August 31, 2016
What do US-based vendors such as Cloudpath, Forescout or Pindrop mean to you? Have you heard of French tech ventures such as BlueFiles or Yogosha? Have you tested, or even bought, their solutions?
A bunch of cybersecurity vendors (source: Momentum Partners Q1 2016)
According to Dow Jones VentureSource, a database that reports on companies worldwide that receive venture capital and private equity funding, a dozen cybersecurity startups have each raised $100 million or more in funding since 2014.
The worldwide cybersecurity market (solutions and services) is in “perpetual” growth. In 2004 it was around $3.5 billion and, according to analysts, it is expected to grow from $75 billion in 2015 to $170 billion by 2020. Its CAGR (compound annual growth rate) is estimated at 7.8% for 2019, and it will represent around 5% of overall IT expenditure. The cybersecurity market remains difficult for analysts to forecast because of the growing and unpredictable nature of cybercrime.
Specialists anticipate that hundreds of billions will be spent over the next five years on securing workstations, smartphones and IoT devices, corporate networks, and the cloud. Indeed, the cybersecurity market is naturally extending its scope and size because of the digitalization of the value chain in many verticals and the growing adoption of cloud, OT and the Internet of Things, which will inevitably give rise to new cybersecurity ventures.
Because they need to keep up with changing cyber threats and regulatory compliance requirements, chief information officers (CIOs) and chief information security officers (CISOs) are actively scanning the tech market for solutions that meet their expectations. However, because cybersecurity budgets are often insufficient, and attracting and retaining cybersecurity specialists is still a challenge, few CIOs and CISOs have the means to ensure an appropriate level of security and compliance. Moreover, corporations will also have to demonstrate the ability to achieve results within budgetary constraints, and the strategic insight necessary to help grow the business. Thus, CIOs and CISOs will increasingly have to excel in innovation, technology, stewardship, and operational efficiency.
Therefore, enterprises consider cybersecurity startups because their products meet or exceed the features offered by brand-name companies, often at a lower cost than their competitors.
However, the same major objections are often raised: the startup could suddenly go out of business or be acquired by another company, or its brand is not big enough to justify the purchase.
Like a personal investor, CIOs and CISOs shall continuously and carefully watch the market and its most attractive segments, in light of their cybersecurity strategy, to capture new “opportunities”. Then, once they have identified a few promising stars, they need to gather and document intelligence about the company itself, its business model and its offerings, through research and interviews directly with the founders. In parallel, they also need to set up a live pilot (not a gadget POC) for a short period (two months at most) on a very representative scope. If the pilot is too long or not relevant, it will not speak to the business and, by failing to show value, will undermine the innovation effort.
The following key questions will help surface doubts:
- Who are the founders of the startup? Are they seasoned experts in the industry? Keep in mind that being an expert does not necessarily mean someone can run a company. Tech, operations, sales and marketing skills and experience must be balanced across the founding team.
- How long has the startup been in business? What was the company’s revenue last year?
- How is the startup funded? What is the ratio of R&D investment? What are the next big investments? Try to analyze the shareholders and understand the founders’ agenda (for instance, do they aim to sell their venture soon to a large vendor?).
- Regarding the company, who manages its operations? How is it structured? How many employees does it have? Where is it located?
- What is the Unique Value Proposition? What are the targeted customer segments? What are the tech partnerships? Does the startup provide products the enterprise needs that are comparable to or better than those of better-known competitors? How can the solution be incorporated into the overall cybersecurity strategy?
- What are their main references? A list of clients is worth reviewing, and the clients are worth interviewing once an NDA has been signed. This question concerns the product satisfaction of current customers, whether the cost is commensurate with the value of the product, and whether, if they had to do it all over again, they would still choose this startup.
- Are the company and its founders trustworthy? Has the company been independently assessed by a third party, and obtained a market-trusted certification or a qualified label delivered by national or federal information security agencies (e.g. Common Criteria, qualifications from the ANSSI in France, the BSI in Germany, FedRAMP in the US…)?
The purpose of this analysis is to better understand the startup, to assess business risks, and to start building the necessary confidence between the buyer and the startup. Whatever the results of the assessment, on the customer side, it’s a question of common vision with the founders, of trust, of taking risks and commitment.
For that, the tech vendor startup shall be considered as a real business partner, and not only as one supplier on a long list, and be part of the vendor risk management process. However, not all startups can land on this list. Feedback from CIOs and CISOs will be valuable for the startup to test and enhance its product from a tech and marketing perspective.
In a true business partnership, CIOs and CISOs will provide support to co-design new features, or even a new product, according to their business requirements.
The partnership shall be managed very professionally, in project mode, in order to succeed and avoid boiling the ocean. For instance, if the value is not fully perceived across the organization, whatever the reasons, or poor delivery is slowing adoption, the CIOs and CISOs must be firm and stop the partnership immediately. For that, strict criteria and common objectives must have been shared when starting the business relationship.
Large private and public corporations need startups to innovate and win the cybersecurity battle, and startups need large corporations to grow and survive. With startups, corporations will be able to use innovative solutions while protecting against advanced threats targeting their business environments.
July 13, 2016
Cybersecurity is still broadly perceived as an IT discipline, built around technical solutions and projects – you only have to open any industry magazine or publication to see it, or go to any professional event.
Many organisations claim to spend in excess of 3% of their total IT spend on cybersecurity, but in spite of the amounts invested over the years – 79% have not yet achieved an acceptable level of cybersecurity maturity (“Risk and Responsibility in a Hyper-connected World” – World Economic Forum, January 2014). These results are also echoed by the RSA Cyber Poverty Index published in June 2015.
Indeed, corporations shall be able to understand the human challenges of cybersecurity at different levels, on both the attackers’ side and the defenders’ side (at this stage, we will explore the perspectives of employees, IT developers and executives), so that cybersecurity can move beyond IT and become a sustainable business enabler.
The attackers’ side
Most corporations are not really interested in identifying threat sources (governmental agencies, rogue employees, criminal organizations…); they remain focused on the technical threat itself (malware, worms, spear phishing, SQL injection…).
Corporations shall understand the psychology, the methods and the cybercrime organizations behind cyber attacks. Like cybercriminals, they need to innovate and cooperate as a team across the corporation and with other organizations.
A new study of chief information security officers (CISOs), conducted by A.T. Kearney and Mannheim Business School, shows that leading organizations use psychological analyses to understand the motivations for such attacks so they can prevent and thwart future breaches.
Threat intelligence will become critical. Threat intelligence can be described as the process of moving topics from “unknown unknowns” to “known unknowns” by discovering the existence of threats, and then shifting “known unknowns” to “known knowns”, where the threat is well understood and mitigated.
Moreover, having accurate and timely information on emerging threats and vulnerabilities through such threat intelligence capabilities will allow corporations to enrich their early detection capability and their vision of “known unknowns”, and to quickly prioritize and begin their remediation and threat prevention and protection efforts.
The defenders’ side
The old adage “the weakest link remains the employees” is still there.
Whatever the flavor of the cyber attack, its origin is a “wrong” click by the end user. Thus, IT security vendors and insurance carriers are seeking to predict the probability of employee mistakes in order to enhance technical and financial risk guarantees.
Organizations shall engage ALL their employees in the fight against breaches. Bear in mind that cybersecurity awareness is only a means; the ultimate goal is to “change” employees’ behaviors so that they can respond in a correct manner when a cyber-attack or data breach occurs.
Raising awareness and education around cybersecurity is critical. Indeed, corporations shall also provide easy-to-use solutions (e.g. encrypted e-mails, secure file sharing…) so that their employees can handle and protect information according to its level of sensitivity (internal, confidential, secret…).
In addition, organisations remain vulnerable. Large organisations have become increasingly dependent on a larger and larger number of third parties, with cybersecurity issues often global and complex in nature. Vulnerabilities come in many flavors, starting from outdated software, misconfigurations, incomplete inventory, and weak or too broadly distributed access controls; lastly, new types of vulnerability are emerging in social media, cloud services and the rapid expansion of unmanaged devices. However, poor code remains the major issue for many organizations.
For instance, according to OWASP (Open Web Application Security Project), for many years around 97% of web applications have been vulnerable, and the main risks associated with web applications remain the same, including SQL injections that allow a malicious party to recover, steal or destroy sensitive information in a database.
Correcting a flaw in a Web application can still take several months, and is very costly.
The root cause is that IT developers do not write code securely enough, for various reasons (e.g. lack of time, business pressure…), mainly because they are insufficiently trained. In the digital age, there is an urgent need to educate and train IT professionals, as well as digital marketers, in cybersecurity hygiene and “security by design”.
The CEO and executives are the ultimate decision makers when it comes to investing in cybersecurity.
However, there exists a huge gap between the corporation’s turnover, the IT budget and the small amount of money allocated to cybersecurity.
The root cause probably lies in the executives’ initial higher education. As a general rule, cyber risk management topics are not included in leading business schools’ curricula, unlike the financial risk management discipline. Because executives are inadequately educated, they are not fully aware of cyber risks and data protection issues, and as a result they perceive cybersecurity only as a technical IT problem, which leads to a lack of interest and funding.
Because of the digitalization of the value chain and the growing interest of investors in cyber tech ventures, we can expect cybersecurity to be incorporated into executives’ areas of interest.
Finally, a lack of cybersecurity understanding and commitment may even jeopardize members of the board of directors. Thus, in the US, in the last five years, shareholders have initiated litigation against the directors of Target, Wyndham Worldwide, TJX Companies, and Heartland Payment Systems. We can probably assume that this phenomenon will amplify and reach European markets.
April 14, 2016
Today, securing information systems first requires identifying their Crown Jewels, an issue that is poorly solved because of the heterogeneous and distributed nature of enterprise networks.
The scale of the problem is daunting for large organizations, as they now have to deal with millions of assets residing in multiple geographies.
At the same time, attackers have a field advantage: they work as a team, innovate continuously, automate their attack tools, and need only to identify one weakness to penetrate your corporate defenses.
This explains why we now see so many data breach disclosures in the media, and why CEOs have another worrying question on their mind: have we already been breached, and are we going to discover it in the headlines?
For example, some large corporations in Europe have launched large-scale “Back to the basics” initiatives. The reality is that organizations have difficulty implementing this kind of major change because they treat it purely as a technical matter.
Actually, it’s all about preparing the change within the organization!
Change management initiatives enforcing IT security technologies surprisingly present high failure rates.
Why do CISOs address more and more organizational change initiatives?
Business executives and CISOs (Chief Information Security Officers) feel more and more anxious nowadays, having witnessed constant change in their business and threat environment and a rising frequency of cyber attacks over the past few months. Of course, this is not the only reason for their anxiety.
CISOs also have the feeling that their organization is not keeping pace in terms of information security maturity, initiatives and budgeting. They perceive a contradiction between the vital need to ensure competitiveness while protecting critical business and information assets on the one hand, and organisational inertia on the other.
Creating a new CISO position from scratch, developing an internal Cyber SOC service within an industrial organization, introducing an information security culture into a public administration, deploying the latest APT threat mitigation technology, re-balancing global/local relationships within a new security governance model, launching an information security program within a large financial institution – these are the organizational change initiatives that lie at the heart of the CISO agenda.
Most information security projects deal with change management, and take into account processes, people and technology.
This combination of environmental business volatility, inherent complexity of information security and organizational inertia has created an unprecedented strategic issue. There exists an increasing need for new management competencies for CISOs, ones that will be geared towards the implementation of organizational changes.
More generally, the many different frameworks emphasize the need to standardize and professionalize information security governance (see the “Is ISO 27014 the new graal of information security governance ?!” article).
Which business skills to develop for the CISO?
The job profile of the Chief Information Security Officer is evolving. The CISO shall be positioned in the second line of defence, and be independent of the CIO organization.
CISOs will have to communicate well among technologists, business managers, and senior executives.
To succeed, CISOs will still need deep technical skills, but will also need to develop many managerial and business skills in order to enter the C-level suite.
CISOs will also have to enhance their communication, relationship management and business skills, and not neglect competencies such as leadership, risk management or business process management.
CISOs have to leverage knowledge of human behavior, as individuals and in groups, to influence security culture and behavior, and to lead the change. Individuals respond differently to risk, controls and authority, and they behave differently when they are on their own versus when they are in a group.
Having a very good understanding of the business operations is paramount. Spending time in business lines will also improve the CISO knowledge of the business landscape.
In order to get these competencies, we see more and more CISOs attending MBA or alternative management programs, or thinking about attending such trainings.
Specialized Executive MBAs in the information security domain are now available. Training in financial planning, such as cost-benefit analysis and NPV (net present value) computation, is also becoming critical.
What sort of toolbox does a CISO require to be successful in the change management domain?
Such a toolbox shall provide clarity regarding the distribution of roles between the stakeholders, and specifically between the project sponsor (business sponsor) and the project manager (project leader).
Let’s illustrate the toolbox with the following six key domains and some key questions (not exhaustive) that have to be addressed before deploying the change:
1. Expectations, vision of the future; providing the background of the change initiative
Has a clear vision been created, defined and well explained? Is a vision devised of what it should look like at the end of the program “end state” in terms of concrete objectives as well as in terms of target mindset and behavior?
2. Objectives, results to be achieved; the result aimed at through the initiative
Has the change been designed to align with the cyber security strategy? Which role does corporate governance play in the change project? Is the kind of change chosen well suited: radical vs. incremental change?
3. Planning and coordination; analyzing what to be done for the initiative to succeed
Which means were used to establish a sense of urgency (i.e. a crisis) to build momentum for launching the project? Were people aware of the need to change? Which means are used to raise awareness? Has the business sponsor evangelized the stakeholders?
4. Steering; defining who decides the project should be launched and who is in charge operationally
Is there a written Project Management Plan or a sort of “contract”? Has the Project Management Plan been approved by all the stakeholders? Which KPIs are defined? Is there effective governance?
5. Players, people involved, their roles; all the people involved in the project
By which means are the business owners, BU CISOs, IT operations and administrators involved in the change process? Which implementation strategy (direct/indirect/pilot sector) has been chosen?
6. Rollout strategy, best tactics; the tactics most likely to bring the initiative to fruition
Is there political awareness, in identifying potential coalitions and in balancing conflicting goals and perceptions? Which levers are used to encourage the desired behaviors and to achieve the required outcomes?
What are the key success factors?
One key success factor in the change is the compelling story. It is a story capable of changing the view of the receiver, or at least of supplying him/her with a new perspective, and of convincing the receiver to embark on the journey.
Over the last decade, some significant cybersecurity incidents (e.g. major breaches at Sony and Target, the Snowden insider incident, corporate espionage, malware) have increased executive support and driven new investments in information security programs. Such cybersecurity events may be used for storytelling.
Another key success factor is identifying role models.
Role models are people who are aligned with the objectives set by the organisation and who show in everyday organizational life that they completely embody the target mindset and behavior, thereby being the example to follow.
Because it involves organisational culture and requires deep transformation, implementing a new cyber security strategy or any kind of large information security projects is difficult and requires a number of elements to be in place.
Before wasting millions of euros on large programmes, think about the good old change management techniques!
March 14, 2016
In our previous posts, we explored why company boards should invest in cybersecurity, and to what extent.
Whatever cybersecurity budget they decide to release, the reality remains that organizations have great difficulty applying and fixing the basics (e.g. good password quality, secure machines, vulnerability management) and automating their security processes at large scale.
Attackers, on the other hand, have a field advantage, as they have automated their attack tools and need only to identify one vulnerability to penetrate corporate defenses.
This explains why we now see so many data breach disclosures in the press, and why CEOs have another worrying question on their mind: “have we already been breached, and are we going to discover it in the press?”. In other words, security has become a problem of scale. How to deal with millions of assets residing in multiple geographies (e.g. consumers’ web browsers)?
As a knee-jerk reaction to these all too frequent and highly publicized data breaches, organizations are tightening their security policies, and regulators are flexing their muscles by publishing an ever-increasing set of new regulations that present an additional burden for Chief Information Security Officers.
Throwing people at the problem and installing more enterprise technology solutions is clearly not the solution. Advanced security threats are increasing, but simply adding more layers of defense does not necessarily increase security against targeted threats; security controls need to evolve.
For sure, technology can help mitigate cybersecurity risks dramatically and efficiently (thanks to automation). However, technology cannot resolve ALL cybersecurity issues, and tech selection shall be based upon various criteria such as the business requirements, the corporation’s maturity level, or its threat landscape…
Thus, corporations shall consider technologies very carefully to avoid bad “gadget” projects and the increasing proliferation of technologies, which could undermine the cybersecurity organization’s reputation across the corporation. For instance, do not:
- Install a costly and heavy SIEM or GRC platform if you have not fixed the basics!
- Deploy the latest DLP tool if you have not identified, and do not know well, your Crown Jewels.
Cybersecurity is still broadly perceived as an IT discipline, built around technical solutions and projects – you only have to open any industry magazine or publication to see it, or go to any professional show.
The current cybersecurity situation in many large organisations is still dominated by significant blockers:
1/ Lack of interest in the topic by the Executive Management
2/ Obsession with compliance and audit issues
3/ Focus on technical details and short term actions
The geographical, operational and technical complexity of large organisations requires a well-designed strategy and proper governance framework, that is rarely in place, to enable the true delivery of cybersecurity solutions on a global scale.
Every CIO/CISO should establish a long-term, clear and shared strategic roadmap – and be prepared to stay in charge for the time it will take to deliver it. Such a strategy is the right mix of governance, organization, processes, technology and culture, engaging representative business stakeholders.
As part of such a strategy, four main categories of cybersecurity solutions can be distinguished: preparation, prevention/protection, detection and reaction.
Because a data breach or high-impact cyber attack will occur one day or another (it is a question of when, not if), greater emphasis has to be placed on early (continuous) monitoring, detection and reaction rather than on prevention or protection controls alone.
Moreover, having accurate and timely information on emerging threats and vulnerabilities through threat intelligence capabilities will allow corporations to enrich their early detection capability and their vision of “known unknowns”, and to quickly prioritize and begin their remediation and threat prevention and protection efforts.
Corporations recognize that, regardless of their current security controls, cybersecurity can never be 100% guaranteed. That is why the overall cyber insurance market is growing at a great pace. The growth of cyber insurance is related to the need to mitigate the damage from cyber security incidents. Cyber insurance, the transfer to a third party of the financial risk associated with network and computer incidents, has captured the imagination of professionals and researchers for many years. In the near future, cyber insurance will bring many benefits to the cybersecurity posture of firms.
Last but not least, because the weakest link is the human, organizations shall engage ALL their employees in the fight against breaches.
Raising awareness and education around cybersecurity is critical. Indeed, corporations shall provide easy-to-use solutions (e.g. encrypted e-mails, secure storage on removable media…) so that their employees can handle and protect information according to its level of sensitivity (confidential, secret…).
March 9, 2016
Most corporations operate under very tight budget constraints. At the same time, cyber incidents are becoming so common that some of the associated costs should be fairly well anticipated, and increasingly accepted as part of the risk of doing business.
Recognizing the growing cyber threat landscape, many finance and risk officers are responding by increasing budget allocations for cybersecurity programs and investing in cyber insurance. While these commitments may be necessary to improve protection against certain kinds of losses, if made in the absence of a more comprehensive cyber risk program, they can leave an organization unwittingly exposed to far more consequential financial damage.
In our previous post, we explored why company boards should invest in cybersecurity.
In addition, boards are mainly concerned with the following questions:
- Is our current cybersecurity budget sufficient?
- Can we do more with our current cybersecurity budget?
- Do we need to invest in new cybersecurity projects and capabilities?
- How to measure paybacks of new cybersecurity investments?
These questions are complex to answer; we will try to provide a first set of ideas and areas to explore.
The challenge is to find the right balance between overspending and underspending. Shaping and handling the right cybersecurity budget is not an easy task.
At present, we need to recognize that it is highly difficult to quantitatively measure the payback of new cybersecurity investments (projects) and of current operations (BAU).
When an organization considers investment in a traditional business project, its shareholders and board look for financial value creation. When budgeting capital, they will compute the Net Present Value (NPV) (which is the difference between the present value of cash inflows and the present value of cash outflows) to analyze the profitability of a projected investment or project.
The same approach can be applied to determine the financial feasibility of a large cybersecurity programme. The big difference is that cybersecurity projects never generate income (the exception being when cybersecurity is the value proposition itself, or tightly embedded into a digital value proposition); rather, they save costs, or prevent the loss of funds that the organization would otherwise devote to its business operations. The value of the project is expressed as the amount of money it “saved” the organization in terms of prevented losses (or in operational process optimization). Just as with income-generating projects, however, the cost of the cybersecurity project should be less than the value it provides. Intuitively, an organization would not spend $50,000 to protect $10,000 in assets.
According to the Gordon-Loeb rule, an organization should never spend more on a cybersecurity measure than 37 percent of the expected reduction of the risk value through implementation of the measure. Expected loss is based on the value at risk and the probability of the risk materializing. While theoretically possible, this approach assumes a very precise calculation of expected losses, and arriving at such a value is far from straightforward.
To measure the payback of cybersecurity and answer the board’s question “to what extent do we need to invest in cybersecurity?”, organizations need to adopt a true cyber risk management approach, assessing costs, rewards and risks. For that, the board shall define the cybersecurity risk appetite (i.e. the kind and level of risk the corporation is willing to accept).
However, can we assess direct and indirect impacts and costs following a massive data breach or a cyber incident? Yes, probably in a first approach but … How can we value the financial impacts of a reputation loss? Highly difficult.
In order not to waste time and resources, and to develop relevant cyber risk scenarios, the right approach is first to understand and identify what the Crown Jewels (i.e. business and information assets) of your organisation are, and where they sit in the business value chain, and then to protect them according to the value at risk. As with the Crown Jewels of royalty, companies pay close attention to these divisions or products because they are often responsible for a sizeable portion of the company’s earnings. Indeed, protecting every asset or piece of data is totally inefficient. To estimate the business value of assets, and thus identify the “Crown Jewels”, it is worth using ranges for business impact (e.g. between €500,000 and €1,000,000).
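The NPV view of a cybersecurity investment and the Gordon-Loeb cap described above, applied to a Crown Jewel whose business impact is given as a range, as a worked example. This is added code, not from the original post; the scenario, the control, the 5% discount rate, and the choice to compare the 37% cap against the control's annualized cost are all constructed assumptions.

```python
"""Worked example (added, not from the original post) of valuing a cybersecurity
control the way the post describes: the "income" is prevented loss, discounted
to an NPV, and the Gordon-Loeb 37% rule caps how much to spend on the control.
All figures below are constructed for illustration."""
from dataclasses import dataclass

# Upper bound on spend as a share of the expected risk reduction, as stated in the post.
GORDON_LOEB_FRACTION = 0.37


@dataclass
class RiskScenario:
    """A cyber risk scenario on a Crown Jewel, with the impact given as a range
    (the post suggests ranges such as EUR 500,000 to 1,000,000) and an annual
    probability of occurrence."""
    name: str
    impact_low: float    # lower bound of business impact, in EUR
    impact_high: float   # upper bound of business impact, in EUR
    probability: float   # annual probability that the scenario materializes

    def expected_loss(self, bound: str) -> float:
        """Annual expected loss = value at risk x probability, at one end of the range."""
        impact = self.impact_high if bound == "high" else self.impact_low
        return impact * self.probability


@dataclass
class Control:
    """A security measure: one-off cost, yearly running cost, the fraction of the
    scenario's expected loss it removes, and the horizon over which it is evaluated."""
    name: str
    upfront_cost: float
    annual_cost: float
    risk_reduction: float   # share of expected loss prevented, between 0 and 1
    horizon_years: int

    def annualized_cost(self) -> float:
        # Assumption: the upfront cost is spread evenly over the horizon.
        return self.upfront_cost / self.horizon_years + self.annual_cost


def annual_saving(control: Control, scenario: RiskScenario, bound: str) -> float:
    """Prevented loss per year: the control's share of the scenario's expected loss."""
    return control.risk_reduction * scenario.expected_loss(bound)


def npv_of_control(control: Control, scenario: RiskScenario,
                   discount_rate: float, bound: str) -> float:
    """NPV as defined in the post: present value of inflows (prevented losses)
    minus present value of outflows (upfront and yearly costs)."""
    net_yearly = annual_saving(control, scenario, bound) - control.annual_cost
    npv = -control.upfront_cost  # paid at t = 0, so not discounted
    for year in range(1, control.horizon_years + 1):
        npv += net_yearly / (1 + discount_rate) ** year
    return npv


def gordon_loeb_cap(control: Control, scenario: RiskScenario, bound: str) -> float:
    """Maximum yearly spend suggested by the 37% rule on the expected risk reduction."""
    return GORDON_LOEB_FRACTION * annual_saving(control, scenario, bound)


def within_gordon_loeb(control: Control, scenario: RiskScenario, bound: str) -> bool:
    """Assumption: the cap is compared against the control's annualized cost."""
    return control.annualized_cost() <= gordon_loeb_cap(control, scenario, bound)


def evaluate(control: Control, scenario: RiskScenario, discount_rate: float) -> dict:
    """Run both tests at each end of the impact range, so the board sees how much
    the verdict depends on the precision of the expected-loss estimate."""
    result = {}
    for bound in ("low", "high"):
        result[bound] = {
            "expected_loss": scenario.expected_loss(bound),
            "npv": round(npv_of_control(control, scenario, discount_rate, bound), 2),
            "gordon_loeb_cap": round(gordon_loeb_cap(control, scenario, bound), 2),
            "within_cap": within_gordon_loeb(control, scenario, bound),
        }
    return result


# Constructed sample input: a customer-database breach scenario and a hardening control.
CUSTOMER_DB_BREACH = RiskScenario("customer database breach", 500_000, 1_000_000, 0.2)
DB_HARDENING = Control("database access hardening", 60_000, 10_000, 0.5, 3)
DISCOUNT_RATE = 0.05  # assumed cost of capital


if __name__ == "__main__":
    for bound, figures in evaluate(DB_HARDENING, CUSTOMER_DB_BREACH, DISCOUNT_RATE).items():
        print(f"{bound:>4} impact: {figures}")
```

With these figures the NPV is positive at both ends of the range, but the 37% cap is only respected at the high end, which is exactly the sensitivity to the expected-loss estimate that the post warns about.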
Around this robust set of Crown Jewels, leaders need to think more broadly about cyber risk and consider the true intent behind a potential cyber incident, and understand that theft of data may not be the most damaging impact. Operational destruction and organizational disruption may be significantly more impactful than data theft alone.
When developing further cyber risk scenarios (e.g. using ISO 27005), four options will appear: accept risk, avoid risk, mitigate risk and transfer / share risk.
Sharing risk (e.g. cyber insurance carriers) should be seen as part of a holistic approach to cyber risk management. Cyber insurance will probably bring in a near future many benefits for the cybersecurity posture of firms and support corporations in cybersecurity investments decisions rationale. Corporations realize that, regardless of their current security controls, cybersecurity can never be 100% guaranteed.
Nevertheless, in what kind of cybersecurity solutions should boards invest? Do they need to consider insurance solutions to transfer cyber risks? Read our next post soon…
February 29, 2016
Cybersecurity is perceived as costly. Yet, while many organizations claim to spend in excess of 3% of their total IT spend on cybersecurity, according to the World Economic Forum, in spite of the amounts invested over the years, 79% have not yet achieved an acceptable level of cybersecurity maturity (“Risk and Responsibility in a Hyper-Connected World”, January 2014).
Why should boards of directors make sound cybersecurity investments? We have wrapped up the major concerns to be considered. (A lack of) cybersecurity may even jeopardize members of the board of directors.
1/ Organisations still remain vulnerable. Large organisations have become increasingly dependent on a larger and larger number of third parties, and their cybersecurity problems are often global and complex in nature. Vulnerabilities come in many flavors: poor code, outdated software, misconfigurations, incomplete inventories, weak or too broadly distributed access controls; lastly, a new type of vulnerability is emerging with social media, cloud services and the rapid expansion of unmanaged devices.
- According to OWASP (Open Web Application Security Project), in 2013, 97% of web applications were vulnerable, and the main risks associated with web applications remain the same, including SQL injection, which allows a malicious party to recover, steal or destroy sensitive information in a database. Correcting a flaw in a web application can still take several months.
- The DBIR (Data Breach Investigations Report) published in 2014 by Verizon revealed, following the “autopsy” of 855 incidents, that 92% of attacks were of low complexity, that 79% of victims were targets of opportunity, and that 97% of successful attacks would have been prevented if the victim had implemented basic controls.
2/ The cyber threats organisations face continue to evolve at an ever faster pace. Attacks are increasingly combined and complex. In parallel, the digital backbone of corporations is growing at high speed: web applications, for instance, are developed to meet time-to-market business objectives and to create new generations of useful and immersive web experiences for customers.
However, the digital backbone of our organisations is really at risk! Indeed, according to the ENISA Threat Landscape 2015 report (see the chart below), one of the top threats is the injection of malicious code into the HTML of websites in order to exploit vulnerabilities in users’ web browsers (known as drive-by download attacks). Web applications and browsers are becoming critical points and attack vectors, and need to be inventoried, risk assessed and protected. The current trend for this threat is still increasing.
Regarding web presence, are the business owners of your corporation able to answer the following questions quickly:
- How many web applications do they own on the Internet?
- How many are really critical for their business?
- What are the top five most vulnerable web applications?
For instance, can business owners provide the following KPIs?
- What is the number of web applications? How many apps have been securely coded?
- What is the number of uniquely pentested web applications out of all web applications per year?
- What is the number of remediated critical vulnerabilities out of all identified critical vulnerabilities for web applications within one year?
3/ Cyber threats are not only theoretical risks drawn up and imagined by cybersecurity professionals. They are now real cyber incidents in the field.
Look back at the massive Sony Pictures hack, which leaked tons of documents and data: passwords, full-length films and the social security numbers of 47,000 people, including Sony executives and celebrities… What was unique about the Sony Pictures case was the desire to humiliate an organization.
“Guardians of Peace” leaked, among other items, internal documents from a consulting firm, including salary information for more than 30,000 employees. Sony Pictures issued a data breach notification letter to current and former employees, confirming that various personal details, including medical information, may have been compromised. Cybersecurity investment wasn’t always a major concern at the top. Remember the CISO statement in 2007: “I will not invest $10 million to avoid a possible $1 million loss.”
4/ Your customers are becoming more and more demanding regarding data protection when buying goods or services online. Customers must trust the company to which they have entrusted their financial and personal details during a purchase. Without this trust from the consumer, a digital business will fail. The prominence of smartphones and tablets has raised consumers’ awareness, as individuals increasingly take charge of their own security on personal devices. Pressure from an increasingly knowledgeable consumer base should act as an incentive for digital players to get their own products and premises in order. Business lines shall integrate data security and privacy topics when shaping their business model and customer value proposition.
5/ External pressure from regulators is increasing (e.g. the EU data protection regulation, the NIS Directive, the LPM in France, etc.). Strong regulatory fines will come with the EU Data Protection Regulation. Current fines are quite low across the European Union, e.g. 150,000 euros in France and 300,000 euros in Spain. The EU regulation is one of the most binding. After the two-year transition period, in case of a proven violation of the rules, companies will face a risk of financial penalties of up to 5% of their annual turnover or 100 million euros, depending on their size.
Even though there are strong ongoing regulatory requirements, companies should be proactive rather than reactive, investing in “genuine cybersecurity” instead of a mere “tick in the box” strategy.
Still, to what extent should boards of directors invest in cybersecurity? How can we measure the paybacks of cyber risk mitigation? Read our post next week …
Picture source: http://www.bankinfosecurity.com/
February 11, 2016
Demystifying Internet of Things
The Internet of Things is no longer an emerging but an emerged domain!
But how should it be defined? The “Internet of Things” refers to physical objects that have embedded network and computing elements and communicate with other objects over a network. Definitions of IoT vary regarding the communication pathway: some state that IoT devices communicate over the Internet; others state that IoT devices communicate via a network, which may or may not be the Internet.
For example, an IEEE special report states the following: “The Internet of Things, or IoT, which you probably have heard about with increasing frequency, is not a second Internet. Rather, it is a network of items — each embedded with sensors — which are connected to the Internet.”
This is a phenomenon whose main challenge is to connect, reliably and in real time, billions of people (often through mobile terminals) but also billions of objects of any kind.
The main principle is that each object is able to connect to the Internet to exchange information and to increase its intrinsic value. The traffic generated by the Internet of Things will produce exponential volumes of information in a variety of formats and with rich content. These data deposits are likely to transform the management of our daily lives.
The Internet of Things will increasingly become Machine to Machine, and will be an Internet of Services, characterized by two key pillars – Cloud Computing & Big Data.
The Internet of Things is a unique combination of three essential components of any kind of architecture: the network (for connectivity), the access terminal (with capacity for processing, storage and communication) and data centers (for storage and processing).
But why is the Internet of Things considered as a phenomenon? Gartner estimates that IoT product and service suppliers will generate incremental revenue exceeding $300 billion in 2020. IDC forecasts that the worldwide market for IoT solutions will grow from $1.9 trillion in 2013 to $7.1 trillion in 2020.
In addition, as mentioned by BPI, the French public investment bank, connected objects are everywhere (cities, houses, cars, health, etc.) and the areas of application are huge (waste management, urban planning, gadgets, emergency services, mobile shopping, smart meters, health, automobile, insurance, etc.).
Understanding the universe of business risks
However, beyond these opportunities, the Internet of Things generates cybersecurity, privacy and legal risks.
For example (and there are many others), researchers from Fortinet were able to take remote control of a “connected home” from their offices in California by exploiting a very basic vulnerability (a default password), having first browsed the Shodan.io website, which is called the “search engine of the Internet of Things”.
In addition, connected objects can be used to bounce cyber attacks onto third parties, which raises the question of legal responsibility. These objects represent an abundant resource for cyber criminals who want to divert them into attack tools.
Who could imagine, in the near future, an attack launched by a coalition of cyber refrigerators or houses?!
The problem is compounded by the fact that the industrial network protocols in question (e.g. ICS protocols) have little or no protection, and that these objects exist in very large numbers. These objects need to be secured and monitored to avoid such a takeover.
Indeed, the Internet of Things collects an ever increasing amount of data (e.g. personally identifiable information, personal health information and payment card information). Regarding privacy, personal data leakage is obviously a real business risk, but the danger comes even more from the correlation of multiple data sources, which produces rich profiles usable by sales and marketing organisations.
Legislators are aware of the need to modernize the data protection system, reconciling consumer protection with the very promising development of the connected objects market. It seems unrealistic to achieve and offer full guarantees to consumers. However, they must have sufficiently clear and comprehensive information to understand the risks. The issue of consent is essential, but should not be exaggerated.
The consumer must trust the company from which they bought Internet of Things related services and apps. Therefore, corporations engineering or (re)selling Internet of Things solutions must provide transparency, and it is essential that data security and privacy be integrated into their value proposition design and product development phases. As a business advisor, the CISO can make the difference by showing both the opportunities and the business risks to senior executives so that they can make informed decisions.
It is in the best interests of Internet of Things providers or operators to make themselves as secure as possible. Compliance may tick boxes, but in a competitive market, businesses must look beyond this to engender the loyalty of their customers.
Unleashing the full potential of Internet of Things
The Internet of Things clearly introduces a new fragility into our digital economy, driven by multiple aggravating factors:
- an enormous and exponentially growing volume of hyper-connected objects of any kind, which are not really secure by default and collect huge amounts of data;
- an increased surface for cyber attacks;
- a tsunami and a potential aggregation of personal data;
- a potential complexity in terms of stakeholders and responsibility;
- a strong challenge to privacy and the right to be forgotten.
To thwart these threats, the following initial best practices are strongly recommended:
- integrate data protection and privacy into the value proposition design;
- involve the CISO or cybersecurity experts at an early stage;
- promote and systematize “secure by design” when shaping a new disruptive product or solution;
- clarify the roles and accountabilities (customers, suppliers, subcontractors), and to that end understand your value chain;
- watch the regulatory and legal environment;
- develop partnerships with cybersecurity companies to address vulnerabilities and cyber threats.
To take advantage of the many opportunities of the Internet of Things, corporations must take data protection and privacy seriously in order to keep their competitive advantage.
Data security and privacy was the main theme of the 8th International Cybersecurity Forum in Lille on 25 and 26 January 2016. This paper is a wrap-up of the discussion at the roundtable “Internet of Things: a new weakness?”, which Business Digital Security SAS had the chance to moderate. This roundtable was sponsored by the Cyber Excellence centre and composed of a multidisciplinary panel (legal, R&D, information security, business).
November 26, 2015
Have you heard this?
- Ryanair had nearly $5m stolen
- Dropbox left 6.9 million accounts possibly compromised
- TV5 Monde was hacked and taken down
- Target Corporation had the data of around 40 million credit and debit cards stolen
Probably, because cyber attacks are unfortunately becoming more prevalent in terms of frequency, business impact and visibility. Reading the headlines, citizens, consumers, senior executives and shareholders are more and more aware of serious data breaches.
Cybersecurity is, fortunately, now considered a growing business concern for most corporations.
(A lack of) cybersecurity may even jeopardize members of the board of directors. Thus, in the US, in the last five years, shareholders have initiated litigation against the directors of Target, Wyndham Worldwide, TJX Companies and Heartland Payment Systems. We can probably assume that this phenomenon will amplify and reach European markets.
Another risk that boards of directors face is “activist” shareholders. They can form alliances to challenge the re-election of directors when it is perceived that they did not do enough to prevent a cyber attack. Indeed, on behalf of shareholders, the role of the board of directors is all about governance, i.e. to control and oversee business strategy decisions and to manage risks efficiently.
For example, the data breach cost Target a significant drop in profit, estimated at around 40% in the 4th quarter of the year. As a consequence, the Target CEO was also dismissed. Thereafter, shareholders of Target urged the ouster of seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over cybersecurity.
In which areas do boards of directors “fail”?
According to the New York Stock Exchange’s definitive cybersecurity guide (October 2015), boards of directors mainly fail:
- To implement and monitor an effective cybersecurity program;
- To identify and protect company assets and business by recklessly disregarding cyber attack risks and ignoring red flags;
- To implement and maintain internal controls to protect customers’ or employees’ personal or financial information;
- To take reasonable steps to notify individuals in a timely fashion that the corporation’s information security system had been breached.
What does the board of directors need to ask?
Cybersecurity is becoming a strategic issue and needs to be addressed with a strong and professional risk management approach, like any other business risk (strategic, financial, operational, etc.).
Even if cybersecurity is now considered a business risk by the board, it is strongly recommended that boards of directors ask the following questions:
- What are the most valuable business assets to protect? Are both external and internal threats considered when planning cybersecurity program activities? Does the organization understand the origin of the threats (e.g. cybercriminals, competitors, governments, rogue employees, etc.)?
- Does the organization have a sound and consistent cybersecurity strategy and program? Does the organization use an ISMS framework such as ISO 27001?
- How is cybersecurity governance managed within the organization? Is it well integrated into the corporate governance? Are the roles and responsibilities well defined among directors, business, IT and cybersecurity stakeholders?
- What are the top five cybersecurity risks the organization faces? How does the organization manage uncertainty? Are cyber risks related to strategic partners considered? Is it addressing new business cases like mobile devices, the bring-your-own-device trend, big data, or cloud computing?
- How are employees made aware of their role related to cybersecurity? Does every employee receive some basic cybersecurity awareness training?
- In the event of a serious breach, has management developed a robust response protocol? What incident response and crisis management approaches are in place?
Thus, every CISO should shape and implement a long-term, clear and shared cybersecurity strategy and governance framework, both aligned with the corporation’s business strategy and governance. An ISMS will help to gather the various stakeholders’ expectations.
The increase in data breaches will force the CISO to climb the agenda in board meetings.
As a result, board members, business executives, IT and cybersecurity will better understand their respective roles and accountabilities regarding cybersecurity.
This strategic roadmap should be regularly updated and tailored to the business environment, and should provide financial (accounting) perspectives with powerful KSIs. It will bring more attention from the board and the business line executives.
It will also enable board directors to stay involved in the corporation’s cybersecurity program and to engage at a higher level with the associated risks.
To strengthen their involvement, board members should receive periodic cyber risk updates from the CISO and also have access to external cyber experts, whose expertise and experience board members can rely on when deciding what to do (or not) to manage cyber risks.
Because board members will be more involved, this will promote cybersecurity and engage senior management, middle management and finally ALL employees. The employees of the corporation will become the first line of defense in the event of a cyber attack.
As a whole, it will improve the overall resilience of the corporation’s business lines and IT infrastructure, and we can expect it to bring more value to shareholders, which will better protect board members from “activist” shareholders.
Stay tuned with: https://business-digital-security.com
October 13, 2015
“If you cannot measure it, you cannot manage it.” The old management adage also applies to the information security department.
CFOs have had a monopoly on interesting metrics that demonstrate the financial progress of the business. Like a CFO, CISOs should also master the figures and present KSIs (Key Information Security Indicators).
Even if there are plenty of standards and approaches on the market for information security metrics (e.g. ETSI ISI, NIST, SANS Institute, ISO 27004), CISOs shall design and implement their own sustainable metrics and KSIs, tailored to their organization and culture.
In order to avoid flooding the board with novelty or gadget indicators, it is worth developing a comprehensive yet concise list of KSIs that speaks to the board and the business lines.
Corporations shall start with easy-to-measure and easy-to-understand KSIs on a limited but representative scope (branches, projects, processes, etc.), for instance:
- rate of employees trained through awareness sessions
- number of risk assessments / number of new critical projects
- rate of non-patched systems
- average number of vulnerability tests per month / number of websites, etc.
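The KSIs listed above, together with the web application KPIs asked of business owners earlier on this page (uniquely pentested apps per year, critical vulnerabilities remediated within one year), can be computed from the asset inventory. The following is an added example, not code from the original post; the record layout, field names and sample data are constructed assumptions standing in for the real inventory, vulnerability tracker and training records.

```python
"""Compute a first set of KSIs from constructed inventory records.

Added illustration, not the post's own code. All records and field names
below are assumptions; in practice they would be exported from the asset
inventory, the vulnerability tracker and the awareness-training system.
"""
from datetime import date

# Constructed web application inventory with the dates of each pentest.
WEB_APPS = [
    {"name": "shop", "critical": True, "securely_coded": True,
     "pentests": [date(2015, 3, 2), date(2015, 9, 14)]},
    {"name": "careers", "critical": False, "securely_coded": False,
     "pentests": [date(2014, 11, 20)]},
    {"name": "partner-portal", "critical": True, "securely_coded": True,
     "pentests": []},
    {"name": "blog", "critical": False, "securely_coded": False,
     "pentests": [date(2015, 1, 8)]},
]

# Constructed critical vulnerabilities: discovery date and fix date (None = still open).
CRITICAL_VULNS = [
    {"app": "shop", "found": date(2015, 3, 5), "fixed": date(2015, 4, 1)},
    {"app": "shop", "found": date(2015, 9, 15), "fixed": None},
    {"app": "partner-portal", "found": date(2015, 6, 1), "fixed": date(2015, 8, 1)},
    {"app": "blog", "found": date(2015, 1, 9), "fixed": date(2016, 3, 1)},  # fixed, but late
    {"app": "careers", "found": date(2014, 11, 21), "fixed": date(2015, 1, 10)},  # found in 2014
]

# Constructed system inventory (patch status) and training records.
SYSTEMS = [
    {"host": "web-01", "patched": True}, {"host": "web-02", "patched": False},
    {"host": "db-01", "patched": True}, {"host": "db-02", "patched": True},
    {"host": "legacy-erp", "patched": False},
]
EMPLOYEES = [{"id": i, "trained": i % 4 != 0} for i in range(1, 9)]  # 6 of 8 trained


def _rate(numerator, denominator):
    """Ratio as a float; an empty scope yields 0.0 instead of a ZeroDivisionError."""
    return numerator / denominator if denominator else 0.0


def pentest_coverage(apps, year):
    """Share of web apps pentested at least once in `year`; each app counts once
    however many tests it had, matching the 'uniquely pentested' KPI."""
    tested = {a["name"] for a in apps if any(d.year == year for d in a["pentests"])}
    return _rate(len(tested), len(apps))


def critical_remediation_rate(vulns, year, window_days=365):
    """Share of criticals found in `year` that were fixed within `window_days`.
    Open findings and fixes landing after the window count as not remediated."""
    found = [v for v in vulns if v["found"].year == year]
    in_time = [v for v in found
               if v["fixed"] is not None and (v["fixed"] - v["found"]).days <= window_days]
    return _rate(len(in_time), len(found))


def unpatched_rate(systems):
    """KSI 'rate of non-patched systems' over the inventory."""
    return _rate(sum(1 for s in systems if not s["patched"]), len(systems))


def awareness_rate(employees):
    """KSI 'rate of employees trained with awareness sessions'."""
    return _rate(sum(1 for e in employees if e["trained"]), len(employees))


def scorecard(year, apps=WEB_APPS, vulns=CRITICAL_VULNS, systems=SYSTEMS, employees=EMPLOYEES):
    """Assemble the indicators a CISO could carry into a balanced scorecard."""
    return {
        "web_apps": len(apps),
        "critical_web_apps": sum(1 for a in apps if a["critical"]),
        "securely_coded_rate": _rate(sum(1 for a in apps if a["securely_coded"]), len(apps)),
        "pentest_coverage": pentest_coverage(apps, year),
        "critical_remediation_rate_1y": critical_remediation_rate(vulns, year),
        "unpatched_rate": unpatched_rate(systems),
        "awareness_rate": awareness_rate(employees),
    }


if __name__ == "__main__":
    for name, value in scorecard(2015).items():
        print(f"{name:30s} {value}")
```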
The set of KSIs could sweep multiple dimensions, for instance the five dimensions of the AT Kearney Temple Model for information security: strategy, organization & governance, processes, technology and culture.
These KSIs, integrated into an actionable balanced scorecard, will help the CISO drive the cultural change and the execution of the information security strategy, and highlight misalignment with defined goals and objectives. The KSIs will be measured and monitored on a regular (annual) basis.
The KSIs shall be fully aligned with and linked to business KPIs. For example, for an online bank, we could map the KSI “Percentage of incidents where customer data is put at risk” to the business KPI “Customer churn rate”.
This will reinforce the partnership between the information security department and the business lines.
Then, with a first set of robust KSIs, the corporation will be able to address effectiveness and even some initial efficiency issues.
September 10, 2015
We explore the three stages involved in reaching Cyber Resilience, from examining the current situation to breaking the dynamics of failure and reaching and maintaining the end goal.
- The current cybersecurity situation in many large organisations is dominated by significant blockers.
Cybersecurity is still broadly perceived as an IT discipline, built around technical solutions and projects – you only have to open any industry magazine or publication to see it, or go to any professional show.
The “three lines of defence” models promoted in some form or another by various standards, such as COSO or ISO 31000, are poorly understood and poorly applied. Cybersecurity is often arbitrarily kept in a technical first line, in spite of its complex nature, requiring a true implementation across the three lines of defence – and across many corporate silos.
In practice, this excessive technical focus – which spans the entire industry history – is failing for most large organisations. In fact, many of these organisations claim to spend in excess of 3% of their total IT spend on cybersecurity, but in spite of the amounts invested over the years – 79% have not yet achieved an acceptable level of cybersecurity maturity (‘Risk and Responsibility in a Hyper-connected World’ – World Economic Forum, January 2014). These results are echoed by the RSA Cyber Poverty Index published in June 2015.
This failing situation is rooted in the lack of cultural fit between cybersecurity and IT mindsets. Technologists are essentially trained and incentivised to deliver functionality and features – not risks and controls – and this leads to a tactical and technical security focus that rarely delivers true results in large organisations.
Those large organisations have become increasingly dependent on a larger and larger number of third parties, with cybersecurity problems often global and complex in nature, and the threats they face continue to evolve at a faster and faster pace. The geographical, operational and technical complexity of large organisations requires a well-designed strategy and proper governance framework, that is rarely in place, to enable the true delivery of cybersecurity solutions on a global scale.
This lack of results can drive middle-management frustration and budgetary tensions around cybersecurity internally, which in turn brews demotivation and further talent alienation away from cybersecurity functions. It is often also the lack of results (or insufficient or slow progress), which attracts the attention of auditors and regulators on these matters; those are often ‘low hanging fruits’ in absence of any strategic vision around cybersecurity.
This, in turn, is effective at drawing the attention of Executive Management towards the topic – but for all the wrong reasons. And when coupled with the increasing media and political attention around cybersecurity, it simply aggravates the tactical dynamics around cybersecurity. Driven by endemic fears of negligence claims and short-termism compliance obsessions, money – which wasn’t there yesterday – suddenly appears out of nowhere just to fix audit or compliance issues. Senior Executives can go to the media or claim with their peers that “cyber is on our agenda and money is there”, but in practice, the lines haven’t really moved at all – and the same old mistakes and habits are being perpetuated.
Over time, cybersecurity becomes an overhead and a problem – instead of a necessary barrier against real and active threats to the business. And, in practice, money is often simply wasted to put ticks in boxes. A large number of technology companies make a good living in that compliance space, but this eco-system is inherently unhealthy. This results in stagnating protection levels and low cybersecurity maturity, which is what the World Economic Forum report highlighted last year.
- Large organisations, which find themselves in such a situation – and want to break these dynamics of failure – must rethink their approach and rewire their cybersecurity practice by acting at three levels.
- The profile of the CISO needs to be right in order to drive change.
Look without complacency at the cybersecurity history across the firm, and at the barriers that have prevented progress. The CISO needs to have the right amount of business and management experience, personal gravitas and political acumen to be credible with all stakeholders across corporate silos (not just technologists) – these are attributes of seniority. Cybersecurity is not just a technical discipline.
Cybersecurity is all about protecting information, which is at the heart of the organisation value chain and business processes. Therefore, only with the right attitude and experience will the CISO be able to reach out of IT to all stakeholders and drive success. Of course, the reporting line of the CISO is of paramount importance in that context. It should be to the CIO or the COO in most cases and delegating down must be avoided at all costs – as it would simply confuse objectives and create opportunities for political tensions with stakeholders. This would destroy any credibility around the real desire of Executive Management to drive change.
Raising the profile of the CISO (and their reporting line where necessary) will break the dynamics of talent alienation around cybersecurity. Sound governance, coupled with a better management and political acumen at senior level within cybersecurity, will break the dynamics of failure around delivery. Pinning success against a long-term backdrop and ensuring that the CISO and key personnel remain in place throughout will help Executive Management develop a true sense of purpose around cybersecurity, beyond short-termism or audit and compliance obsessions.
- The CISO needs to structure their relationship with all stakeholders as part of a strong Cybersecurity Governance Framework, positioning roles, responsibilities and accountabilities across the cybersecurity space and across the whole organisation from the top down.
The CISO must also define a proper Target Operating Model for the cybersecurity team itself – which would give it a strong backbone, a clear structure and an unambiguous sense of purpose internally.
All of this is key to driving success. For example, you cannot imagine delivering a successful Identity & Access Management programme of work without the involvement of HR – and the business units if they are allowed to hire & fire directly. There needs to be clear demarcation lines around what gets done within the cybersecurity team and what remains outside of it.
The whole governance model should also address, without complacency, the full geographical spectrum of the business – and its true nature in terms of dependencies on third parties.
- The cybersecurity department should be seen as a true Business Unit, and therefore, every CISO should establish a long-term, clear and shared strategic roadmap – and be prepared to stay in charge for the time it will take to deliver it.
Real and long-lasting change in the cybersecurity space will involve a cultural shift for most large organisations – and the embedding of a structured practice and a controls mindset in the way the organisation works. It will not happen quickly. It could typically involve an initial transformation cycle of several years, followed by a consolidation cycle of several years.
The CISO and key team members may have to consider their tenure over a 5 to 7 year horizon to genuinely drive change through. During the period, all actions (technical or not) must be pinned against a consistent long-term backdrop – including any unavoidable short-term tactical initiatives (typically driven by incidents, audit observations or compliance requirements). Inconsistencies and a constant reshuffling of priorities would simply kill the change momentum, as would the untimely removal of key personnel.
- The resulting outcome should be a cyber resilient organisation, where cybersecurity is embedded in the business environment.
A long-term strategic roadmap for cybersecurity that is regularly updated, tailored to the business’s environment and provides financial perspectives – will bring multiple benefits:
- Traceability up to the organisation strategy and business lines’ requirements
- Improved overall resilience of business lines and cyber infrastructures
- Improved visibility and control over costs (where that’s a concern)
This should bring more attention from the Board and the business lines, and improve their engagement with the cybersecurity concepts – leading to more constructive discussions around cybersecurity budgets and costs.
Over time, focus on information risk should drive meaningful intelligent actions, and cybersecurity should become a valuable business function at the heart of the organisation – not just an IT department that deals with audit and compliance issues.
This article is based on an earlier article by Corix Partners, which Corix Partners (JC Gaillard) and Business Digital Security (François Gratiolet) have revisited jointly to reformulate its content as the foundations of a road to cyber resilience.