As technology has evolved and grown increasingly powerful, cyberattacks from malicious individuals and organizations have escalated, both in frequency and magnitude. Thus cybersecurity has become a hot topic for discussion over the past few years among governments, companies and other organizations. Cyber threats are now an undeniable reality, and attacks can originate from virtually anywhere. Businesses, especially, are seeing increasing threats to their systems and looking for ways to protect their data and the data of their customers.
Due to increased threats to organizations, the cybersecurity market has grown a great deal in a short time, and is expected to continue on this upward trajectory in the coming years. The estimated $75 billion global industry is anticipated to be valued at $170 billion by the year 2020. Specific areas most likely to grow include security analytics, threat intelligence, mobile security, and cloud security.1
Cyber threats are evident across industries globally; however, some markets place a higher priority on security initiatives than others. North America and Europe, in particular, lead as revenue contributors, and Asia-Pacific is likely to become the go-to market for solution providers. By industry, “the aerospace, defense, and intelligence vertical continues to be the largest contributor to cyber security solutions.” There is increased deal and M&A activity in the industry as well. Deals in the millions of dollars or more are now more common. Additionally, seven-figure deals have increased by 40% since last year.2
The vast majority of companies and organizations (91%) have at the very least adopted a security framework. More than two-thirds use cloud-based cybersecurity services (69%) and over half (59%) leverage big data analytics for security. Furthermore, a greater percentage of companies and organizations are collaborating with each other to “improve cybersecurity and reduce cyber-risks,” at 65% today compared to just 50% in 2013. Partnership has its benefits, as companies claim working together “allows them to share and receive more actionable information from industry peers.”3
Survey says: cyberattacks on the rise, cybersecurity slowly becoming a priority for companies and organizations.
“In North America, and certainly in Canada, there is a dearth of talent in the cybersecurity sector. The competencies required are highly specialized, and at the senior level it’s not just having someone who is technologically savvy. The cybersecurity leader must also be well versed in enterprise risk management, corporate governance and in the overall business objectives. For those reasons, compensation levels have soared tremendously.” - Kevin Gormely, Partner, Boyden Toronto
A 2015 survey from the Organization of American States reports that over half of its Member States have noticed an increase in incidents against their computer systems over the past year, while only 7% report a decrease. There is an overall consensus and awareness that threat levels are high. Additionally, three-quarters of respondents report that attacks against infrastructure are becoming more sophisticated, with only 5% saying the opposite.4
No industry is immune. While organizations in the government and energy sectors are targeted most often, the areas of communications, finance and banking, security, and manufacturing also face significant challenges.5 This indicates that there is not one “safe” industry; all must be alert and proactively protect their information and the information of their customers.
“Now more than ever before, because so many high-profile companies have suffered severe security breaches, these critical technical skills are in serious demand to ensure companies are able to save themselves from meltdown. Unfortunately, too many INFOSEC professionals have traditionally come up the audit route and don’t combine the tech savvy with the business nous. It’s the classic dilemma, because someone who’s very talented technically often doesn’t carry the senior executive skills necessary from a business perspective.” - Vicky Maxwell Davies, Partner, Boyden London
Threats arrive through a variety of tactics. Phishing is the most common type of attack used against organizations, reported by 71%; many other methods are also widespread, including exploitation of unpatched vulnerabilities, DDoS, SQL injection, cross-site scripting, and hacktivist-originated attacks, among others.7 This varied arsenal shows that attackers are growing increasingly sophisticated, and that no single control covers the list: user awareness, prompt patching and secure application development each address a different part of it, so organizations must enact and enforce broader security measures to protect themselves.
“First and foremost, it’s the board’s responsibility to challenge management to understand the strategic and systematic nature of an organization’s cyberrisk vulnerability and properly allocate resources for risk management. It’s also important to create awareness holistically within a company, going beyond IT to include all executives, HR and team members to treat data with the highest level of security. Management must understand that this issue is about people and behaviors, not just technology.” - Richard Fudickar, Managing Partner, Boyden Germany
As the chart below indicates, a majority of organizations in both North and South American countries are only somewhat prepared to handle cyber incidents. In fact, there are five nations that say they are unreservedly unprepared, and only two that say they are prepared.
Moreover, government organizations in the countries that say they are only somewhat prepared have not increased their budgets for cybersecurity at all over the past year. These include the U.S., Mexico, and Colombia. Since most attacks cannot be detected using traditional security measures, an increased cybersecurity budget to enable the implementation of new tools is truly vital.9 This disconnect should be a red flag to companies and organizations. It is imperative that resources be allocated to cybersecurity efforts.
Most organizations surveyed (69%) report that they have a cybersecurity awareness program for employees. However, only about half have a disaster recovery plan or a cyber incident response plan, and just over one-third say they have adopted industrial security standards.10 These underwhelming levels of preparedness again indicate that while companies and organizations realize the potential threats and do not feel prepared, they are not taking the necessary steps to better position themselves in the face of threats.
