
THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

NAVIGATING THE DIGITAL AGE

SECOND EDITION

Navigating the Digital Age:
The Definitive Cybersecurity Guide for Directors and Officers
Second Edition

Publisher: Palo Alto Networks

Editors: Aleksandra Miljus, Mike Perkowski, and Al Perlman. Copy Editor: Rupal Shah
Design and Composition: Tim Heraldo and Jeffrey Rennacker
Produced With Grateful Thanks to: Kristen Batch, Deirdre Beard, Paul Calatayud, Christopher Coccagna, Elizabeth Cockett, John Davis, Greg Day, Sean Duca, Karine Gidali, Rick Howard, Danielle Kriz, Dana Loof, Rossana Monzon, Sean Morgan, Aryn Pedowitz, Michaline Todd, Alison Varela, and Sara Verri.

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Second Edition is published by: Palo Alto Networks, 3000 Tannery Way, Santa Clara, CA 95054, USA
Phone: +1 408-753-4000 | www.navigatingthedigitalage.com
First published: 2018
© September 2018
Cover Illustration by Tim Heraldo
Copyright in individual chapters rests with the authors. No photocopying: Copyright licenses do not apply.
© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html.
© 2018 NYSE Group, Inc. All rights reserved. New York Stock Exchange and NYSE are trademarks of NYSE Group, Inc. or its affiliates. For more information regarding registered trademarks see: www.intercontinentalexchange.com/terms-of-use.

Disclaimer
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Second Edition contains
summary information about legal and regulatory aspects of cybersecurity governance and is current as of the date
of its initial publication May, 2018. Although the Guide may be revised and updated at some time in the future,
the publishers and authors do not have a duty to update the information contained in the Guide, and will not
be liable for any failure to update such information. The publishers and authors make no representation as to the
completeness or accuracy of any information contained in the Guide.
This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional
advice. Professional advice should always be sought before taking any action based on the information provided.
Every effort has been made to ensure that the information in this guide is correct at the time of publication. The
views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility
for any errors or omissions contained herein. It is your responsibility to verify any information contained in the
Guide before relying upon it.
GLOBAL CYBERSECURITY EDUCATION FUND

Navigating the Digital Age, Second Edition, is published by Palo Alto Networks. As a company, alleviating the problem of cybercrime is at the heart of everything we do. Our goal is to offer cybersecurity education and training to students of all backgrounds around the globe through the Global Cybersecurity Education Fund. That is why every action we take, and your readership of this book, gets us one step closer to our mission—protecting our way of life in the Digital Age.

Preface
From the Editors

Welcome to the all-new second edition of Navigating the Digital Age. We emphasize “all new” because none of the content in this edition is repetitive of what was written in the first edition. How could it be? The first edition was published three years ago. Welcome to the Digital Age, where three years feels like a millennium.

This edition brings together more than 50 leaders and visionaries from business, science, technology, government, academia, cybersecurity, and law enforcement. Each has contributed an exclusive chapter designed to make us think in depth about the ramifications of this digital world we are creating.

An important focus of the book is centered on doing business in the Digital Age—particularly around the need to foster a mutual understanding between technical and non-technical executives when it comes to the existential issues surrounding cybersecurity.

This book has come together in three parts. In Part 1, we focus on the future of threat and risks. Part 2 emphasizes lessons from today’s world, and Part 3 is designed to help you ensure you are covered today. Each part has its own flavor and personality, reflective of its goals and purpose. Part 1 is a bit more futuristic, Part 2 a bit more experiential, and Part 3 a bit more practical. We hope you find each to be thought-provoking and valuable.

One of the pleasant surprises we discovered in editing these chapters was how seamlessly and, at times, brilliantly our authors were able to connect the business and technology challenges of cybersecurity to the broader issues facing the world at large. But, in retrospect, we probably shouldn’t have been surprised. After all, what makes this book so necessary and, we hope, so compelling is the reality that digital technologies are completely embedded in every aspect of our lives. And, as you will discover in the pages ahead, we’re still only at the beginning of our journey in navigating the Digital Age.

Unless otherwise stated, all $ amounts are in U.S. dollars.

Table of Contents

vii Preface

Part 1 – The Future of Threat and Risks

Introductions
5 1. Prologue
Tom Farley — Former President, New York Stock Exchange

7 2. To Protect Our Way of Life in the Digital Age, We Must Reach for a Cybersecurity Moonshot
Mark McLaughlin — Vice Chairman, Palo Alto Networks

Seizing the Opportunities, Understanding the Challenges
15 3. Why Our Digital DNA Must Evolve—Quickly
Salim Ismail — Founder, ExO Foundation; Board Member, XPRIZE

21 4. The Exhilarating, Exciting, and Sobering World of the Internet of Things: Imagine the Opportunities, and Realize the Risks
Jennifer Steffens — Chief Executive Officer, IOActive

27 5. How Data Grids Will Power the Economy and Influence Our Future
Rama Vedashree — Chief Executive Officer, Data Security Council of India

35 6. The Future of Cloud
Ann Johnson — Corporate Vice President, Cybersecurity Solutions, Microsoft

Why and How We Must Change Our Roles and Behaviors
43 7. Understanding the Exciting, Exponential, and Terrifying Future of Cybersecurity
Marc Goodman — Author and Global Security Advisor

51 8. Dealing With the Evolving Adversary Mindset
James C. Trainor — Senior Vice President, Cyber Solutions Group, Aon

59 9. The Evolving Role of the CISO: From Risk Manager to Business Enabler
Justin Somaini — Chief Security Officer, SAP

65 10. Cybersecurity and the Board: Where Do We Go From Here?
Mario Chiock — Schlumberger Fellow and CISO Emeritus, Schlumberger

How Work Requirements and Ethical Responsibilities Come Together
75 11. Cybersecurity and the Future of Work
Gary A. Bolles — Chair, Future of Work at Singularity University; Co-founder, eParachute.com; Partner, Charrette; Speaker and Writer

83 12. The Ethics of Technology and the Future of Humanity
Gerd Leonhard — Author; Executive “Future Trainer;” Strategist; Chief Executive Officer, The Futures Agency

Part 2 – Lessons From Today’s World

Introductions
95 13. If You’re Not Collaborating With Colleagues and Competitors on Cyber Threat Intelligence, Beware: The Bad Guys Are Way Ahead of You
Sherri Ramsay — Cybersecurity Consultant; Former Director of the U.S. National Security Agency / Central Security Service Threat Operations Center

101 14. Compliance Is Not a Cybersecurity Strategy
Ryan Gillis — Vice President for Cybersecurity Strategy and Global Policy, Palo Alto Networks
Mark Gosling — Vice President, Internal Audit, Palo Alto Networks

Cybersecurity Awareness, Understanding, and Leadership
109 15. Security Transformation As a Business Imperative
John Scimone — Senior Vice President and Chief Security Officer, Dell

115 16. The Importance of Cybersecurity Preparation and Leadership
Stephen Moore — Vice President and Chief Security Strategist, Exabeam

121 17. Data Manipulation, Law Enforcement, and Our Future: Seeking to Build Trust in Our Digitally Connected Systems
Dr. Philipp Amann — Head of Strategy, Europol’s European Cybercrime Centre (EC3)

The Convergence and Divergence of Compliance and Cybersecurity
131 18. Why Secure Availability—Not Compliance—Should Be Every Business Leader’s Goal
Danny McPherson — Executive Vice President and Chief Security Officer, Verisign

139 19. Enabling the Digital Revolution in Europe: Building Effective Cybersecurity Policy Through Trust and Cooperation
Michal Boni — Member, European Parliament

145 20. Beyond Compliance: The Human Element of Cyber Resilience
Ria Thomas — Partner and Global Co-Lead for Cybersecurity, Brunswick Group

151 21. Why Corporate Governance Matters So Much in Cybersecurity
Paul Jackson, GCFE — Managing Director, Asia-Pacific Leader, Cyber Risk, Kroll

Part 3 – Make Sure You’re Covered Today

Introductions
161 22. Welcome to the Frontlines of Business and Cybersecurity
Pablo Emilio Tamez López — Chief Information Security Officer, Tecnológico de Monterrey

165 23. In Today’s World, Every Company Is a Cybersecurity Company
Mark Anderson — President, Palo Alto Networks

169 24. How You Should Expand Your Cybersecurity Talent Pool: A Lesson of Supply and Demand
Ed Stroz — Founder and Co-President, Stroz Friedberg, an Aon company

Language
175 25. How to Articulate the Business Value of Cybersecurity
Mark Rasch — Cybersecurity and Privacy Attorney

181 26. Language, Please: How You Talk to Boards and Executives Can Make or Break Your Cybersecurity
James Shira

187 27. Using the Right Evidence to Make the Right Cybersecurity Decisions
Mischel Kwon — Founder and Chief Executive Officer, MKACyber

191 28. Building Empathy and Trust Among CISOs and Business Leaders
Brad Arkin — Vice President and Chief Security Officer, Adobe

Strategy
197 29. To Get Ahead of Cybersecurity Threats, Focus on Preparedness and Sustainability
Heather King — Chief Operating Officer, Cyber Threat Alliance
Megan Stifel — Attorney; Founder, Silicon Harbor Consultants; Cybersecurity Policy Director, Public Knowledge

203 30. Learning and Leveraging the Wisdom of “So What?”
Gary McAlum — Chief Security Officer and Senior Vice President for Enterprise Security, United Services Automobile Association

209 31. Junk the Jargon: In Today’s World, Money Talks
Diane E. McCracken — Banking Industry Executive Vice President and Chief Security Officer

213 32. Zero Trust: The Strategic Approach to Stop Data Breaches
John Kindervag — Field Chief Technology Officer, Palo Alto Networks

People
221 33. Making Boardroom Changes Today to Ensure a Cyber-Secure Tomorrow
Kal Bittianda — Head of North America Technology Practice, Egon Zehnder
Selena Loh LaCroix — Global Lead, Technology and Communications Practice, Egon Zehnder
William Houston — Advisor, Technology and Communications & Industrial Practices, Egon Zehnder

227 34. Creating a Culture of Cybersecurity
Patric J.M. Versteeg, MSc.

