THE TIME TO APPOINT A HEAD OF CYBERSECURITY IS NOW

By John J. Keller, Patrick M. Gray, and Wayne R. Worthington

The escalation in cyber-attacks, leaving hundreds of millions of consumer accounts and personal data naked, is growing at frightening levels and showing no signs of slowing down. So too are physical security compromises—many with lethal consequences. With people everywhere vulnerable to this scourge, and investors seeing their investments melt down, many want to know who should be in charge of turning this around, and is enough being done to find the right leadership to ensure security and protect critical data.

The average data breach costs a publicly traded company $116 million. Equifax spent a whopping $1.7 billion in remediation costs after its 2017 hack. In the first six months of this year, more than 500 data breaches affecting 163 million people were reported. Company and organization IT departments are struggling with tens of thousands of attempts a day and rising — and this is just in the US. Is your data protected, or will you be the next organization in the long list of companies severely impacted by unauthorized access, insider threats, phishing, malware and other break-ins?

Every month another major company makes the news not for its record profits or an exciting new product, but because of a likely avoidable cybersecurity problem. Think Garmin, Equifax, Capital One, Marriott. Just recently Uber announced the personal information of 57 million customers, including names, emails and mobile phone numbers were stolen—in 2016!

Cybersecurity crises seem never-ending.

Now, as remote work in response to coronavirus becomes the new norm, cybersecurity concerns are elevated. With that in mind, and as part of Raines International’s new Security Practice, Raines International spoke with a dozen cybersecurity leaders to identify emerging trends in the field.

In recent years, Raines has observed the convergence of cyber and physical security, as well as a growing need for leaders in this space. Cybersecurity leaders for global organizations with $1-$15 billion in revenue echoed these concerns. This need to blend the two disciplines is manifested in a variety of ways, depending on an organization’s size and industry. Convergence requires organizations to acknowledge that cyber threats are not just the obvious hack into a system, but exploitation of data that may even already be public.

The world’s rush into mobility has made all of us and what we own more vulnerable. And there are growing national security implications. In one famous example, publicly-available Strava running data, generated by military personnel wearing mobile physical activity devices,  unintentionally revealed the location and perimeter of military bases in Afghanistan.

“We design a tool for a specific purpose but hackers will use it to do something entirely different that may have not crossed the minds of those who developed it nor of those who run it in their organizations,” Elad Yoran, Executive Chairman of KoolSpan and CEO of Security Growth Partners explains. Add new technologies into the mix, like the 5G rollout, and any organization with IP or confidential information that is not considering its cybersecurity weaknesses could be found negligent.

Forward-thinking, younger organizations tend to be more aware of the convergence of physical and cyber domains, cybersecurity leaders told Raines, whereas legacy organizations may be a bit behind the curve. One concern is that legacy leaders may be slow to respond to the need of this newer approach as it may eliminate their positions and skill sets. Regardless, the dangers posed by this growing threat should outweigh the career considerations of a relative few. This needs more attention now. “Are people investing enough time and money in this? No,” says Paul Ferrillo, a partner at McDermott Will & Emery, who specializes in cybersecurity and regulatory aspects of cyber security. “America is taking a very long time to understand cybersecurity despite years of it being headline news.”

Once an organization decides it needs a cybersecurity leader, the problem lies in finding the right candidate and creating the right position. This problem is not easily solved due to a major shortage of talent both from a leadership perspective and down the organizational chart. “There aren’t enough qualified people out there,” Ferrillo says. The 2019 (ISC)2 Cybersecurity Workforce Study found that the U.S. has a cybersecurity workforce gap of half a million people. “By combining our U.S. cybersecurity workforce estimates and this gap data, we can calculate that the cybersecurity workforce needs to grow by 62% in order to meet the demands of U.S. businesses today.” (ISC)2, the membership organization for cybersecurity professionals, blogged. Since cybersecurity is relatively a new field with these shortages in talent, organizations may need to be creative and find talent in different industries like physical security, financial, or DevOps backgrounds.

Several executives agreed with Raines that the best CSO is a difference maker who understands risks, threats, and business continuity. The details of where the threats live — whether online or physical — can be taught. Ultimately, organizations need to have a plan before an intrusion because it’s not just an organization’s data or IP that’s at risk. After all, it was not just the hack of 147 million Americans’ personal data that doomed Equifax; stocks plummeted and executives were fired because of the slow detection of the intrusion coupled with nearly $700 million in regulatory fines. Even worse, the intrusion was easily preventable.

With client or customer personal data on the line, an organization can be held to countless regulations and laws.  “When dealing with public and sometimes private companies with lots of personal identifiable information, the question that comes out of the boardroom or C-suite is now what do we do?” Ferrillo says. “How do we handle the breach? Who do we disclose it to? Between federal law, SEC law, HIPAA law, New York law, and California law, there’s all sorts of disclosure requirements and they all have time attributes to them. New York says you need to notify the authorities within 72 hours. That’s not a lot of time when you’re in the middle of a sophisticated malware attack.” As such, organizations must have an aggressive leader and operational cyber structure in place to kill attempted invasions at the doorstep before they can wreak havoc. Same goes for having an efficient alert plan that can quickly take down intruders who still manage to make it inside.

Depending on the size of an organization, one leader may be tasked with both sides of security, while another organization may have one cyber leader and a physical security leader who work in tandem. A third option presents: An organization may appoint a Chief Risk Officer to oversee both physical and cyber security concerns, as well as any other concerns including regulators. “One thing that organizations can do is look at a layer above both cyber and physical security, and think of it as a risk management endeavor of which cyber and physical security are both components,” Yoran tells Raines. Leadership is critical and with the shift to work-from-home, companies need to establish processes to monitor for insider threat and prevent outsider threats. Ultimately, the title of the position does not matter as long as the person is empowered with the authority and breadth of control needed to get the job done.

Institutional Shareholder Services, an advisory firm viewed as the global authority on corporate governance, recommends organizations put cybersecurity executives on the board. “You see it among technologically savvy and technologically back-boned companies,” Ferrillo tells Raines. “You don’t see it enough among the small to medium-sized businesses.” Almost all the leaders Raines spoke with agree that cybersecurity should be elevated to the C-suite as a role reporting to the CEO, and they say C-suite executives should see it that way too. They found that it is also critical that such expertise be elevated to the board level, given the financial and business risk of a cyber intrusion. The current crisis demands more than lip service.

In a time of cost-cutting amidst a pandemic, many organizations may be inclined to address cyber concerns at another time. But the attack on data is underway and relentless. The time is now. “After Equifax, the government and SEC have very little time for companies that don’t pay attention to cyber,” Ferrillo warns. “You’re gonna get fined, you’re gonna get penalized, your market capitalization is gonna go down, and your board could get sued by its shareholders. It’s my view that regulators have no more…tolerance for this.”

Insightful organizations are seeing that action now to build vastly improved security management can ensure more time to focus on building valued cultures, disruptive products and exceptional customer experiences.