According to a survey of 10,000 IT and security decision-makers, conducted by PwC in conjunction with CIO Magazine and CSO, spending on information security is up year-over-year, and “financial losses from cyberattacks have decreased from $2.7 million in 2014 to $2.5 million this year.” As the chart above indicates, 87% say they have seen at least one security incident over the past year, and roughly one-third say they have seen 50 or more incidents at their company or organization.11
“It’s not a question if 9-11 will be repeated, but when it will be repeated. It may not be the same thing as the 9-11 event at the World Trade Center, but it will be similar. Next time it will more likely be of cyber origin, affecting power grids, financial exchanges, transportation assets or public health infrastructure instead of a building tower. The problem remains that key law enforcement and intelligence communities are silo-focused. Unless companies and government agencies take a holistic and focused approach to national cyber risks, we are likely to see a disjointed and ineffective response to a cyberattack.” - Tim McNamara, Managing Partner, Boyden Washington D.C.
“We are looking at a completely new paradigm for security. When you add always on, always connected and couple all of that with the fact that we no longer are keeping data in our own premises, it completely changes how we have to do security.” –Tyler Shields, Security Analyst at Forrester Research
There are numerous reasons for attempts to breach security. According to a survey conducted by FTI Consulting targeting employees in the UK, financial motivation is not necessarily the primary driver behind cyber theft. Employees are actually more likely to steal data from their company when they feel disengaged, rather than solely for financial gain. That, coupled with the finding that most employees don’t expect to be with their employer for more than five years, sets the stage for disgruntled employees being capable of cyber theft. To combat this internal issue, executives must make employee engagement a part of their cybersecurity initiatives and programs.13
“While most organizations have training programs about data risk, our research found 65 percent of employees believe these programs are not adequate and 69 percent believe the greatest threat to data security is still posed by their colleagues.” – FTI Consulting
“Boards of directors and executives face a tremendous challenge in identifying, assessing, and managing risks that may affect – both positively and negatively – the organization’s strategic success.”15 – AICPA
Risk management initiatives also warrant greater attention. In a survey conducted recently by the AICPA (American Institute of Certified Public Accountants), Chief Financial Officers (CFOs) and equivalent senior executives offer some insight into their companies’ risk management policies, procedures and initiatives. The survey found that nearly six in 10 say that the volume and complexity of risks have increased over the past five years.
And, 65% were caught off guard by an operational surprise – this is even more so for large organizations and public companies. The survey also uncovered that only one in four is confident that their organization has a “complete formal enterprise-risk management (ERM) process in place.” This is consistent with last year’s findings, indicating that ERM has not been a top priority for executives and no significant developments have been made year-over-year. In addition, less than a quarter (23%) say their organization’s level of risk management is “mature” or “robust” – this is slightly higher for larger companies, public companies, and financial services organizations, at one-third. Additionally, over half of respondents say their organization’s risk management process is not viewed as a “proprietary strategic tool.”16
Nearly seven in 10 say that their board of directors desires increased involvement from senior executives in risk oversight. However, only one-third have a dedicated Chief Risk Officer (or equivalent), and just 45% have a risk committee at the management/executive level.17
“Risk managers have been concerned about being marginalized in their organizations. For years, they have fought for acceptance by upper management to get their distinct perspective and abilities absorbed into the senior decision-making process. Now, in light of current events, more risk managers are taking their seat at the table, and are being tasked with demonstrating how they can safeguard organizations and impact bottom-line performance on a strategic level.” 18 – Bill Coffin, head of publications for the Risk and Insurance Management Society
“With the globalization of businesses and trade, the CSO has to be a global executive capable of developing strategies and implementing programs globally, not confined to his or her territory. The cybersecurity threat can be initiated from anywhere and thinking locally is not an option.” - Magdy El Zein, Managing Partner, Boyden Middle East
“The central role of information places cyber security squarely on the CEO agenda.” –PwC
The C-Suite recognizes the significance of cybersecurity and risk management. According to PwC’s 18th Annual CEO Survey, Chief Executive Officers have grown more concerned with technology-related threats over the last year. 61% of CEOs say they are concerned about cyber threats – including lack of data security – compared to just 48% a year ago. And, cybersecurity technologies are considered a top priority, with nearly eight in 10 CEOs ranking this as strategically important for their organization.20
“Organizations are intensively seeking senior cyber talent, though they are having a difficult time finding the right candidates. It’s a very complicated sector with bifurcated responsibilities. Consequently, there are multiple strategies to address cybersecurity needs among the commercial, military and defense, and intelligence sectors.” -Tim McNamara, Managing Partner, Boyden Washington D.C.