233 35. Recognizing, Developing, and Deploying Good Cybersecurity Habits
George Finney — Chief Security Officer, Southern Methodist University

237 36. Social Engineering Attacks: We’re All Targets
Yorck O.A. Reuber — Head of Infrastructure Services & CTO, North Europe, AXA IT

243 37. Hunting for the Cyber Leader With the Best Board-Level Credentials
Matt Aiello — Partner, Heidrick & Struggles, USA
Gavin Colman — Partner, Heidrick & Struggles, United Kingdom
Max Randria — Principal, Heidrick & Struggles, Australia

Process
249 38. How to Manage a Data Breach
Lisa J. Sotto — Partner, Hunton Andrews Kurth LLP

255 39. Incident Response: How to Deal With a Cyberattack
Dr. Andreas Rohr — Chief Technology Officer, Deutsche Cyber-Sicherheitsorganisation GmbH (DCSO)

261 40. Don’t Wait for a Breach to Build Your Communications Strategy
Robert Boyce — Managing Director, Accenture Security, Accenture
Justin Harvey — Managing Director, Accenture Security, Accenture

267 41. Making Cyber Insurance a Strategic Tool in Reducing Risk and Improving Resilience
Robert Parisi — Managing Director and U.S. Cyber Product Leader, Marsh

Technology
275 42. How You Should Use Cybersecurity Technology to Improve Business Outcomes
Naveen Zutshi — Senior Vice President and Chief Information Officer, Palo Alto Networks

281 43. Harnessing the Power of Blockchain
Antanas Guoga — Member, European Parliament

287 44. When It Comes to Shadow IT, What You Don’t Know—and Don’t Prepare for—Can Hurt You
Alice Cooper — Global Head of Derivative Trade Processing IT, BNP Paribas CIB

291 45. Unlocking Productivity With Security
Siân John, MBE — Chief Security Advisor, Microsoft

Conclusion
299 46. How We Can Change Our Approach to Cybersecurity Today
Nir Zuk — Founder and Chief Technology Officer, Palo Alto Networks


Contributor Profiles
307 Matt Aiello
307 Dr. Philipp Amann
307 Mark Anderson
307 Brad Arkin
308 Kal Bittianda
308 Gary A. Bolles
308 Michal Boni
308 Robert Boyce
309 Mario Chiock
309 Gavin Colman
309 Alice Cooper
309 Tom Farley
309 George Finney
310 Ryan Gillis
310 Marc Goodman
310 Mark Gosling
310 Antanas Guoga
310 Justin Harvey
311 William Houston
311 Salim Ismail
311 Paul Jackson
311 Siân John
311 Ann Johnson
312 John Kindervag
312 Heather King
312 Mischel Kwon
312 Selena Loh LaCroix
312 Gerd Leonhard
313 Pablo Emilio Tamez López
313 Gary McAlum
313 Diane E. McCracken
313 Mark McLaughlin
313 Danny McPherson
314 Stephen Moore
314 Robert Parisi
314 Sherri Ramsay
314 Max Randria
314 Mark Rasch
315 Yorck O.A. Reuber
315 Dr. Andreas Rohr
315 John Scimone
315 James Shira
315 Justin Somaini
316 Lisa J. Sotto
316 Jennifer Steffens
316 Megan Stifel
316 Ed Stroz
316 Ria Thomas
317 James C. Trainor
317 Rama Vedashree
317 Patric J. M. Versteeg
317 Nir Zuk
317 Naveen Zutshi


PART 1
The Future of Threat and Risks
Part 1 — Introductions
1
Prologue
Tom Farley – Former President, New York Stock Exchange

“No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.”

That was how I introduced the previous edition of Navigating the Digital Age and, if anything, the sentiment is perhaps even more profound and urgent today, three years later. In that time, we have seen just how fundamentally we rely on connected digital technologies, and how on-guard we must be to prevent cybersecurity attacks. We have witnessed attacks on data privacy and infrastructure, interference with elections, the rise of ransomware, and the potentially crippling impact of cyberattacks on businesses all around the globe. We have learned through hard experience that the status quo in cybersecurity is not giving us the trust and confidence we would like to feel as we continue to ramp up the pace of innovation in the Digital Age.

There is much that can be done to address the challenges of cybersecurity, and much that must be done. That’s where this book comes in. Starting with the opening chapter about the concept of a “cybersecurity moonshot” and extending to nearly 50 expert-written chapters, this edition strives to foster a much greater understanding of the challenges we face in navigating the Digital Age, and the steps we must take to protect and enable our digital way of life, for now and the future.

You will see several recurring themes that resonate like a beacon across these pages:

• Connected digital technologies are at the foundation of every aspect of our lives—our business infrastructures to be sure, but also our power grids, water supplies, air traffic systems, electoral systems, and national security apparatus, to name just a few.

• We are still at the early stages of our journey in the Digital Age. The expansion of the Internet of Things, artificial intelligence, and other “exponential” technologies will drive dramatic innovation over the next few years, while at the same time expand our attack surfaces and therefore our risk.

• Because we are on the leading edge of this rapid expansion of data and technology, we must move quickly and comprehensively to address the cybersecurity challenge before it becomes too unwieldy. A deep sense of urgency felt by many of our authors comes through time and again in the chapters ahead.

• Effective cybersecurity is a combination of people, processes, and technologies. Our business and technology leaders must be on the same page, speak the same language, and adhere to best practices in governance. We must use advanced, automated technologies to level the playing field with our adversaries, fighting machines with machines.

• We can do something about cybersecurity. It will take a coordinated, concentrated effort. It will take cooperation across private industry and government. It will take training, education, experimentation, innovation, invention. It will take a lot, but it is something that can be done.

As leaders in business, technology, cybersecurity, government, and academia, it is our job to ensure that what can be done actually is done—and more, when possible. Several authors point to cybersecurity as the most important issue of our times, and it is hard to argue with that assessment. If we fail on the cybersecurity front, we put all of our dreams and aspirations for the Digital Age at risk.

If there is a single takeaway we can glean from the collected wisdom shared in these pages, it is this: When it comes to cybersecurity, failure is not an option. We must succeed, and we must succeed collectively, because ultimately we are all connected one way or another in the Digital Age.

At the New York Stock Exchange, we are fully committed to the task at hand. We strongly encourage our listed client community to do everything in their power to address the cybersecurity challenges within their organizations and to participate in some of the broader initiatives discussed in this book. As we all become more interconnected, we become increasingly reliant on our external relationships, whether partner, vendor, regulatory, or anything else. Cybersecurity is our collective responsibility, not only to our employees and shareholders, but also to society at large. The more we can do to cooperate, the more effectively we can reduce risk for all of us. The world is not only watching, it is counting on us to do our best.

2
To Protect Our Way of Life in the Digital Age, We Must Reach for a Cybersecurity Moonshot
Mark McLaughlin – Vice Chairman, Palo Alto Networks

The Digital Age provides us all with the privilege of being at the forefront of the ongoing endeavor that has the potential to uplift and shape the lives of people around the globe for future generations. Whether we come from business and industry, academia, or government, we, as entrusted leaders, have a vested stake in protecting our way of life in a world that increasingly relies on connected digital technologies.

If we do our jobs well, we can help address some of the biggest issues of our time: climate change, hunger, poverty, population explosion, and disease. We can make the lives of individuals better in thousands of ways, big and small—improving their healthcare, how they communicate, how they learn, what type of work they do, where they live, how they consume entertainment, and how they make their hopes and dreams come true.

But with our privilege comes responsibility. In order to see our own hopes and dreams come true, in order to ensure that our work is truly uplifting and not a broken promise, we must overcome a significant obstacle that threatens to slow or halt this progress. That obstacle, of course, is cybersecurity. The future depends on getting it right.

How will history judge us?

The Challenge of Our Time: A Cybersecurity Moonshot

I believe that, if we are to be judged favorably, we have to shoot for the moon. I use the term “shoot for the moon” purposefully because it is not just a metaphor for the task at hand but, in some ways, it is representative of both a model and a mission statement. In our lifetimes, and even before many of us were born, humankind has shot for the moon—and made it. And it changed the world.

On Sept. 12, 1962, U.S. President John F. Kennedy pledged in a speech at Rice University to put a man on the moon by the end of the decade. He did so, recognizing that it was an audacious goal that would be viewed skeptically, at home and abroad. But he also knew it was a worthwhile and necessary endeavor, and he

believed it could be done. He also had the vision to know that coalescing around a single, clearly articulated objective would have tangible, measurable, and long-lasting benefits. As he stated in his iconic speech: “That goal will serve to organize and measure the best of our energies and skills.”

We are now in a similar place. The unlimited promise of the Digital Age—and the existential threat that cybersecurity poses to that promise—demands that we advocate, evangelize, and undertake a comparable type of effort today: organizing and measuring the best of our energies and skills around the vision of solving the world’s cybersecurity challenge.

Our goal must be ambitious, simple, and direct. Real moonshots have clear and unequivocal goals, such as President Kennedy’s goal of putting a man on the moon and bringing him back safely. I believe our “cybersecurity moonshot” should have a similarly simple, yet powerful goal: Make the internet safe within 10 years.

It is audacious, I know. I also know there will be naysayers, skeptics, and nitpickers: “It’s too ambitious.” “What does ‘safe’ even mean?” “How will we ever forge cooperation across the global cybersecurity ecosystem?”

Asking these questions, in many ways, addresses the very purpose of stating the goal. These questions articulate for us some of the most perplexing obstacles we need to address and overcome. Answering these questions and overcoming these obstacles is, I believe, one of the biggest challenges of our lifetimes, particularly for those of us in a position to effect change.

Understanding the Urgency

Before offering specific ideas on how we can organize and coalesce our energies and skills to achieve the cybersecurity moonshot, we should all understand the unequivocal urgency of the task at hand. Cybersecurity is not just about our future; it is our present. The fundamental underpinnings of our security and economy now depend on digitally connected technologies: our electrical grids, financial markets, military systems, and our infrastructure for water, food, communications, and everything else we need to live our lives.

While digitally connected technologies have enabled us to break barriers and achieve what was initially thought to be impossible, today’s reality is that they are also under attack—constant, sophisticated, unyielding, innovative, and, in some ways, merciless attack. Today, hackers, criminals, and nation-states can—and do—shutter hospitals, halt business operations, and create political instability on a global basis.

The commercial internet has been around for more than 20 years, and the truth is we have never taken the fundamental steps to ensure its foundational long-term safety and security. We haven’t yet done this as a global community, as individual nations, as industries—including the cybersecurity industry—as scientists, educators, government officials, business leaders, or activists. You could say the system is broken, but it’s hard to break something that never truly existed in the first place.

It’s not for lack of effort or interest. We desperately want the internet to be safe and secure; but, fortunately and unfortunately, technology has been moving at lightning speed for a long, long time. It’s hard to keep up. The immediate steps that government and private industry often take to harden our defenses against potentially crippling attacks are, by their nature, short-term, incremental, and insufficient. Even some of the security technologies that we now consider to be state-of-the-art may be obsolete within the next year.

