Federico Charosky, MD of Quorum Cyber, talks to Pete Swift about the maturation of the cyber security industry, and explains how security teams can show business benefits without relying on ROI.
The events of 2018 have served to underline the growing levels of disdain directed at organisations that fail to safeguard the information they have in their care. They have also shown just how detrimental the reputational fallout can be, as Facebook’s shareholders will be painfully aware.
Cyber security is a main theme of DigitExpo, Scotland's biggest IT and digital showcase, which takes place in Edinburgh on November 14.
Federico Charosky, MD of Quorum Cyber, thinks we are entering an age where information security will serve as a core business differentiator. He believes organisations are going to be subject to a new level of scrutiny, and that security standards are going to be a key determinant in public perception and whether businesses succeed or fail.
“There’s no such thing as perfect security. There will always be weakness or vulnerability – ultimately everyone can be breached. But it’s about how you were compromised that is becoming increasingly important. In this respect, we’ve seen the conversation move on and pay a lot more attention to the circumstances that lead to a breach – was it really unfortunate or really incompetent?
“There are two dimensions to this. If you were a company that genuinely had been doing the right thing and went to responsible lengths to protect yourself but did, ultimately, get breached then you were just really unlucky. But then there’s Equifax, and that’s where we have a big schism.
“How you respond to a breach also shows who you are as a company. If you own up to what happened, take responsibility and notify your customers in a reasonable timeframe, then I honestly think public opinion will sway in your favour because you were doing the best you could.
“Whereas companies that didn’t take reasonable precautions, didn’t follow up on risks or vulnerabilities, didn’t own up when a breach occurred – and lied or masqueraded the whole thing as a bug bounty exercise – like we’ve seen recently. That’s a company that’s in a different position. They are doing all the wrong things.”
But with such broad parameters, how do we begin to define what constitutes appropriate precautions – how much money spent or time invested is considered reasonable? Particularly when you bring cyber insurance into the fold, if companies are going to get breached regardless, is it not understandable that some would rather invest in insurance than security?
“You don’t look at cars and say why do we bother investing in airbags and seatbelts because we have insurance settlements. You want to make it as safe and low risk as you can. There’s always a certain amount of residual risk that you are going to have to live with, but it’s about having sensible precautions and controls, making sure we do the basics right.
“But where exactly that pendulum swings in terms of determining what is proportionate is harder to define. It’s about maturing as an industry, getting better and being responsible.
“Increasingly, we are seeing business using security as a differentiator, saying that they are more secure than their competitors. So the amount of effort they apply to ensuring high standards is an important element in earning the trust of the customer.”
For that to come to pass in any meaningful sense, will we need an impartial adjudicator that will introduce metrics or ranking systems and offer a credible distinction between the organisations and their respective level of security?
“I do wonder how that is going to play out. The Government would be an obvious choice and, with GCHQ and NCSC, I do think we have a credible and objective source. They are highly competent and the information and advice they provide in the UK is far better than the information given anywhere else by a public body. And, arguably, the Cyber Essentials programme is already serving as a first point of differentiation.
“Ultimately, I’m not sure we’re going to get that one body that will be a source of all the information and rank each organisation, but there will be other identifiers we can use. I think people will vote with their feet and start going to organisations they trust.
“Similarly, insurance premiums will be a good sign. Insurance companies are great at differentiating risk because they accrue so much data to base their decisions on. They’ve been modelling consequence, action and reaction for decades so they have better modelling techniques than anyone.
“There’s no emotion in it either. Insurers make their calculations on cold hard facts, so over time they will have the data to be able to identify those companies that are dramatically more secure than their competitors.”
With this focus on security as a differentiator, is this going to be the turning point for security to become a collective concern for the wider organisation? For many years there has been criticism in security circles that they don’t get adequate support and buy-in from the board. Is this shifting now that organisations are using security as a selling point?
“There is this archetypical idea that the board is uneducated in terms of cyber security – that they are uninterested or disconnected because it’s not a profit and loss conversation. I couldn’t disagree more.
“It’s very convenient for people to blame the lack of support or sponsorship at board level, but I think it’s utter bullshit. In fact, if I look back at the boards I’ve worked with over the past five years, I think, on the whole, everyone has been really willing to engage. Maybe some of the technicalities escape them, but they are completely aware of the risks and they genuinely want to address them.