The Chief Security Officer (CSO) or Chief Information Security Officer (CISO) can be a powerful position at companies and organizations that make security a priority and allocate proper resources to its enforcement. Unfortunately, CSOs/CISOs are not always given the esteem they deserve, and are not always considered an equal and integral part of the C-Suite.
The position faces many challenges. There is a general feeling among CEOs and others in the C-Suite that CISOs would be unlikely to succeed in other leadership positions outside of information security.21 This could be related to the technical nature of the CISO’s role, as compared to other C-level functions. Moreover, blame is often cast on the CISO following any breach of security within the company. In fact, in a survey by ThreatTrack Security of C-level executives at companies that employ a CISO, 44% say that CISOs “should be accountable for any organizational data breaches.” And surprisingly, more than half of respondents (54%) say CISOs should not make purchase decisions for cybersecurity-related expenses.22 This disconnect, where CISOs do not have decision-making authority but are blamed when issues arise, can be a significant barrier within organizations.
Only 26% of C-level executives agree that CISOs should be part of an organization’s senior leadership team.
As the pie chart indicates, only one-quarter of C-level executives agree that “CISOs should be part of an organization’s senior leadership team,” with three-quarters disagreeing. And, regarding CISO decision making, more than a quarter (28%) say that “a decision by their CISO has hurt their business’ bottom line.”23
Despite the general lack of confidence and respect for CISOs in the recent past, this notion is slowly beginning to change. For example, in the same survey, half of C-level respondents say that CISOs “provide valuable guidance to senior leadership related to cybersecurity.” Additionally, one-third say that CISOs are “being hired to address critical gaps in organizations’ information security capabilities.” And, CEO respondents were more likely to say CISOs should have decision-making authority compared to COOs and CFOs.24
“In the not-so-distant past, the chief information officer seat at the executive table was tentative at best. The role was seen as necessary – we need someone to lead our security efforts – but also tactical.”25
“Companies that have embraced the strategy of giving the CISO a seat at the executive table are better equipped to prepare for any breaches in cybersecurity. Increasing resources, including hiring the strongest CISO available, is a worthwhile investment.” -Ken Rich, Partner, Boyden New York
As CSOs and CISOs aspire to find their place in the C-Suite, shifting from technical conversations to those focused on business strategy will be critical. A successful CSO/CISO can translate the work they do in a way that CEOs, COOs, and CFOs will understand and find valuable. Additionally, there is a certain perception that the CSO/CISO creates roadblocks because of the layers of security in place. However, they must find ways to enable new technologies, rather than saying “no”, in order to facilitate business and add value in their organization. Another underutilized strategy that can aid CSOs/CISOs is partnering with the company’s internal marketing department. Educating the marketing team, who can often be the biggest security risk due to the public-facing nature of their work, and other employees will be a step in the right direction in achieving company-wide buy-in for increased security efforts.26
Maintaining corporate reputation is a significant task for the CSO, due to the natural business impact of cyberattacks. While breaches are ultimately inevitable, the manner in which a company responds to a breach is truly a test of brand reputation and customer loyalty.27
A CSO must be technically skilled in order to understand security systems and think like potential hackers. They must also understand how to detect attacks that do occur, and then contain and remedy them. Additionally, it is imperative that CSOs be technically curious and never complacent. They must always be thinking ahead about the next threats and new ways to prevent them. The CSO is also tasked with speaking to the press and other stakeholders when breaches occur – therefore they must inspire confidence and trust that the company is handling the situation in the best possible way.28
Over the next few years, the role of the CSO/CISO will shift to focus on holistic business strategy and communication to a greater extent. CSOs and CISOs are likely to come from more diverse backgrounds and from different industries and areas of expertise. While they may be slightly less technically skilled than their predecessors, they will have other important leadership and management skills that are also necessary in this transforming role. The responsibilities of the role will evolve as well; however, the immense pressure the job currently comes with is unlikely to abate.29
“New CISOs originate from other areas of the business already aligned to risk. Fewer will originate from an audit and compliance background but a closer understanding of legislation, governance and ultimately risk is important with a necessary skillset to demonstrate understanding in this area. The traditional route to the role of CISO may also continue with technical, consultant and adviser skills all considered as a good background to the role.” –Neil Thacker, Information Security and Strategy Officer, Websense
“Boards, CEOs and CIOs should be proactively assessing risks with a constant sense of urgency. The costs of data breaches affect not only IT operations but also impact reputation, client relations, suppliers, partners and other stakeholders, in addition to the consequences with regulators.” -Francis Vaningelgem, Managing Partner, Boyden Belgium & Luxembourg
As cyberattacks and data breaches grow more ubiquitous, the demand for cybersecurity professionals dramatically increases. According to the Cisco 2014 Annual Security Report, there is a worldwide shortage of information security professionals, with 1 million open positions.30 According to the 2015 (ISC)2 Global Information Security Workforce Study of 14,000 security professionals,31 the information security workforce shortfall is widening. In 2015, 62% of survey respondents reported that their organizations have too few information security professionals, compared to only 56% when the survey was last conducted in 2013. The reasons for the dearth also changed. In 2013, budgetary constraints were the main reason cited for a lack of security staffing, but as the economy has improved and organizations have placed greater priority on security measures, the main rationale cited for the shortfall in 2015 is a lack of qualified candidates.