We are, frankly, at the edge of a precipice. The potential for a catastrophic event or series of events is very real. Our current incremental, piecemeal approach to addressing cybersecurity threats after they happen is simply not sustainable. Left unaddressed, the growing and increasingly destructive nature of cyberattacks will undermine our digital way of life and threaten the societal and economic gains new technology has helped us realize. If we don’t achieve our goals within 10 years, it will be too late. Only by thinking big can we achieve a significant and enduring result.

Understanding the Challenge

There are two elements to the proposed cybersecurity moonshot. The first is: Make the internet safe. At its core, we are talking about safety and trust: People must feel safe online without the fear—whether it’s top-of-mind or in the backs of their minds—that they are engaging in an activity that holds any real personal danger to them.

We shouldn’t, at the outset, get too deep into the weeds of defining the statement, “Make the internet safe.” Rather, we should let the process define it, using the best of our energies and skills to determine which characteristics are required to make people feel safe when using the internet. I can pretty much guarantee this: We will know it when we have achieved it.

The second element of our mission is: within 10 years. Why put a time frame on our efforts? First is the urgency we discussed earlier: We can’t afford to be complacent in any way about solving the cybersecurity challenges of the Digital Age. The potential to make the world better is too important, and the risks are too great. Each day that we don’t have a safe internet, there is potential for an event that can cause damage. And every time there is such an event, it can cause even more damage to our confidence, our psyches, and our will.

A second reason for the 10-year time frame comes from what we learned from the original moonshot. When President Kennedy said that the goal was to put a man on the moon, he stated very clearly and very specifically: “By the end of the decade.” This is what made the moonshot mission so audacious and generated such skepticism: “Ten years? How is that even possible?”

But the time frame became a galvanizing force. It empowered the U.S. to marshal unprecedented resources, brainpower, passion, and commitment behind a single goal. To achieve the 10-year time frame, the country had to unite and inspire the best energies and skills across a broad coalition, including government, education, technology, science, and private industry.

And it worked. Not only did the country put a man on the moon and bring him home, but the energy and efforts behind the endeavor also created a wave of innovation that changed the world. Inventions that emerged as a result of the original moonshot include solar panels, heart monitors and pacemakers, fire-resistant materials, cordless instruments, and dozens of others. These innovations have improved all aspects of our daily lives, from healthcare and safety to alternative energies and entertainment.

Actions We Can Take Now

Just as we should not prescribe what we mean today by “make the internet safe,” we should not prescribe the models by which we can achieve our cybersecurity moonshot. The original moonshot model proved it could be done with a single country providing leadership, vision, and resources. That may be a successful model for the cybersecurity moonshot, or perhaps we will discover other models.

However, while we don’t want to pre-determine a specific model for the cybersecurity moonshot, we do know that it will take a concentrated, collaborative, and coordinated effort among many forces to make it happen, including many “rooftop shots” along the way. Government, private industry, and academia all have a part to play. As leaders in our fields, we can provide vision, passion, leadership, and commitment. We have the opportunity, as President Kennedy said, “to organize and measure the best of our energies and skills.”

Each of us—whether in private industry, government, or academia—can take action right now. And we can be secure in the knowledge that every step we take will bring us incrementally closer to our ultimate objective. We must begin thinking of it as a shared journey, working in our own areas of expertise, exploring what we can do to help, now and in the future. What areas should we be looking at, and what kinds of goals can we set? Here are five thoughts about critical disciplines that will be foundational to the success of the cybersecurity moonshot:

1. Technology: Let’s face it. Our current consumption model for cybersecurity is fundamentally broken. We must develop a new model for how we protect our digital assets and interactions. We must evolve from the conventional model, which increasingly uses people to fight machines. We must, instead, promote and promulgate a progressive alternative, built on a prevention-oriented approach that will allow us to maintain trust in the digital world. Key elements of this new model include:

   • Automation and orchestration: We need software to fight software. Humans facing off against machines have little to no leverage.

   • Coordinated and cooperative intelligence: Sharing information is critical to our shared future. We can achieve this through an automated global information-sharing ecosystem.

   • A flexible security model: We need the ability to choose the best solutions and access them when we need them, leveraging cloud computing and other models that are simple to deploy and economical to use.

2. Privacy: Privacy and security are mutually reinforcing. When we talk about trust—about assuring users that the internet is safe—privacy must be top-of-mind. People will be reluctant to use technology if they believe their financial or health records are in jeopardy of being exposed or used in a way that would cause them harm. At the same time, there may be circumstances in which the greater good can be achieved through the strategic sharing of information, without exposing the private records of individuals. Could we stop a terrorist attack or prevent a major security breach that would affect the lives of millions? Striking the right balance between convenience, safety, and privacy concerns is an essential element of protecting our way of life in the Digital Age.

3. Education: Education is not just about building the next generation of cybersecurity experts, although that is,

indeed, an essential element. It is also about building a society that is much more aware of the challenges, opportunities, and risks endemic to the use of digital technologies in the 21st century. Our children are beginning to use technology at younger ages, and that provides an opportunity to teach them while they’re young. We need to think disruptively about how we educate our children, integrating technology and cybersecurity at all levels. We also must do a better job of integrating STEM education—science, technology, engineering, and math—into our curricula. We must also ensure that our schools have access to modern technologies, including broadband. And we must realize that education is not just for the young. We must make sure our leaders in government and business are more cyber-aware, and we must build and train a more cyber-aware workforce.

4. National security: Cyber is a democratized threat wherein the targets are not always visible and not always identifiable. And they are not just aimed at government. Attacks against financial systems, healthcare, energy—you name it—can have a devastating impact on the security of any nation. Viewing national security strictly as the purview of government significantly expands the risk profile. Governments are not wholly responsible for or wholly capable of making the internet safe. In fact, you would be hard-pressed to argue that governments are at the leading edge of technology in any area. Therefore, cybersecurity requires a coordinated, cooperative, and joint effort between the private and public sectors to address the national security concerns of any and all nations.

5. Diplomacy: The fundamental reality of the Digital Age, the reason why it can be a tool to uplift and inspire, is that we can all be connected, wherever we are in the world, with whatever technology we are using. The inherent power of a connected world is staggering. But it is also imposing and scary. Not every nation has the same interests. How do we address these challenges? How do we ensure, for example, global standardization of communications protocols? How do we move toward some level of rules that guide how nation-states operate in this brave new world? As I said earlier, it won’t be easy, but confronting the difficult challenges is why we must shoot for the moon.

Taking the Next Step

These are not just idle thoughts, fortunately. They are reflective of actions that are already being taken today by businesses, governments, institutions, agencies, and individuals to address the cybersecurity challenges of the Digital Age.

On a global level, participating in events such as the World Economic Forum is a vital and important step we can take to heed the call for strengthening cooperation in a fractured world. On the national level, individual governments are moving forward. In the U.S., I am privileged to co-chair a subcommittee within the President’s National Security Telecommunications Advisory Committee, tasked with further defining the cybersecurity moonshot vision and recommending a strategic framework for how government, academia,
and private industry can jointly operationalize it. The NSTAC work is a critical milestone; it’s also a catalyst for a much broader national conversation and collaborative effort, built around a common organizing principle, which we know needs to happen.

On an industry level, organizations such as the Cyber Threat Alliance are bringing vendors together to improve the cybersecurity of our global digital ecosystem by enabling near real-time, high-quality sharing of cyber threat information.

On individual and company levels, all of us can do our best each day to be more collaborative and innovative in ways that will establish the building blocks of a cybersecurity moonshot outcome. We can make sure we are informed, aware, and action-oriented. We can ask the cybersecurity experts on our teams what steps we can take to make our digital interactions safer. We can educate and encourage the people we work with to be aware of the opportunities and risks of living in these challenging times. We can be advocates for change and progress.

As I said at the start, it is a privilege for each of us to be in a position to contribute our leadership, vision, talents, and knowledge to help deliver on the promise of the Digital Age. We must use, as President Kennedy said so aptly, “the best of our energies and skills.” But with that privilege comes a responsibility to solve the cybersecurity challenge. It won’t take a miracle, but it will take leadership.

Seizing the Opportunities, Understanding the Challenges

3

Why Our Digital DNA Must Evolve—Quickly

Salim Ismail – Founder, ExO Foundation; Board Member, XPRIZE

Our world is about to go from less than a billion connected sensors to 20 billion to more than a trillion, all in a time frame that will, in retrospect, seem like the veritable blink of an eye. In many ways, we are moving faster than our ability to keep pace with the change. Thus, we are seeing a disconnect between what we can do and what we want to do.

Here are two small, but illustrative, examples: Nearly two-thirds of executives say boards of directors have a vital role to play in digital transformation, yet only 27% say their boards are advocates for current strategies.1 At the same time, 70% of CEOs say the move to the cloud and digitization is outpacing their ability to understand and define the risks.2

The opportunity before us is too important for these types of gaps to continue. The entire human race is at the threshold of an era of exponential change, when technology will transform all aspects of humanity into a digital environment—right down to our very DNA and cerebral cortexes. Moreover, as data continues to grow exponentially, it will become interconnected in the cloud to form a cyber mesh of data.

Our Immune Systems Are Causing Disconnects

We are experiencing these disconnects because, fundamentally, our systems are not designed to absorb this amount of dramatic and rapid change. We all rely on protective measures to adapt to change and mitigate risk, whether we are talking about the biological systems in our bodies or the cultures and processes we have built into our organizations. I refer to these protective measures as immune systems, and they are built into our business and institutional practices just as surely as they are built into bodies.

In business, these immune systems comprise governance procedures we’ve put in place, restrictions on how we utilize personnel, processes or technologies, or rules that specify how new ideas are presented within the organization. Whatever they are, they serve the purpose of slowing down and regulating our corporate metabolism. And, in many ways, they work for us. Until they don’t.

In today’s environment, these immune systems are contrary to our need to move quickly and keep up with technology
innovation, particularly as we embrace exponentially accelerating technologies, such as artificial intelligence and quantum computing. If we are to fulfill the promise of the Digital Age, we must overcome the limitations caused by our organizational immune systems.

To Fix Cybersecurity, We Must Remove Roadblocks to Innovation

We must also, finally and fundamentally, address the immense cybersecurity challenges of this new world order and ensure that our immune systems don’t slow us down or stop us from making the necessary changes. We must remove roadblocks to cybersecurity innovation.

For example, many organizations still have a large number of point products in place that are not connected with one another and don’t offer sufficient security against modern attack methods. The organization may think they are protected, when they actually have gaps. Relying on older technologies and not getting rid of solutions that don’t work is an obstacle to innovation. The cyber mesh is growing exponentially; cybersecurity must keep pace.