“So I have not come across this idea that boards are disinterested or unwilling to invest. When the risks are communicated effectively, I think the only thing you’ll see is willingness and movement to support them being addressed. I think the real challenge is translating that willingness into tangible operational tasks, and how you make it trickle down to have the desired outcome.”
In terms of the alignment needed to make those strategic goals deliver those desired outcomes, do you think this perceived gap between security teams and the board is narrowing?
“I think the composition of boards is changing because my generation is getting into board level positions. There has been a natural progression where there’s a bunch of guys who grew up with technology in the 80s and 90s now moving into board roles.
“I think the whole distinction between technology and business is being obliterated. It’s not that business people have learned tech, or tech guys have made it to the board. I think there is no fundamental distinction anymore. That has made every individual in business intrinsically geeky because they’re all using technology, managing data, processing transactions and are responsible for privacy and security.
“This has permeated beyond a niche skill that you hire in because it’s everywhere. We are the digital generation so I think tech acumen is innate in the boardroom and is becoming increasingly more so. Particularly with the start-up organisations that were born out of these digital cradles, that distinction is just not there. In fact, it is this lack of distinction that is fundamental to who they are.
“Every company is an IT company now. The fact a bank processes money is almost incidental – same with companies that move insurance or cars. They are all intrinsically becoming IT companies.”
So, fundamentally, you don’t think there’s a disconnect between security, IT and the board.
“I don’t disagree that there’s a disconnect. I just blame us for not moving the conversation to where we need it to be. Not accepting the rules of the game and the fact that you will be measured on ROI is the first mistake.
“Now, I realise that’s hard because as much as we’ve tried as an industry, we’ve categorically failed to find an ROI from security. But the way I think we can measure it is in benefit of investment, because there definitely is a benefit to what you do in security, and we need to articulate it at that level.
“If you make it tangible from that perspective then you can have a really clear basis for outcome from investment. It’s just not a direct monetary outcome, and that’s the only way it differs from ROI. We’re not a direct bottom-line money generator. We are there to keep our customers and the business safe and to maintain the trust.”
In terms of defining those points and making that tangible, if security can’t show definitive figures like an ROI, how can the key benefits be demonstrated effectively?
“Threat models are one method – understanding what a company is up against and exposed to. So a benefit of that is being able to show that the money you spent was able to mitigate the risk and protect against a threat. Through this you can show clear areas where the organisation used to be vulnerable and is now resilient against these attacks.
“And this can be done concisely and graphically to the board to communicate change and progress that’s been made from investment. It’s about providing assurance for where the money has been spent, and I think that is where we’ve been terrible as an industry. I think we as the vendors have failed in the way we’ve gone about providing that assurance.
“Reputation is another crucial benefit, because customer trust is a key currency. This area has become a lot more visible because the volume of hacks and breaches being reported has made it much more apparent how damaging failure in this area can be. No matter what it is your organisation does, it exists in someone else’s ecosystem or value chain, and you need to maintain the trust to keep that place.
“Across the supply chain, customers are placing a lot more weight and doing a lot more due diligence in cyber security. Whereas, before, you would just show a badge, qualification or ISO certification, now there is a much more thorough verification process. They want to make sure you are doing what you say you do, applying the right safeguards, demonstrating that reliability and honesty.”
How do you think most organisations are dealing with this increased scrutiny? Have they had to increase standards and tighten up procedurally or is this just about being more vocal about the processes that were already in place?
“From a company process I think there is now a real sense that people want to get to that level of maturity in security. Companies do want to invest into it and get it right. There used to be a significant gap between what they used to say they were doing, in terms of the measures they took, and what they were actually doing in practice.
“Now they are closing that gap and backing it up with action. Unfortunately, this does mean that they were basically lying before, but there is the positive upside that this is now changing and the situation is improving.
“Regulatory changes have shifted the bar as well. The recent General Data Protection Regulations (GDPR) have presented an interesting opportunity because it’s been a chance for people to clean up – a chance to draw a line, make the change and start doing the things they should have been doing before. In this respect, GDPR is already having an impact. It’s getting people to pay more attention, spend some time and money improving the way they operate.
“And, to be honest, it’s about time we start doing things right.”
This article was originally published on DIGIT.