In this landscape, there has been a rise in CISO and CSO hiring within the executive suite, and there are no signs of a slowdown anytime soon. Companies recognize that cybersecurity is not simply a function of the IT department, but rather an area that warrants focus in and of itself.32 To effectively build robust network security programs or enhance preexisting ones in a risk-fraught world, companies across all industries are targeting leaders that can adapt at a moment’s notice.33
There is no definitive career path to becoming a CISO or CSO. In general, the ideal candidate must be well-versed in all parts of a business, not technology alone. According to Bruce Schneier, CTO of Co3 Systems Inc., “If you want to be a CISO you need tech skills and people skills and that’s pretty hard to find.”34 CSOs will not only need to be able to communicate to the IT department, but also to the C-Suite, the legal department, and even the PR/marketing department, in the event of a crisis.
Additionally, CSOs need to be able to keep up with ever-evolving technological and political landscapes. On the technology front, cloud computing, BYOD (bring-your-own-device), and mobility trends in the workplace are constantly forcing companies to rethink their practices, as the boundary between the corporate network and the outside world blurs and poses new security challenges.35 A CSO must have the skillset to protect valuable company systems and data as technology changes and is adopted. On the political front, a CSO must be able to deal with the issues related to compliance with corporate security policies, especially when it is difficult to limit corporate use of cloud computing to approved, certified cloud providers and very simple to access work email on a personal cell phone.36 In today’s workplace, CSOs must create a secure environment while also giving employees some level of freedom and flexibility.
Prior leadership experience and certain credentials are also desirable in a CSO candidate. While it is not required to have served on the executive board of another company, having expertise on a smaller scale as a project manager, technical lead, or even a mentor to a team helps candidates stand out.37
An undergraduate degree in computer science, information security, IT management, or another related field, as well as a graduate degree such as an MBA, is desirable.38 Proven technical and business acumen demonstrates an ability to understand how cybersecurity fits into the greater context of a company’s operations. Certifications, such as the Certified Information Systems Security Professional (CISSP) credential, are also viewed favorably. According to Certification Magazine, a “CISSP [credential] is to information security what the CPA is to accounting. While job descriptions might not state a formal requirement for the credential, candidates lacking the certification face an uphill battle.” Furthermore, ISACA’s Certified Information Security Manager (CISM) certification – which requires passing a 200-question exam on security governance, risk management, security incident management, and compliance – may also enhance the qualifications of a CSO candidate.39
Lastly, CSOs must be able to establish a sense of authority within a company and be a cultural fit.40 Along with the other executives in the C-Suite, CSOs must exert influence and have a public presence within the company.
“In life sciences and healthcare, cybersecurity is a high priority, though international Swiss companies tend to be better prepared to tackle the issues than local players. In addition, more executive committees and supervisory boards are focused on better collaboration in terms of cybersecurity strategy, particularly given the increasing threats to patient and other sensitive data. An important part of this stronger focus includes the right people, and that often means new talent with the right skills and experience.” -Sabine Brunthaler, Partner, Boyden Switzerland
While obtaining financial data is often the primary goal for hackers, some now methodically attack medical data.41 Because credit card companies, banks, and financial institutions have been a target for many years, they have evolved and have learned ways to protect customer data and prevent cyberattacks. However, the same cannot be said about institutions dealing with medical data, such as insurance companies and hospital systems. The argument can also be made that medical data are far more valuable than a stolen credit card, making them even more enticing for hackers.42
Despite the potentially straightforward solutions that now exist, there are industry-specific complications that make cybersecurity initiatives challenging to implement for healthcare enterprises. For example, each insurance company, hospital, clinic or office has its own system and interface. Implementing cybersecurity solutions will not be seamless across these often different platforms, and yet these organizations work together and share data, leaving apparent holes of which hackers can easily take advantage. Adding to the dilemma, federal meaningful-use incentives (introduced by the HITECH Act and reinforced in the Affordable Care Act era) push providers to adopt electronic health records, putting more sensitive data online and in transit between organizations.43 Together, these issues make cybersecurity initiatives a challenge for the healthcare industry, despite the growing need for security.