Why? Here’s the reality: As we expand our cyber mesh of data, as we transform to a world of more than a trillion sensors, we are exposing ourselves to a potential cyberattack surface the likes of which we have never seen. We are already struggling to deal with the world’s existing attack surface. If we don’t figure out the cybersecurity challenges of our expanding cyber mesh of data, we run the risk of being victims of our progress, rather than beneficiaries.

How do we move forward? How do we embrace progress? How do we create a new digital DNA that our immune systems won’t reject? And, perhaps most importantly, how do we ensure that our digital interactions and activities are suitably safe in a world where our very bodies are exposed to the potential of a cyberattack?

Getting Ready for Exponential Disruption

Data has already become our most valuable currency and will remain the defining differentiator between organizations that thrive in the Digital Age and those that disappear. We’ve seen virtually every industry disrupted by connected digital technologies—transportation, media, advertising, healthcare, music, photography, communications, finance, entertainment, retail. The list goes on—and we’re still at the beginning stage.

As we move from less than a billion sensors to 20 billion to a trillion and beyond, the potential for dynamic disruption expands exponentially, accelerated by the shift from the read phase of digitization to the write phase. In this next phase, we are talking about the capability of writing code to our bodies, brains, and genomes. From a biotech standpoint, we are probably within two years of more widespread deployment. From a neuroscience standpoint, we are perhaps five or six years away.

Real-World Examples, Real-World Risks

We are already seeing examples of how this next advance in the Digital Age will affect our lives, health, leisure, and work. Think about healthcare in an age when we can each have a tiny sensor injected into the fatty area between our thumb and forefinger, whereby clinicians can easily access identity data, medication information, and emergency information. Or when an alert automatically sends a message to our physician at the first sign of a clogged artery or a leukemia cell entering into our bloodstream.

Look at what has been accomplished by Neil Harbisson, who had a “cyborg antenna” implanted in his brain to help him deal with an extreme form of color blindness. The antenna allows him to feel and hear colors as audio vibrations inside his head.3 Think about extending the capabilities of our human memories with petabytes of data stored somewhere deep within the cortexes of our brains.

We are also, unfortunately, seeing some of the risks of this new world. In 2017, the U.S. Food and Drug Administration recalled nearly half a million pacemakers because of security flaws that made them vulnerable to cyberattack.4 Nations are already collecting the DNA of government leaders to prepare for the possibility of a targeted cyber-based bio attack.5 And before we see self-driving cars on the road, we have to be comfortable that the level of vulnerability is acceptable. We can only imagine the potential chaos and harm a fleet of unmanned vehicles could create if they were controlled by adversarial forces.

It’s Time to Think Big

Yet, forward we progress. We are creating exponentially more volume and variety of data, seemingly by the second. If we go about our business without making any changes, we are heading for disaster. In his chapter, Mark McLaughlin of Palo Alto Networks talks about the need for a “cybersecurity moonshot.”

As Mark suggests, if you want to address big problems, you need to think big. Our organization has studied common traits among the world’s fastest growing startup companies and has identified that each of these organizations is able to articulate a Massive Transformative Purpose. This is defined as the higher aspirational purpose of the organization.

If data is a resource like oil, then we need to start thinking about it that way. Do we have a Massive Transformative Purpose? Can we create one? What would it be? One thing is clear: When it comes to cybersecurity, our current frameworks, mindsets, and immune systems hamper us and need to be addressed.

Can We Break Down Our Immune Systems to Empower Innovation Securely?

Immune systems protect us against radical change. They are wired to give us time to adjust and figure out the right outcomes. Governance is designed to be compliant with process and regulation because we know it is necessary. But what works in one context doesn’t work so well in another. Immune systems can sometimes be roadblocks to innovation.

To move forward with cybersecurity in the Digital Age, we need to break down our current immune systems so that we are encouraging, embracing, and empowering rapid change and innovation.

It is certainly possible to engineer our immune systems to respond quickly. When a doctor performs a kidney transplant, she administers an immunosuppressant drug so the new kidney has time to bed down. Can we create similar results in our organizations, whereby the normal attack on the status quo is suppressed and new ideas have time to find a foothold?

Can We Create a Process to Solve the Immune System Problem?

The simple answer is “yes.” I know because our organization has created and implemented a successful model that works. The process works as follows:

• Bring together senior management from across the organization. Showcase new technologies, threats, and opportunities—very much shock and awe—to show that disruptive threats are on the horizon and something must be done. This creates a burning platform for change.

• Gather 25 young leaders/future lieutenants to do the real work over 10 weeks. Divide them into two streams:

» One stream looks at disruptive new ideas in adjacent industries that could grow the business by 10x or more;

» The second stream examines the existing organization and chooses mechanisms to improve the status quo.

At the end of the 10 weeks, they present their ideas. Senior management funds the ideas that they believe are worth it. We have seen conclusively that management, leadership, and culture can leapfrog three years ahead in that 10-week period.

In analyzing why it works, we found that the opening workshop acts like an immunosuppressant drug, similar to a doctor performing a kidney transplant. By having the future leaders create new ideas (with coaching support), they champion and own those ideas, increasing chances of adoption in the future. In the past, disruptive ideas got funded about 10–15% of the time; now, when you break down the immune systems, we find more than 90% of new ideas get fully funded.

Can We Apply the Process to Cybersecurity?

Absolutely. There are many different ways to approach and implement the process. Individual organizations could take one approach, regulatory bodies could take another, and organizations in different industries can implement the model based on their own challenges. Heavily regulated industries, such as financial services and healthcare, have different challenges than organizations in industries where regulation is less of a factor. While the same basic processes and principles apply, the specifics of each engagement can change, based on the organization and its goals.

An approach we took in the public sector provides an illustrative model that could be applied to cybersecurity. We set a deliberately aggressive objective: Drop the cost of an existing problem by 10 times. Perhaps this is not as audacious as making the internet safe in 10 years, but it is a worthy and difficult goal, nonetheless. We formed teams to take a problem space—such as transportation, healthcare, or affordable housing—through four phases:

1. Technology layer: The goal was to examine breakthroughs that will drive the future, looking at new technologies and working with maker spaces, biohacking labs, and fabrication laboratories. Areas explored included sensors, 3D printing, robotics, artificial intelligence, synthetic biology, and eco-friendly technologies, such as green building construction and low-carbon energy sources.

2. Design layer: The goal was to picture, imagine, design, and describe technology solutions. We worked with artists, science fiction writers, designers, and media experts to envision and paint a future with technologies in mind. Design experts then used human-centered design techniques to integrate that vision into possible products and services.

3. Entrepreneurial layer: The goal was to ensure economic sustainability. We
looked at developing funding mechanisms to help entrepreneurs raise money; created models to ensure the sustainability of potential solutions (via business or taxes); and designed business models to solve major problems through the combination of design and technology.

4. Social layer: The goal was to ensure that the solutions could be implemented into society. We worked with sociologists, anthropologists, regulatory experts, and legal thinkers. We explored public-private partnerships, conducted experiments and trials, and incorporated community leaders representing different social groups, classes, and interests.

In the City of Miami, we were able to create four components to address the specific problem of traffic congestion. Perhaps most important, funding has been made available for immediate development and employment.

Are We Ready to Transform Our Cybersecurity DNA?

We know the model works, and we know it can work in the cybersecurity space. First, we need the motivation to change, which should be well apparent to everyone reading this chapter and this book.

As Mark McLaughlin states in his chapter, cybersecurity represents an existential threat to navigating the Digital Age. If we don’t fix it, and fix it now, we expose ourselves to exponential risks we must avoid at all costs. Mark proposes a cybersecurity moonshot as a Massive Transformative Purpose: Make the internet safe in 10 years. That is certainly a viable starting point.

One of the characteristics that makes this era’s progress exponential is hyper-connectivity. Because we are all digitally connected, ideas and innovations can spread quickly. This can be used for the greater good and, as we have seen, can also serve malevolent purposes. As we deploy models to transform our immune systems, hyper-connectivity can be used as a point of leverage. For example, it gives us the opportunity to work at the edges, where immune systems are less likely to create insurmountable obstacles.

Another important point is that we don’t have to solve the problem all at once, all of us at the same time, all in unison. Although there is a definite urgency to the cybersecurity challenge, we can adopt the principles we have developed in specific organizations and then share them across a broader spectrum. For example, what we learned from our engagement in Miami can be applied to other cities, thus accelerating change by providing ideas, inspiration, and proven implementation techniques.

Finally, we have to recognize that when it comes to cybersecurity, we all share a collective purpose, whether we define that as a Massive Transformative Purpose in capital letters, or whether we collectively and individually create a pathway, step-by-step, toward a more secure future—a future in which we can fully embrace the Digital Age without fear that a cyber mesh will entrap us, rather than empower us.

Conclusion

In some ways, the journey ahead of us is clear. We will, without doubt, move forward in our inexorable march toward exponential digitization: We will go from a billion to more than a trillion sensors; we will leverage artificial intelligence and other exponential technologies; we will digitize our brains and bodies; we will transform all aspects of humanity into a
digital environment. As a species, we are programmed to proceed, always seeking to embrace innovation and progress.

At the same time, however, the volume, velocity, and pace of change in today’s Digital Age is without historical precedent. We are moving at a speed that threatens to overwhelm us if we don’t put the proper protections and safeguards in place. To fulfill the promise of the Digital Age, we must overcome the limitations of the immune systems we have built to protect us. In particular, we must transform our digital DNA so we can move forward creatively and innovatively to address the cybersecurity challenge before us. Now’s the time.

1. “The Board of Directors You Need for a Digital Transformation,” Harvard Business Review, July 13, 2017
2. “Cybersecurity and the cloud,” Vanson Bourne, 2018
3. “Neil Harbisson: the world’s first cyborg artist,” The Guardian, May 6, 2014
4. “Three reasons why pacemakers are vulnerable to hacking,” The Conversation, Sept. 4, 2017
5. “Hacking the President’s DNA,” The Atlantic, November 2012

4

The Exhilarating, Exciting, and Sobering World of the Internet of Things: Imagine the Opportunities, and Realize the Risks

Jennifer Steffens – Chief Executive Officer, IOActive

Few technologies have the potential to impact the way we work, live, play, shop, and interact like the Internet of Things. Imagine the ability to use sensors, embedded chips, process inputs, and other ways to “smarten” everything, from our cars and our health to our physical communities.

At the same time, let’s keep the excitement of connected things in perspective. Smart cities, intelligent dialysis machines, and self-replenishing retail shelves all are examples of using IoT to enhance our lives at work and at home. An IoT-enabled hairbrush is not.

