies spending more of their due diligence budget on assessing cyber security maturity before signing off on a new investment.
Customer pressure – for those organisations that supply critical business services to other large companies, this is becoming an ever-growing criterion for supplier selection. As outsourcing has grown through ITO (IT outsourcing) and into BPO (business process outsourcing), organisations now rely on others to ensure that these often mission-critical business processes and technology platforms are 'always on'. Ensuring there are effective measures in place to safeguard these outsourced processes and technologies from cyber attacks will only continue to grow in significance when selecting suppliers.
Now in 2020: Here the big change I have seen in B2B organisations is the focus on supply chain risk and the programmes that have subsequently been put in place to routinely test and check the cyber security maturity of suppliers of all shapes and sizes. These programmes have mandated things like Cyber Essentials (and Cyber Essentials Plus) as well as ISO 27001 and, in a growing number of cases, evidence of the cyber security controls the supplier has in place. In many cases, particularly in small and medium-sized companies, I am seeing this being driven by client demand.
Internal pressure from IT – due to the increasing involvement and impact of IT in running many large organisations, the voice of IT now carries a lot more weight in senior positions. This voice is being used more and more effectively and appropriately to ensure that the risk of attack is understood, and that the work programmes required to deal with attacks and their consequences (and the associated budget) are clearly understood at the right levels.
Now in 2020: My view here is that the pressure from IT to be more secure hasn't increased; in fact the opposite is true, and there is often a healthy tension between security and IT operations in balancing security with end-user experience and business process. What I have seen here is a move to drive efficiency in IT by using security more effectively. A good example of this is the SDLC and the drive to 'move security left' in the development lifecycle, removing the obstacles that arise when security testing is the last step before code is pushed into production. A number of organisations that I have worked with have implemented this with excellent results, seeing not only a reduction in re-work but also a much closer relationship between the development and security communities, which had previously been strained at best.
Threat intelligence – everyone now seems to have heard some 'threat intelligence' involving a high-end criminal group, or a special military or intelligence agency cell, in some far-away country that is going to be targeting their organisation in some way, shape or form. Threat intelligence, used in the right way, is hugely beneficial, but what is deemed threat intelligence can vary, and overly excitable people can get carried away with back-street whispers. As the threat intelligence market matures and boardrooms see the increasing benefit of good threat intelligence linked to organisational strategy, it will add further pressure around cyber security.
Now in 2020: Threat intelligence feeds seem to have matured significantly over the last five years, but so too, and I think importantly, have the organisations that consume the data. Previously the view I heard repeatedly from organisations was that they had a huge amount of incoming TI but it was almost impossible to pick out actionable information without an army of analysts. That view seems to have changed over time, with the organisations I now talk to being far more able to isolate actionable TI and react to it, with strong processes and playbooks in place linking the TI to their SOC analysts.
There is no doubt that the pressure is growing, and forward-thinking companies are turning this pressure into an advantage by being proactive, reviewing whether the "same old approach" is right, building programmes and executing well. The challenge is now on the organisations that are burying their heads in the sand to accept the pressure and be proactive, rather than wait until a significant attack lands and then deal with the often extensive and expensive fallout.
Now in 2020: As discussed above, changes in some areas have progressed significantly, and in other areas not much development has taken place. What we have seen is that organisations are now much more balanced in their thinking and have moved away from focusing on Prevent to balancing effort and budget across Detect, Respond and Recover as well. The challenges of 2020 have pushed some of what would have been major cyber security stories away from the headlines, but this doesn't mean the impact hasn't been felt, as cyber attacks rose significantly, with ransomware attacks rising 715% in 2020 according to Bitdefender's Mid-Year Threat Landscape Report 2020.
My fundamental takeaway from the last five years is that overall Cyber security has continued to become more prominent at board level in the majority of organisations but this is something that needs to be continually pushed to make sure that it gets the air time it needs as well as the investment.
Ian is a proven commercial leader with over 20 years’ experience covering sales, marketing and delivery across Cyber Security and IT & Document Services, having delivered impressive results in both global corporate organisations as well as in high growth businesses. Ian was Sales Director for UK & US at F-Secure and previously held numerous roles at Xerox. He has a passion for building high performing teams, enabling people to reach their potential and enabling teams to deliver results that surpass expectations. He thrives on being challenged to continually learn, develop and expand his skill sets to better serve his teams, customers and the wider organisation.