According to a survey from the SANS Institute of professionals involved in promoting better security and privacy in healthcare organizations, the industry faces some significant weaknesses. More than four in 10 respondents say that current data breach detection solutions are ineffective; over one-third say training and awareness initiatives are ineffective; and over half consider the negligent insider as the chief threat. Survey respondents are aware that there is a deep need to increase cybersecurity efforts and make them a priority. Respondents also display consensus in reporting drivers of security and compliance, which include the following:
“Cybersecurity has become a critical focus and top priority for all financial services firms. It is no longer ‘if’ they will get attacked – it’s when and how often. Firms, until recently, reacted in crisis mode, but are now hiring top talent, brilliant technologists to put standards and processes in place to be ahead of the hackers and protect their customers. This will remain a priority as technology is ever-changing.” -Jeanne Branthover, Leader of Boyden’s Global Financial Services Practice and Managing Partner, Boyden New York
The financial services sector has been a target of cyberattacks for many years, since the types of information to which banks have access are both highly confidential and valuable to hackers. Regulators have stressed the importance of taking risk management very seriously.46 According to PwC’s State of Information Security Survey for 2016, three key findings stand out for the financial services sector in the coming year.
First, assessing third-party security capabilities will be a challenge. Because financial services companies share data and information with third-party vendors, it is important to be aware of vendor security efforts. Second, the use of mobile devices and apps for banking and payments has significantly increased among consumers, and these transactions must be secured. This is a major priority for financial services companies, and advanced authentication is one way in which they have begun to minimize risks. Finally, financial services companies are concerned with complex attacks from abroad. Some actors appear to be working in conjunction to attack companies, and there is speculation that organized crime in other countries is entering the realm of cybercrime.47
Some financial services firms are proactive on this front, even using cloud-enabled cybersecurity tools and services and big data analytics, as well as advanced authentication and biometrics.48 In fact, Bank of America, under the direction of CEO Brian Moynihan, says there is no spending limit for its cybersecurity team. Moynihan says the bank will spend approximately $400 million on cybersecurity this year. He explains that while this policy is rare and even unprecedented, it is imperative in order to prevent financial and customer data from falling into the wrong hands.49
“There has been a great degree of formal and informal cooperation among the large Canadian financial institutions around cybersecurity issues including the sharing of information and best practices. There is recognition by these organizations, many of which are direct competitors, that they are all likely to be victims of a cybersecurity breach at one time or another. These players recognize that in the case of cybersecurity, it’s preferable to cooperate rather than compete.” -Kevin Gormely, Partner, Boyden Toronto
“I go to bed every night feeling comfortable that the group [cybersecurity team] has all the money – they never have to ask. The only place in the company that doesn’t have a budget constraint is that area.” –Brian Moynihan, CEO, Bank of America
The consumer and retail industry has also been a target of cyberattacks in the recent past. As technology and the use of mobile increase, more customer data and payment information are at risk. In fact, in 2013, 95% of attacks were in the consumer and retail sector alone.50 Understandably, these breaches significantly impact consumer confidence, which also negatively impacts the bottom line. For example, one company saw a 46% drop in profits immediately following a data breach. Despite the clear risk for retailers, companies in the industry have been slow to adopt cybersecurity strategies. This is especially perilous considering that the majority of attacks originate with outsiders who attempt to penetrate company networks, and succeed.51
“The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident.” –IBM’s Global Retail Solution Lead
One strategy that banks and credit card companies are utilizing increasingly to make transactions more secure is two-factor authentication. Retailers adopt this method to protect customer payments, especially when transactions are completed online or via mobile.52 A few more of the largest priorities and expected trends through 2016 in the industry include:
The following firms epitomize the changes taking place across a set of diverse industries facing cybersecurity threats.