Capturing, analyzing, and leveraging seemingly infinite volumes and varieties of data are exhilarating and can help fuel innovation for more life-enhancing IoT products. But it also can cause well-founded alarm for executives and consumers if care is not taken to account for bad actors and other threats to intelligent devices and processes.

Fortunately, best practices are emerging to address these IoT issues today, even as the technology is still in its infancy. The successful organizations will be the ones that can stay ahead of the curve in spotting opportunities. They will need to open their minds to find innovative ways to stop threats and build a safe digital environment for consumers.

Can You Imagine It? Imagine the Heady Stuff

There’s no need to recite gaudy statistics—and there are oceans of them—about the explosive growth of IoT market expenditures, the number of connected devices, and the economic impact of an IoT-infused market ecosystem. Forget about clichés like “the tip of the iceberg.” We’re looking at the Marianas Trench—which is deeper than Mount Everest is high—of IoT market development. Many of us can’t begin to imagine how big IoT is going to become because, like the Marianas Trench, we really don’t see it. Stuff like computerized automotive emissions controls, cashless tolling systems, and retail loss prevention packaging are so much a part of our everyday lives that we don’t even think of them as IoT applications.

For people like me, the heady stuff is trying to figure out where IoT will take
us in the future, and what it will mean for society—for better or for worse.

Obviously, there are tons of business-to-business applications where IoT has only scratched the surface, such as inventory control in retailing and wholesale distribution, manufacturing floor workflows, RFID in third-party logistics, and smart power grids. And consumer applications are even more plentiful and fanciful because of the way they impact our lives, including sensor-controlled traffic management, intelligent medical devices, smart homes, and connected cars. These and similar applications are fast becoming commonplace, and our children will have trouble imagining a time when they didn’t download music from the internet to their GoPro camera while gliding down the mountain on auto-leveling skis.

And then, there are the odd, eccentric, and downright weird (to some people whose imaginations don’t always stretch that far), like “bovine management” (AKA, smart farming), internet-connected toys and, yes, even intelligent hairbrushes. But, let your imagination run wild, and you’ll begin to consider the vast array of possibilities to make things more efficient, affordable, and interesting for us. And for business executives and board members who care less about the technology behind those solutions and more about the financial opportunities it affords, these are exciting times.

Just imagine it:

• Machine-learning-enabled telemedicine (think of it as digital house calls on steroids), where doctors can receive real-time updates on a patient’s heart condition before the patient even feels anything, and the doctor can fix the problem remotely using a smartphone.

• Store managers who uncover an organized retail-theft plot by matching an employee’s digital ID with merchandise removed from a shelf, but not accounted for as a sale.

• Consumers who learn that their credit card numbers are being used 1,000 miles away—before their banks’ fraud departments notify them and cancel their cards.

• City officials who spot a terrorist’s attempt to poison municipal water sources from across the world using malware uploaded from a burner cell phone.

Undoubtedly, business executives and board members reading this chapter can envision countless other applications and use cases—if they can just let their imaginations run free.

Of course, there are significant implications for these and other soon-to-emerge IoT applications. Regulatory, legal, privacy, and cultural concerns weigh heavy on everyone’s minds—and they should. Still, it’s important for decision-makers to not let fear, uncertainty, and doubt cloud innovation and opportunity.

And that’s why it’s crucial that executives and boards keep in mind their leadership responsibilities: to question and to ensure their organizations stay ahead of rapidly emerging threats, at all stages of IoT product innovation and development.

IoT Threats and Risks: Look Before You Leap and Make a Connection

Here’s a two-part premise for business executives, government leaders, and board members about IoT:

Part 1: Let’s agree that just because something can be connected doesn’t mean it should be connected.

Part 2: If something is connected because it has the potential to improve our work or personal lives—or generate revenue for our businesses—we need to understand that there are always risks involved.

In Part 1, my point is that we now have the ability to embed, attach, or integrate technology with everything from industrial equipment and our municipalities’ most important services to household devices and our children’s toys. Our electronics are smaller and more functional, our algorithms more intelligent and flexible, our packaging more inconspicuous and even attractive. But organizations and their leaders need to really think twice about whether intelligent food or robotic office plants—although technically feasible—are what we all need. We all know that consumers, in particular, love shiny new things. But the “if you build it, they will come” philosophy has never proven to be a sound and profitable business strategy.

But Part 2 is where we need to really put our energies, talents, and imaginations. Any time you connect something to another device, a computer network or the internet, you are opening up potential new avenues for intrusions and breaches. As business leaders, we naturally worry about the financial, operational, and legal impact of hacking IoT systems.

But what about other kinds of more personal risks? How about the risks to our children when their smart toys are hacked by bad actors to track their locations? The New York Times, in a lengthy article about smart toys for the recent holiday season, pointed out numerous instances of chip- and sensor-based toys that exuded vulnerabilities; some of them were even banned by various European government regulators.1

And then there are even potentially more widespread, insidious, and catastrophic risks. What if hackers were to access a city’s water purification system through Wi-Fi-based controllers? Or if someone’s electronic pacemaker was corrupted through an RFID-enabled watch? Or foreign powers manipulated a country’s national voting systems by downloading malware from a smartphone to an electronic voting booth? Or if computerized braking systems on our cars and trucks were disabled over the internet?

These are not hypothetical scenarios. Our company has long been involved in testing security vulnerabilities of IoT-based systems, and our experts have determined that all the scenarios—and more—are not only possible, but in many cases have actually happened.

Our researchers have repeatedly demonstrated that cars can be disabled while they are being driven, vulnerabilities of internet-connected toys can be exploited, and pacemakers can be maliciously hacked. And as for smart cities—well, let’s just say our researchers have determined that those cities aren’t always as smart—or as “digitally safe”—as they’d like to think.

Therefore, it’s important to remember a few undeniable facts about IoT risks:

• The more “things” we connect to our network and the public internet, the more vulnerabilities are created. This is particularly true with what our technical colleagues call “unmanaged endpoints,” which often lack the robust and automated security our traditional computer endpoints now include as second nature.

• The bad guys are working together, sharing information, tips, tricks, and shortcuts. They are even jointly funding efforts through their own flavor of crowdsourcing on the dark web.

• The good guys, by comparison, are usually going it alone. Companies and
governments around the world rarely feel comfortable collaborating on security because it exposes their risks to others, presumably eroding what they see as competitive advantage.

• The potential for more and more risks is going to expand in direct proportion to the dramatic increase in connected devices, systems, and business processes.

In short, doing nothing is not a sound business strategy. I’m sure the regulators would agree, as well.

Addressing IoT’s Problems and Fulfilling Its Potential

Let me be clear about what I am not saying: I am not advocating that businesses and public organizations pump the brakes on IoT solutions development and deployment. Far, far from it. I am so excited about the potential for IoT to enhance our lives, our businesses, our institutions, and our society that I want to see research, development, manufacturing, marketing, and sales proceed as quickly as possible in order to meet consumer and business demand.

In order to do that, those of you reading this chapter—and in fact, this entire book—should keep a few principles in mind about IoT risk management, remediation, and security best practices. It also is important for business and public sector leaders to consider the broader implications of where IoT is going in the future, as it relates to societal and cultural trends. These suggestions are intended for the entire IoT ecosystem, from technology creators and enterprises integrating IoT into products and services, to governments, regulators, and “fixers.”

• Security should be designed into IoT solutions from the start, not after a breach. I know, it sounds easy, right? But in our euphoria over discovering the ability to connect everything to anything, we must not lose track of the increased risk profile our businesses, government institutions, and citizens can face. Fixing security breaches after the fact is very costly and inefficient. In fact, looking at how regulators are clamping down on organizations that suffer a security breach, no matter how well-intended everyone may have been, it’s vital for security in IoT systems to become an essential feature, just as important as what a connected device can do. Some of you may balk at the idea of doing early-stage security integration into inexpensive electronic devices because of the perceived costs and potential impact in time to market. But I can assure you that costs and time to market will be much worse if and when you suffer a breach. Get it done right from the initial design phase.

• Don’t throw a broad, one-size-fits-all security blanket over your IoT innovations. As big an advocate for IoT security and vulnerability defense frameworks as I am, I am completely open-eyed about the need to balance security requirements with product functionality that delivers an outstanding customer experience. The good news is that those two ends of the spectrum are not mutually exclusive—you can and should have rock-solid security on all connected devices without making businesses, consumers, or citizens jump through hoops in order to take advantage of these exciting technologies.

• Collaboration is good for everyone. Industry players, governments, regulators, consumer groups, standards bodies: All of these parts of the IoT ecosystem should work together to explore
24 Seizing the Opportunities, Understanding the Challenges


exciting new opportunities and to balance those opportunities with known and potential new security frameworks to protect everyone. Technology companies have often found ways around their latent competitiveness to create technology roadmaps and solutions guides that grow their market opportunity and give customers viable, productive solutions. Besides, we already know that the bad guys have put their heads together to find ways to muck things up. Don’t let them get a leg up on our efforts because we are too proud or too stubborn to work together.

• Customers are willing to make tradeoffs on things like privacy in order to use IoT for fun and profit. Don’t let them go too far. Not that long ago, Facebook members were reluctant to reveal too many personal details on their walls. Now, they promote every aspect of their lives (sometimes to their detriment) in order to enjoy the full experience of social media. This means your organizations need to be careful not to let customers’ exuberance in adopting the “next new thing” put them—or your organization—in harm’s way. Make sure your customers and consumers are aware of best practices and smart IoT hygiene in order to remain secure while still getting the most out of technology integrated into everyday work and home lives.

A Few Ways for Business Leaders and Board Members to Stretch Their Imaginations

Whether you’re a CISO at a global financial institution, a board member of a non-profit educational foundation, or the CEO of a technology company committed to connecting every node on the global network, there are five things I recommend you do now to prepare yourself for the heady times that await us.

1. Boards should bring in a security expert—either as a member or as a consultant—so the security voice is heard loud and clear as new IoT development programs are discussed and planned.

2. Decisions about security are too often made too low in the organization, by security technicians, IT staff, or others “close to the flame.” Security is a strategic initiative and needs to be treated as such by non-technical executives and business leaders.

3. Don’t stifle innovation by giving in to fears about corporate-wide breaches and blaring headlines. You didn’t get to this level of achievement in your careers by being timid. Be bold, but be smart. Balancing risk with reward is what leaders do.

4. If anyone answers your question about security as you roll out IoT solutions with, “That’s how we’ve always done it,” show them the door.

5. “Smart security” approaches are being implemented every day at companies such as Microsoft, the Mayo Clinic, and General Motors, to name just a few. Strive to add your organization’s name to this impressive and growing list.

Conclusion

IoT isn’t about to transform our society; it’s already doing it. Every day, more and more applications emerge that make everyday devices smarter and more utilitarian than one could have ever imagined.

Which brings us back to one of our core themes: Imagine.

Nearly 50 years ago, John Lennon sang
about a different kind of world, one with infinite possibilities for all of us. I’m pretty sure he didn’t specifically envision the role that sensors, self-driving cars, and intelligent household products would play in changing how we live, work, and play. But he did encourage us to stretch our imaginations:

“You may say I’m a dreamer
But I’m not the only one.”

Unlike Lennon, I’m a business executive who loves finding the intersection between technology, customers, employees, work, and play. But just like the famous Beatle, I’m a dreamer. I can imagine the powerful and transformative role that IoT—and its eventual spin-off technologies—will play in our society.

Just don’t ask me why we need a smart chip in a hairbrush.

[1] “Don’t Give Kids Holiday Gifts That Can Spy on Them,” The New York Times, December 8, 2017
5
How Data Grids Will Power the Economy and Influence Our Future
Rama Vedashree – Chief Executive Officer, Data Security Council of India

In less than two decades, since the beginning of the third millennium, digital data has transformed everything.

It started with the sheer volume of data, which became multiplied by the many digital formats and media forms. The internet and cloud have enabled digital data to become connected into a global data grid, which has enabled us to gain intricate insights into one another, as well as how our world works, plays, interacts, and governs. It has reshaped the very nature of our communities at the local, regional, and global levels—enriching our economies, enabling collaboration across the world, and allowing us to enjoy more productive lives at work and at home.

In turn, accessibility to this cyber mesh of connected and connectable data has elevated the potential for cyber risk and “digital deluge.” It has created an important sense of urgency for an ecosystem of enablers—governments, enterprises, educational institutions, and advocacy groups—to work together toward the common goal of making our digital universe safer.

When I took on the role of CEO of the Data Security Council of India two years ago, I was optimistic about the commitment of interested stakeholders in ensuring that the digital economy and, in fact, our digital lives, would be safe and secure. However, a number of factors are coalescing to give us concern. The fast-paced digitization momentum across the world, rapidly growing economies like India’s and China’s, and the recent World Economic Forum’s “Global Risks Report 2018,” which cites cyber risks and data theft/fraud as global risks, are together a wake-up call for action at the global, regional, and national levels.

Still, two years later, I am even more optimistic about our ability to harness this massive wave of data, in all its many forms and connections, for the good of our global societies. Of course, I am also realistic about the need for intelligent cyber risk identification and mitigation practices in order for us to build and prosper from the “digitization of everything.”

At the core of this ability to build and benefit from a cyber mesh of data are five key concepts:

1. Developing a global data grid to shape and fuel the global economy.
2. Using data as the new currency for today and, especially, the future.

3. Weighing the ramifications of Big Data in shaping the enterprise and consumer of the future.

4. Balancing our innovation ecosystem with the reality of data monopolies.

5. Enabling cybersecurity and privacy imperatives to co-exist in a data-driven world.

Where we go from here is dependent on a whole host of factors, many of which have yet to emerge and are difficult to predict with certainty. But we know this for sure: Digital data is going to change the world in even more dramatic ways than it has done since the invention of first-generation computing.

Data Grids: Powering the Global Economy

The concept of grids—interwoven, mesh-like systems and processes for a wide range of industries and applications—is well known and widely understood in our societies. Grids exist and function smoothly for such applications and sectors as power and electric, financial systems, aviation, and many others.

Now, a new type of grid has emerged—a global data grid—which merges the tremendous surge of information with all the connected points in other grids. This creates exciting, powerful business models that weren’t available just a few years ago. For instance, think of how the free flow of data across physical and digital storefronts has spawned the age of multi-channel retailing that knows no geographic boundaries.

Global data grids also exist for the amazing growth in user-generated content—everything from social media platforms, wikis, blog sites, and personal e-diaries—that encompasses everything from family genealogy and hobbies to open source software communities.

In global data grids, information will increasingly be shared from sector grid to sector grid, promoting increased collaboration that utilizes common information or generates new insights from previously unseen data. This will rapidly evolve into a global, real-time data grid, with companies, government agencies, and consumers collaborating on data creation and access.

Think about the promise offered by data-centric compliance mandates, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), which allows patients to take their personal health information with them, regardless of which doctor, medical facility, insurance company, or healthcare service they use. Now, multiply that potential exponentially across industries and around the world. We see similar global data grids being formed in areas such as higher education, tying together both physical and virtual learning centers, as well as university-sponsored research laboratories, public policy think tanks, and community development programs. Consider, for instance, the increasingly global footprint of major universities, such as Harvard, Stanford, Oxford, and La Sorbonne—all of which have built and are leveraging their own global data grids.

That is where we are going.

Data As the Currency of the Future

A generation ago, there was a lot of talk about, “Oil as the new currency.” Today, however, there is increasing evidence that data is, in fact, becoming our new currency; and that trend is likely to accelerate. Consider these data points from industry research:
• By 2020, the value of the European Union data economy is projected to hit 739 billion Euros, representing 4% of European Union gross domestic product (GDP)—more than double its portion of GDP just five years earlier.[1]

• “Digital industry”—global data-centric market segments—will increase its annual profit margin potential by more than $1.4 trillion annually by 2030.[2]

• Digital transformation will contribute more than $1 trillion to the Asia Pacific GDP by 2021, driven heavily by artificial intelligence, the Internet of Things, Big Data, and other data-driven initiatives.[3]

Of course, trying to get a handle on the financial contribution of digital data isn’t new. In fact, global consulting giant McKinsey wrote about this issue as far back as 2013, when it raised the notion of separating the economic impact of digital capital from that of tangible technology assets, such as hardware, software, and IT-enabled services.

It is clear, however, that it will not be long before we are no longer writing articles or papers with the headline, “Data is the New Currency” for a very pragmatic reason: Data is rapidly establishing itself as the currency of record for all global industries. It is, in fact, becoming the “new oil.” In healthcare, financial services, manufacturing supply chains, retail, utilities, government services, and in all other market sectors, data is being monetized in a wide range of applications. And we have only tapped the surface.

Perhaps typical of the impact of data on markets, industries, and economies is a recent blog post by banking industry consultant Chris Skinner, who wrote:

“If all the things we used to do (in banking) make no profit anymore, where is the money to be made in the future? And the answer is: data.”

The Big Impact of Big Data Will Get Even Bigger

It is easy to be amazed at the massive growth of digital information. The much-discussed Big Data movement is now mainstream, and it has enjoyed enormous popularity as organizations learn how to harness this growing amount of data for a wide range of use cases.

But the sheer volume of data growth is not the issue. Organizations need to find new ways to efficiently access the right data from the right point in the global data grids in order to make a real difference in how we work, play, and interact. Without a strategic plan—and the right tools—for harnessing all that data, organizations will drown trying to “drink from the fire hose.”

Big Data—augmented by related data-generation trends, such as mobility, wearables, virtualized infrastructure, e-commerce, IoT, distributed workforces, collaboration platforms, enterprise content management, and others—has only begun to scratch the surface of what it can do. That’s due to a number of factors, such as the formative stages of data-mining tools and the early development of powerful, secure algorithms that turn raw data into actionable insights. Big Data’s growth, as impressive as it is, also has been limited by enterprises’ desire to keep capital expenses as low as possible, which is problematic for Big Data use cases that require more compute power, more storage capacity, more network bandwidth, and more data centers.

But as prices on IT infrastructure continue to fall, and as cloud service providers
become the new data centers for large and small enterprises alike, Big Data will accelerate its ability to capture, store, manage, analyze, and share data from a wider and more diverse set of inputs.

Take healthcare as an example. To say that data is exploding in the healthcare space is stating the obvious. One recent study said healthcare data is growing faster than ever—nearly 50% annually.[4] That is due to a variety of factors, including regulatory mandates, digitization of healthcare business processes and workflows, the rise of applications such as telemedicine, and the insistence of healthcare practitioners on using their own personal devices to create and share information about their patients and their practices.

Healthcare is just one prime example of an enormous opportunity for improvements, touching on both patient benefits (in the form of improved medical outcomes and better long-term health) and commercial success for hospitals, practitioners, and insurers. Public health, for instance, is a fast-growing specialty that relies heavily on data from across the healthcare data grid, as are other exciting use cases, such as global telehealth practices and infectious disease control. And applications around medical imaging, such as PACS and DICOM, are in the early stages of both commercial opportunity and dramatic improvements in patient care. Managing radiology images and other unstructured data in a global healthcare grid is literally a life-saving development and helps realize the vision of universal healthcare.

Whether it’s healthcare data, information about banking transactions, up-to-the-minute feeds on traffic congestion, or real-time insights into the health of common household appliances, Big Data is going to reshape the very nature of how organizations in all industries do business and serve their commercial and consumer customers. For example:

• Analytics engines are going to become considerably more powerful, more affordable, and easier to use, often integrating with analytics engines of social media feeds and other consumer platforms.

• Consumers will make real-time decisions based on multiple data feeds shaped by independent—yet connected—analytics engines. This will expose them to more new products, services, suppliers, and relationships than ever—and they will not have to invest a dime of their own money to take advantage of those analytics engines.

• Delivering services to commercial and consumer clients will become faster and more personalized than ever, improving the user experience and driving enhanced customer satisfaction—leading to even more consumption.

As that happens, the Big Data trend we’re currently experiencing will not seem so big after all, compared to what we will experience in just 5 to 10 years from now.

How big could it be? Consider the fact that the worldwide population stands at about 7.5 billion people in 2018. Now, how many “things” does each of us use every day that could have important information that we access or share? 10? 50? More?

Are Data Monopolies and Innovation Mutually Exclusive?

With so much attention and energy stemming from important developments, such as the internet, social media, and cloud computing, it should come as no surprise that “data monopolies” have emerged—disproportionately large collections of data held and managed by a handful of innovative, ambitious, and powerful enterprises.

The commercial successes of companies like Facebook, Google, Twitter, Amazon Web Services, Alibaba, Tencent, and other industry titans are remarkable examples of the combination of smart business decisions, commitment to innovation and research, bold bets on new technologies, and a little bit of good luck. The fact that these and a relatively small number of other organizations collect, hold, and leverage massive amounts of data is not, by definition, something to fear. It is, of course, something to acknowledge; we must understand its implications.