Uber is a US-based transportation company that connects millions of riders to drivers through a mobile app. Currently, the company is valued at more than $50 billion and operates in 300 cities across 56 countries.54 In April 2015, the company hired Joe Sullivan, former Facebook Security Head, as its CSO. At Facebook, Sullivan helped defend the company from hackers looking for users’ valuable personal information, and prior to that, he led security operations at eBay and PayPal and prosecuted cybercrime at the Department of Justice.55 His hire indicates that cybersecurity has become a greater area of focus for Uber as the company rapidly expands along with its data infrastructure.56
“I’m excited about Uber’s mission of revolutionizing transportation and, like Travis and the leadership team at Uber, firmly believe building world-class safety and security are critical to that mission. I had the good fortune to work at two amazing companies – eBay and Facebook – when they were growing rapidly. I look forward to bringing the best practices that I’ve learned along the way to Uber and doing defining work in bridging the divide between the digital and physical worlds. There’s a great foundation of safety already in place; my goal is to make it even stronger.” –Joe Sullivan, Chief Security Officer, Uber
In June 2014, Target – the second-largest discount retailer in the United States – hired Brad Maiorino, who served as a CISO at General Motors and General Electric. At Target, he oversees the company’s information security and technology risk strategy. He came at a crucial time in Target’s history, as the company had previously experienced a data breach that impacted the payment card data and information of millions of customers. He reports directly to the CIO. Maiorino’s appointment underscores a concerted effort to overhaul the company’s information security practices and have an advocate for IT security investment at the executive level.57
“Having led this critical function at two of the country’s largest companies, [Maiorino] is widely recognized as one of the nation’s top leaders in the complex, evolving areas of information security and risk. As an organization, we have made a commitment to our guests and our team that Target will be a retail leader in information security and protection. We believe [Maiorino] is the right person to lead that change.” –Bob DeRodes, Chief Information Officer, Target
Since 2013, Jim Routh has been spearheading Aetna’s cybersecurity strategy, first as the company’s CISO and, since 2015, as its CSO. He previously served as Global Head of Application and Mobile Security for JP Morgan Chase and as CISO at KPMG, DTCC and American Express. When Routh joined Aetna, the company was facing a barrage of spam and cyberattacks, including millions of email messages that used Aetna’s name to trick consumers into handing over their personal information.58 Since joining the company, Routh has worked to educate its board members about the importance of cybersecurity and risk management. According to the Wall Street Journal, Routh has helped Aetna treat security breaches as investable business risks that need to be managed, much like fluctuating currency prices and the threat of lawsuits.59
“We’re transparent about the risks to pretty much anyone inside the company because knowing the risk is the first step towards mitigating and managing that risk long term.” –Jim Routh, CSO, Aetna
NATS is a UK-based provider of air traffic control services. Each year, the company handles over 2.2 million flights and 220 million passengers in UK airspace alone, in addition to working with more than 30 countries across Europe, the Middle East, Asia and North America.60 NATS acknowledges that air traffic control could be a soft target for hackers; one threat it cites is an attacker creating a phantom aircraft by transmitting a forged signal.61 In 2014, NATS hired Andrew Rose as its CISO and head of cybersecurity. Prior to joining NATS, Rose served as Principal Analyst in Forrester Research’s Security and Risk practice and as a CISO in the legal sector.62 In his role at NATS, Rose is less involved in on-the-ground decision making and instead focuses on communicating to the executive board why the company must spend money on cybersecurity.
“My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market. It’s all about getting the board’s head in the right place so that they’re okay with spending money and putting resources into this, and they realize the benefit in it. I don’t think I am alone as a CISO operating at that level, and I think more CISOs will have to do that in future.”63 –Andrew Rose, CISO, NATS
FTI Consulting (NYSE: FCN) is a global business advisory firm dedicated to helping organizations protect and enhance enterprise value in an increasingly complex legal, regulatory and economic environment. Boyden sat down with two of FTI’s cybersecurity and risk management experts from the US and Europe for their perspectives.
Scott Corzine is a Managing Director at FTI Consulting in New York. He is in the Global Insurance Practice in the Forensic & Litigation Consulting segment and co-heads the Risk Management Consulting group. Corzine is considered an expert in operational resilience, business continuity and IT disaster recovery management, cybersecurity, and emergency and crisis management.
Alejandro Sánchez is a Senior Director in FTI’s Brussels office. He is the former Head of Cabinet of the Spanish Secretary of State for Security as well as the former Head of the Spanish delegation to the EU Standing Committee on Operational Cooperation on Internal Security. Sánchez is also a member of the American Chamber of Commerce EU Security and Defence Committee.
Boyden: What are companies facing cybersecurity threats doing to protect themselves?
Corzine: Across the board, in some cases more aggressively and proactively than others, companies are stoking up their weaponry to keep the bad guys out, as assessments highlight areas of technical vulnerability. When the bad actors create a new offensive weapon, defenses have to be upgraded.
So, as the bad guys get better at how they attack, the good guys are getting more aggressive with how they defend themselves, in an endless and unavoidable cycle of escalation. That includes all the “toys” that companies buy around perimeter defense, access control, intrusion detection, and all those kinds of issues. Good companies are spending aggressively on those defenses, some as much as 10 percent or more of their IT budgets. Lesser companies often are spending less aggressively, averaging less than five percent of IT spending.
Boyden: Are boards and senior management taking greater notice in terms of their actions?
Corzine: Ten or 15 years ago, in the directors’ board book that they receive before every quarterly company meeting, the meaty sections were on financial results, manufacturing operations, executive compensation and the like. Risk management might have been all of a paragraph or a page.
Today, smart companies are spending a lot more board attention and C-Suite preparation on risk management, and cybersecurity is certainly a key topic.
But, it goes further than that. Directors are interested in the implications of any personal D&O liability exposure. A significant data breach – and a bungled response by management – can immediately impact share price and reputation, and it takes somewhere on the order of 80 weeks on average to begin reputation recovery.