After all, the broad collection of personal data undoubtedly sparks concern over privacy rights and confidentiality. That was a big driver behind the European Union’s landmark General Data Protection Regulation (GDPR), which may influence and shape data privacy regulations in other regions of the world.

And, if data is the new global currency, it’s not surprising that some people are raising concerns about “whoever controls the data has the power.” But there is an important balance that needs to be struck between preserving the privacy of individual data and allowing businesses and governments to use data in a responsible, innovative way to better serve their constituents.

This is not a black-or-white issue. It’s highly nuanced, with the need for a delicate balance to ensure that protecting data doesn’t lock out innovation, or that harvesting data to create new goods and services doesn’t imperil our individual identities and rights.

The tension among companies, governments, regulators, and consumers is inevitable, with each group trying to promote its own interests. But we need to keep in mind that this doesn’t need to be an “I-win-you-lose” scenario.

We also need to understand the appropriate role of government in protecting individual rights and avoiding the deleterious effect of data monopolies. Our governmental agencies and regulators should avoid going down the path of heavy penalties and overly regulated data access and usage, opting instead for collaboration among all stakeholders to strike that delicate balance between commercial innovation and individual privacy of personal data.

In fact, I believe industry players will increasingly band together to collaborate on smarter, more efficient compliance protocols, and will team with government agencies, regulators, privacy advocates, and standards bodies to do so. While this may seem like an unusual alliance, I believe it is a more efficient and effective way to ensure responsible compliance measures without stifling innovation.

Protecting Our World and Our Data Against Digital Threats

As excited as I am about the possibilities of using all this data for the common good of our societies, I am also realistic about the growing footprint of cyber threats. Every year, the incidence, impact, and innovation of cyberattacks increase, and there’s no reason to think they will abate in the coming years.

Again, data—and proper access to it—is key to ensuring that applications, services, and entire economies are safe and secure. If that sounds like “data that protects data,” you are right. In order to protect our most important data—personally identifiable information, financial records, medical records, intellectual property, and more—we will need to develop new tools
and services to discover and remediate data vulnerabilities.

Yes, threat intelligence and other subscription-based services help to identify threats and promote joint problem solving. But we need to do more. Too often, we have incident feeds that are limited in their impact or ability to promote remediation because they lack access to critical data about threat sources, points of attack, weak points at the network’s edge, indicators of compromise, and more.

Again, the notion of balancing security needs with privacy expectations is relevant here. But it goes even farther. After all, there’s nothing preventing us from locking down everything tighter and tighter—servers, mobile devices, applications, cloud services, and more. Doing so, however, seriously degrades the user experience and stifles innovation in data-driven goods and services.

Data must continue to flow, reliably and securely, through networks that are increasingly global and susceptible to the efforts of bad actors. Restricting data traffic to the point of choking it impacts our data economy locally, regionally, and globally. That’s why the European Union is working on regulations to unlock the data held by European institutions, and the U.S. federal government has an open data initiative.

This concept is evident in the rise of data marketplaces, or data supermarkets, which enable new companies to build markets where public data is available. In these scenarios, specific users can easily combine that data with other, free data sets for improved insights and unearthing new business opportunities and societal value.

Ensuring this cross-border data flow is going to require a more collaborative effort among commercial, governmental, regulatory, and consumer bodies. In fact, to promote best practices in cybersecurity and to protect individuals, businesses, and governments, we must find ways to promote more data sharing and greater collaboration. Take terrorism, for example. Fighting both physical and digital terrorism requires cooperation among a vast network of agencies, organizations, and data sources, all around the world. We must continue to push for ways in which governments, particularly in areas of law enforcement and national defense, work together.

We should also strive to step up deliberations and consensus building around the application of international law and governing states in cyberspace, at both the UNGGE (UN Group of Governmental Experts) and bilateral levels. The recently mooted “Digital Geneva Convention” and other proposals need attention to ensure that states do not violate established norms in cyberspace. This is necessary, not only to identify and weed out cyber criminals, but also to protect and preserve individual liberties, particularly as many governments have built offensive cyber capabilities.

In an era of digital economies and digital lifestyles, we need to treat security as a core feature and requirement in all products and services, from the onset of the design phase. Our communities, economies, and constituents demand it, and it will be on our hands if we don’t deliver it.

Conclusion

Our societies and our lives have been dramatically impacted by developments as basic as the discovery of fire, as well as simple and complex inventions such as the wheel and hydroelectric power. But I believe there is no development with greater long-term implications for our world than new applications for digital data.

Data is more than seemingly random collections of ones and zeros. It is information, currency, social fabric, safety, knowledge, confidence, and innovation. When created, shared, and managed for the good of our communities, our families, and our industries, it acts as an exhilarating source of hope for a better world. And when combined with smart, collaboratively developed security safeguards, it gives our best and our brightest the opportunity to continue to use data in heretofore unimaginable ways for the common good.

Technological advancements may allow us to connect more things to each other, but the real power and beauty of a connected society is its ability to use grids of data to bring us closer together as people, as communities, and as nations.

[1] “Building a European Data Economy,” Digital Single Market, 2017
[2] “Digital Industry: The True Value of Industry 4.0,” Oliver Wyman and Marsh & McLennan, 2016
[3] “Digital Transformation to Contribute More Than US$1 Trillion to Asia Pacific GDP By 2021,” Microsoft and IDC, 2018
[4] “Report: Healthcare Data is Growing Exponentially, Needs Protection,” Healthcare Informatics, 2014
6
The Future of Cloud
Ann Johnson – Corporate Vice President, Cybersecurity Solutions, Microsoft

When I think of the future of cloud computing, I automatically think of my teenager. Then I smile. Broadly.

Cloud and my teenager have a lot in common, especially as they continue to grow in size and capabilities. The rate of their physical advancement is nothing short of astonishing, and every time you look around, they are doing amazing things that seemed inconceivable just a short time ago.

Just as I marvel at my teenager’s rapid physical and intellectual development, the skyrocketing adoption rates and widespread embrace of cloud for mission-critical applications are nothing short of inspirational.

Of course, my teenager doesn’t improve organizational agility, scale exponentially to keep up with new workloads, or come with a predictable subscription-pricing model. And as much as I hope and plan for a smooth transition to a lifetime of health, happiness, and a solid career path for my child, I truly don’t have a clue what the future holds.

Not so for the cloud, however.

I don’t need a crystal ball to predict what the future holds for the cloud. Oh, I may not be able to see around the corner for every technical nuance that will add more value to the cloud or to pinpoint the economic value of the cloud economy. But I have seen the future of cloud, and it is bright. (Yes, even accounting for the harsh reality of cyber threats. I’ll explain why in a bit.)

Good News for Business Leaders: Cloud Will Transform Your Organization

My vision of the cloud’s future starts in the past—when enterprises began experimenting with cloud-based services, such as SaaS, or when employees began deploying early versions of shadow IT by storing work data on cloud-based file-sync-and-share sites. Organizations soon realized that the cloud was a good resource for doing things like application testing and development, or promoting cross-group collaboration without having to deploy dedicated infrastructure.

In this phase, I thought of the cloud as helpful. It was an interesting and opportunistic tactical resource that allowed organizations to reduce the cost and speed the time of delivering IT resources. It helped us keep a handle on FTEs that would otherwise need to be allocated to support new digital initiatives.

Our positive experiences in using the cloud gave us confidence that we could start using it for more important services
and applications that were at the very heart of our day-to-day business activities. Soon, our most important applications were migrated to the cloud—building on the tactical benefits of first-generation cloud, becoming a strategic asset in increasing IT and organizational agility, and instantly scaling resources in reaction to new business opportunities or challenges.

Today, cloud has morphed from helpful to important, a strategic way to not only let us do more with less, but to ensure we can utilize our people for the things that make a difference.

In the future, however, cloud will take the next step. In fact, the cloud’s utility, capability, and resilience are rapidly accelerating—due in no small part to a few key technologies I’ll introduce shortly. Five or 10 years from now, we will look at the things that make us excited about cloud today as quaint. That’s how much things will change.

In short, the future of cloud will complete its revolution from helpful and important to a difference-maker. The cloud of the near future will be transformational. It will open up all kinds of possibilities in the era of digital transformation that will not only improve IT and business efficiency, but will also change the way we work, live, and play.

The cloud of the future will make our organizations and our communities more connected, more useful, more agile, and, yes, more secure. It won’t be easy, of course. It will take a continued commitment to experimentation, investment of time, money, and people; a willingness to change decades-long organizational and personal behavior; and an ability to create a vision based on what you can’t yet see, but you can begin to imagine.

Brad Smith, Microsoft’s President, has put the cloud’s future into a framework that is aspirational, inspirational, and yet practical. In “A Cloud for Global Good,” he talks in very pragmatic terms about the intersection of the cloud, emerging technologies, and all stakeholders in creating a society that benefits more people in new, transformative ways.

This vision will be supported by the integration of such technical trends as artificial intelligence (AI), machine learning, quantum computing, and mixed reality. Already, these factors are changing the very nature of the cloud, with bigger and better changes to come.

The Symbiosis of Cloud and AI

Not surprisingly, the global push for deeper insights into all that data flooding our networks and the cloud has driven organizations to turn to artificial intelligence. AI, as well as machine learning and other derivatives, is transforming what we can do with data, enabling us to make better decisions, with bigger impact, faster, and more reliably. And we have only scratched the surface.

In many ways, cloud is the ultimate sandbox for AI-enabled workloads and AI application development. The ability to handle massive and rapidly growing amounts of rich data makes the cloud an ideal laboratory for AI solutions.

Consider just a handful of possibilities still emerging or soon to take shape, thanks to the marriage of AI and the cloud:

• Healthcare: Hospitals, practitioners, and related organizations need to solve the interoperability problem that is still hampering the delivery of coordinated care. In the face of EMR mandates, a growing regulatory footprint, and the drive for essential applications like telemedicine and population health, healthcare organizations will turn more
to the cloud and AI to use that mountain of data more efficiently. Or, just consider the possibility of predicting and preventing future pandemics before they take their devastating toll on our societies and our planet.

• Retail: Brick-and-mortar retailers and online sellers want to sharply reduce, or even eliminate, merchandise theft, fraud, and shrinkage—a $100 billion-a-year problem for physical stores and potentially much larger in the era of an increased swing toward e-commerce and omnichannel retail. More robust and turbo-charged analytics will allow them to link inputs from IP surveillance, inventory management systems, item-level RFID, and anti-theft packaging—all in the cloud.

• Government: Municipalities all around the world are striving to re-engineer how they deliver social services, such as identifying and remediating sources of domestic abuse. The marriage of the cloud’s infinite computing horsepower and AI’s deep insights into cascades of seemingly disconnected data makes that not only possible, but highly likely.