So, in addition to having faith in their CIO and having a CISO in place, we’re seeing boards hiring outside. Also, third-party experts are coming in and independently “kicking tires,” reporting to the board on alignment with an information security standard or framework, and then benchmarking the organization against its industry peers. This typically can lead to a vulnerability remediation plan and a more robust cyber incident response plan. It’s all part of an increased emphasis we’re seeing on governance, risk and compliance at the board level around operational risk, especially cybersecurity.
Sánchez: I’m convinced that it has become a bigger priority for most companies. If you follow the amount of cyberattacks that big companies receive – as well as small- and medium-sized companies – and discover at the end of the year that you have spent a lot of money in order to remedy the situation, boards and companies realize they must invest in resources and human capital to avoid the same situation down the line. The CIO, CISO, HR and the communications teams must be closely linked to the senior executive levels.
Boyden: Do you see cybersecurity as something organizations know they need? Or do you see some reluctance in implementing measures that they know may be necessary?
Corzine: Cybersecurity should be on everyone’s radar. In the US, you still have a continuum of companies from the ones that are quite aware of how vulnerable they are, down to companies that are still of the old “ostrich” mindset, where they think, “Hey, we haven’t been hacked yet, so we must be safe and we must be doing something right.”
But the problem is that there are essentially two kinds of companies in the world, in our view – companies that have been hacked and know it, and companies that have been hacked that haven’t figured it out yet. So, if it’s not on their top line of awareness from a risk management perspective at the board level, they’re probably doing something wrong.
Boyden: How does resilience play a role in cybersecurity strategy?
Corzine: Because vulnerability to a hack is so pervasive, “resilience” is a rational objective for CISOs and for boards. “Prevention” is a nice aspiration, but an irrational objective that will forever be thirsty for funding. We believe that some of organizations’ IT security spend needs to move from the prevention and detection side over to the response and recovery side, in terms of a budget remix.
The costs for reputation recovery can be staggering. Hiring a top cyber forensics team, paying for crisis communications expertise, and having experts who can prepare executives for regulatory or Congressional testimony, are all key relationships companies should explore, because it’s hard to do all that internally after they’ve suffered a breach.
Banham, R. (2015). Rising Trends in Risk Management. Retrieved from: http://online.wsj.com/ad/article/managingrisk-trends
Beasley, M., Branson, B. & Hancock, B. (2015). 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities. Retrieved from: https://www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf
Bednarz, A. (2015). Cisco estimates a million unfilled security jobs worldwide. Retrieved from: http://www.networkworld.com/article/2893365/security0/shortage-of-security-pros-worsens.html
Bonderud, D. (2014). Cyber Security Challenges: How Do Retailers Protect the Bottom Line? Retrieved from: https://securityintelligence.com/cyber-security-challenges-how-do-retailers-protect-the-bottom-line/
Boulton, C. (2015). More CISOs Needed to Battle Cybersecurity Threats in 2015. Retrieved from: http://blogs.wsj.com/cio/2014/12/18/more-cisos-needed-to-battle-cybersecurity-threats-in-2015/
Boulton, C. (2014). Target’s Lack of CISO Was ‘Root Cause’ of Systems Breach. Retrieved from: http://blogs.wsj.com/cio/2014/09/30/targets-lack-of-ciso-was-root-cause-of-systems-breach/
Bowman, H. (2015). 2015 Consumer Markets Trend: Cybersecurity/Retail Fraud. Retrieved from: https://blogs.perficient.com/consumermarkets/2015/04/21/2015-consumer-markets-trend-cybersecurityretail-fraud/
Bruemmer, M. (2015). The CSO’s New Role: Guarding Company Reputation. Retrieved from: http://www.securitymagazine.com/articles/86158-the-csos-new-role-guarding-company-reputation
Chapple, M. (2015). IT job profile: So you want to be a CISO. Retrieved from: http://certmag.com/job-profile-want-ciso/
Cisco. (2014). Cisco 2014 Annual Security Report. Retrieved from: http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
Deign, J. (2014). What Might it Take to Be a Chief Security Officer in 2014? Retrieved from: http://newsroom.cisco.com/feature-content?type=webcontent&articleId=1304414
Drinkwater, D. (2015). What will the CISOs of 2020 look like? Retrieved from: http://www.csoonline.com/article/2989823/it-careers/what-will-the-cisos-of-2020-look-like.html
Filkins, B. (2014). New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations. Retrieved from: https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
FTI Consulting. (2015). Strong Employee Engagement is First Line of Data Defense Against Cyber Crime. Retrieved from: http://research.ftistratcomm.com/2015/03/25/STRONG-EMPLOYEE-ENGAGEMENT-FIRST-LINE-DATA-DEFENCE-CYBER-CRIME/
Hulme, G. V. (2015). Survey says enterprises are stepping up their security game. Retrieved from: http://www.csoonline.com/article/2988168/security-leadership/survey-says-enterprises-are-stepping-up-their-security-game.html
Kalanick, T. & Sullivan, J. (2015). Joe Sullivan Joining Uber As First Chief Security Officer. Retrieved from: http://newsroom.uber.com/2015/04/joe-sullivan-joining-uber-as-first-chief-security-officer/
King, R. (2015). Cybersecurity at Aetna Is a Matter of Business Risk. Retrieved from: http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/
Li, S. (2015). The Next Cybersecurity Target: Medical Data. Retrieved from: http://www.theatlantic.com/technology/archive/2015/03/the-next-cybersecurity-target-medical-data/388180/
Lynch, D. (2015). Uber Hires Facebook Security Head As Chief Security Officer. Retrieved from: http://www.ibtimes.com/uber-hires-facebook-security-head-chief-security-officer-1868758
MacMillan, D. & Demos, T. (2015). Uber Valued at More Than $50 Billion. Retrieved from: http://www.wsj.com/articles/uber-valued-at-more-than-50-billion-1438367457
Morgan, S. (2015). Worldwide cybersecurity market continues its upward trend. Retrieved from: http://www.csoonline.com/article/2946017/security-leadership/worldwide-cybersecurity-market-sizing-and-projections.html
NATS. (2015). Company Website. Retrieved from: http://www.nats.aero/
O’Daniel, A. (2015). Moynihan: BofA’s cyber security given unlimited budget ‘to keep us safe’. Retrieved from: http://www.bizjournals.com/charlotte/blog/bank_notes/2015/01/moynihan-bofas-cyber-security-given-unlimited.html
Palm, S. (2015). Risk Trends to Watch for in 2015. Retrieved from: http://www.americanbanker.com/bankthink/risk-trends-to-watch-for-in-2015-1071972-1.html
PwC. (2015). 18th CEO Survey 2015: Key Findings. Retrieved from: https://www.pwc.com/gx/en/ceo-agenda/ceo-survey/key-findings/technology.html
PwC. (2015). Cybersecurity challenges in an interconnected world. Retrieved from: https://www.pwc.com/us/en/retail-consumer/publications/assets/pwc-gsiss-2015-industries-retail-consumer.pdf
PwC. (2015). Supersizing cyber security investments. Retrieved from: http://www.pwc.com/us/en/health-industries/behind-the-numbers/cyber-security-prevention.html
PwC. (2015). The Global State of Information Security Survey 2016 – Financial services summary. Retrieved from: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/industry/financial-services.html
PwC. (2015). The Global State of Information Security Survey 2016: Key Themes. Retrieved from: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/key-findings.html
SC Magazine. (2015). Andrew Rose: Chief Information Security Officer and Head of Cyber Security. Retrieved from: http://www.scawardseurope.com/judges/andrew-rose/
Schlein, T. (2015). The Rise of the Chief Security Officer: What It Means for Corporations and Customers. Retrieved from: http://www.forbes.com/sites/frontline/2015/04/20/the-rise-of-the-chief-security-officer-what-it-means-for-corporations-and-customers/
Shaw, K. (2014). In High Demand, CISOs Need Boardroom Skills to Succeed. Retrieved from: http://www.itbusinessedge.com/blogs/charting-your-it-career/in-high-demand-cisos-need-boardroom-skills-to-succeed.html
Sheidlower, N. (2015). The Rise in the Demand for CISOs. Retrieved from: http://www.securitycurrent.com/en/analysis/ac_analysis/the-rise-in-the-demand-for-cisos
Suby, M. & Dickson, F. (2015). The 2015 (ISC)2 Global Information Security Workforce Study. Retrieved from: https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-%28ISC%29%C2%B2-Global-Information-Security-Workforce-Study-2015.pdf
Thomson Reuters. (2015). Top Compliance Trends for 2015. Retrieved from: https://risk.thomsonreuters.com/infographic/top-compliance-trends-for-2015
Threat Track. (2015). No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers. Retrieved from: http://www.threattracksecurity.com/resources/white-papers/chief-information-security-officers-misunderstood.aspx
TrendMicro. (2015). Report on Cybersecurity and Critical Infrastructure in the Americas. Retrieved from:
Tripwire. (2015). Why Hackers Are After The Healthcare Industry. Retrieved from: http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/why-anthem-why-now/
Veracode. (2015). 3 Ways CISOs Can Improve Security’s Reputation. Retrieved from: https://www.veracode.com/blog/2015/05/3-ways-cisos-can-improve-security%E2%80%99s-reputation
Walker, G. (2013). Is air traffic control a soft target for hackers? Retrieved from: http://nats.aero/blog/2013/10/is-air-traffic-control-a-soft-target-for-hackers/
Zweig, D. (2015). What payers can learn from Aetna’s CISO. Retrieved from: http://www.fiercehealthpayer.com/story/what-payers-can-learn-aetnas-ciso/2015-09-03