• Financial services: Can the industry eradicate insurance fraud and securities trading violations, absent mountains of paperwork or without trampling on individual privacy rights? The combination of cloud and AI will make it happen, all without necessitating tons of CapEx and on-premises systems development.

• Education: While there is no question that infusing technology into educational curricula and arming our teachers, staff, and students with technology have helped to bridge the much-discussed digital divide, more work needs to be done. The cloud is going to be the linchpin in bringing new educational opportunities to students in rural communities with historically limited access to transformative technologies, due to factors such as location, culture, or budget.

• Transportation: Airlines spend billions of dollars annually simply due to an inability to keep operations intact—and revenue flowing—during bad weather. Using an AI-hypercharged cloud will give them instantaneous knowledge about rapidly changing weather conditions, which will enable them to be more predictive in scheduling and routing, with less inconvenience and danger to passengers and work crews.

At the same time, AI is turning the cloud into a richer, more functional, more efficient environment for knowledge creation, collaboration, and utility. Over the next few years, cloud service providers and private cloud developers will benefit from AI in eye-popping ways.

For instance, AI will make cloud adoption and utilization more appropriate and efficient for regulated environments, particularly for demonstrating compliance and for spotting potential anomalies before they become regulatory headaches. Audit trails will become cleaner, more precise, and more efficient in the cloud through the use of AI and machine learning engines.

This is heady stuff—a true symbiosis. Not only will AI, machine learning, natural language processing, and cognitive computing advance rapidly because of the cloud, but the cloud will become richer, more robust, and more useful as its ecosystem is embedded with AI-related technology. It will be the ultimate win-win scenario.

The Future of Cloud 37


Turbo-Charging the Cloud of the Future With Quantum Computing

Remember how excited we used to get when a new family of microprocessors came out, allowing us to have faster PCs and take advantage of new software functionality? We have Moore’s Law to thank for much of that, as well as the very smart engineers at chip-maker and software companies.

Now, get ready for a quantum leap—pun intended—in power. Quantum computing is going to transform the cloud of the future with an infrastructure overhaul we’ve never seen before.

I won’t get into the physics of qubits or what quantum computing will mean for your data center operations. What you need to know, however, is that the cloud is about to become even faster and more useful for applications that will be developed, deployed, and run in the cloud.

For instance, consider research laboratories looking for new ways to calculate nuclear binding energy. If you don’t know anything about nuclear binding energy, you’re not alone. But what you can probably surmise is that this is an application that is fed by massive amounts of data, and also needs more horsepower than ever to execute and turn that data into something actionable. Enter quantum computing. Already, researchers at Oak Ridge National Laboratory are using cloud-based quantum computers to conduct simulations and calculations that would otherwise have required untold investments in hardware, software, and FTEs, just in the experimental stage.

Of course, quantum computing has yet to become commercialized, but that’s not far off. So, when the technology becomes mainstream, quantum-driven applications will find their home in the world’s biggest data center—the cloud.

And you can only imagine what kind of mind-blowing advancements we’ll see in cloud computing’s performance and scalability when we introduce quantum computing into the cloud’s infrastructure.

Consider the opportunities a quantum-spiked cloud environment can support:

• Development of new clean energy sources that are more cost-efficient and that produce better yields than current generations of wind and solar energy.

• Research into new food production processes that will literally wipe out global famines.

• Uncovering exciting new ways to predict, prevent, and treat potential health problems years before they surface.

• Delivering personalized, customized, affordable one-on-one education that is motivating to students and invigorating to teachers.

Quantum computing is going to be the new physical engine of the cloud. And the cloud will never be the same.

Securing the Cloud of the Future

I worry about security. A lot. And not just because “security” is in my job title. Because when I think of security, I again think of my teenager.

Parents are hardwired to worry about their children’s security. Our worries evolve, become more complex and closer to the surface as the kids get older. Not surprisingly, I have broken out in a cold sweat more than once when I think about my teenager’s security.

Yes, I worry all the time about my teenager’s physical and emotional security. But I also have a measured sense of optimism and confidence about the future of digital security. And that’s because I’m incredibly



upbeat about what the cloud community of suppliers, agents, and users has been able to do with security, and what we are all likely to do as we move into the transformative future of the cloud.

Let’s be clear: I’m no Pollyanna when it comes to the target-rich environment that the cloud has become and what it will be in the future.

Those of us who have studied technology are very familiar with Metcalfe’s Law, which posits that the value of a network increases exponentially in relationship to the number of people attached to it. Think about the hundreds of millions of people using the cloud every day. Now, multiply that by whatever number you like. Five? Twenty? One hundred? Think about a much, much larger cloud community, measured not only in the number of users but also, more importantly, in the number and diversity of “things” connected to the cloud. The potential threat vectors presented by hackers, organized cyber-criminal gangs, and bad state actors over the next several years are breathtaking. Not breathtaking as in surveying the Alps, trekking through the rain forest, or roaming the American heartland. I mean breathtaking as in “gulp.”

So, it’s important for all of us to know what we’ll be up against as we necessarily and deliberately rely and depend on the cloud.

With more and more data—and with more of that data deemed mission critical—created, stored, and managed in the cloud, bad actors will naturally take aim. Developments like the Internet of Things are a great example of why: The fact that the IoT represents a multi-trillion-dollar target makes it a gigantic target for the bad guys. This is becoming even more an issue as “smart things” are connected to the cloud without sufficient integrated security or as users fail to adopt proper security hygiene.

With such a broad attack surface, in an always-on environment, fraudsters have already exfiltrated data and caused cyber mischief. So it’s up to us to do more. A lot more.

Already, some things are happening. One of the best is the imminent demise of passwords. Whether you store your dozens or hundreds of passwords in a spreadsheet, on sticky notes, or in a digital wallet, passwords no longer are sufficient cybersecurity defenses.

So passwords are giving way to biometrics and other steps in multi-factor authentication, making it harder for bad guys to penetrate our firewalls and grab our personally identifiable information, intellectual property, and digital assets of every format. Still, we cannot underestimate the intelligence, creativity, and determination of hackers, whether they are lone wolves (which they rarely are), part of digital crime syndicates, or state-sponsored bad actors.

They are coming after us in the cloud, and they will amp up their efforts in the cloud of the future. There’s good news, however: We’re all ramping up and fortifying our cloud security frameworks in anticipation of more penetration attempts.

First, a fundamental truism is that AI will be a big-step change for cloud security, which we desperately need.

Already, cloud environments are being fortified with machine language engines to analyze global data points in the hundreds of billions of cloud-based transactions. AI and machine learning normalize the data (remember, it’s all unstructured, from spreadsheets and email to cat videos on Facebook) and push out attack indicators that are more meaningful, timely, and accurate. This will make our detection



efforts far better—an order of magnitude better, in fact.

Using AI on top of those machine language engines will speed scenario modeling, giving already-stretched security analysts the ability to spot trends faster and make better decisions.

Then, you’ll be able to take virtual reality technology and let your security experts—and your business users, too—visualize the threats in a consumer-friendly manner.

And none of that happens without a global cloud operating at hyper-scale speed. Security is one area that really benefits from a large, wide, and deep cloud environment, because with the right analytics tools and enough processing power, global decision-making becomes easier and more accurate.

Cloud security also will become much more automated; again, machine language tools will drive huge process improvements in developing and deploying automated defenses. This will take considerable pressure off overworked security administrators and security operations centers to manually detect and thwart attempted intrusions as simple as garden-variety viruses or as insidious as malevolent ransomware.

In short, the cloud of the future is going to be a digital fortress, more robust and resilient than ever. Cloud security will be more intelligent, more automated, and more discerning, driven by advances in AI, machine learning, quantum computing, and other transformative technologies. Cloud security also will be designed and implemented with more of an eye toward a positive user experience, making security steps less obtrusive to the user and less likely to impact our business productivity or our personal enjoyment.

I’m not predicting that we’ll never have breaches or that we won’t have blaring headlines about loss of personally identifiable information. But I have seen the future of cloud, and it is secure.

Now, if I could only feel more confident about my teenager’s security when I’m not there, too.

Conclusion

After my child was born, I was overwhelmed with a sense of amazement for that tiny life-form. But I was so consumed by my new child’s everyday needs—eating, changing, bonding, sleeping—that I rarely allowed myself the luxury of dreaming about the future.

But as my child entered the exciting world of teenage-dom, I began to focus on what the future held and how my teenager would make a mark on the world.

I feel the same about cloud. In its formative years, I was thrilled by the many benefits of cloud computing to extend the resources of traditional IT organizations, to let business users take charge of their digital destinies, and to let billions of people connect, collaborate, and build global communities. In those days, that was enough to keep most of us really busy.

Now, as the cloud has evolved from a helpful business tool to an important resource, to the point where it is now transforming so much of our work and personal lives, I am exhilarated when I allow my imagination to run free and envision what the cloud of the future looks and feels like. Maybe my teenager will even help shape the cloud of the future in some meaningful way. But I know one thing for sure: The cloud will change the world much, much more profoundly in the coming years than it already has changed mine.



Why and How We Must Change
Our Roles and Behaviors
7
Understanding the Exciting, Exponential,
and Terrifying Future of Cybersecurity
Marc Goodman – Author and Global Security Advisor

I used to be a cop. It was a great job, and I loved it. Then one day, my policing career changed drastically—all because I knew how to use the spell-check feature in WordPerfect.

Yes, that impressive demonstration of technical acumen put me among the “digital elite” in policing back in the day, and it became the catalyst for a highly enjoyable and challenging career in cyber criminology. Now, as I spend my time researching and consulting about next-generation cybersecurity threats in the real world, I have to admit: I’m profoundly concerned. Concerned about the seemingly limitless ways we are dependent on technology and the equal number of ways it can all go wrong.

However, despite these worries, I remain optimistic about the future and our ability to make significant strides in the battle against cybercrime. In order to get there, a few things need to happen, which we’ll cover in this chapter:

First, you must understand the enemy—specifically, the threats, the vulnerabilities, and the criminals.

Next, you must acknowledge and evaluate the traditional, tried-and-not-so-true reactions of executives and boards of directors to cyberattacks.

Finally, you need to find and exploit the secrets that will help you change the balance of power between the good guys (you) and the bad guys (the ones robbing you) by throwing out the old playbook on cybersecurity and beginning anew.

The Power of Exponentials

Learning about the power of exponentials can change your view of the threats, your responsibilities, and most importantly your cybersecurity strategies for the future. What do I mean by exponentials?

Exponential technologies—computers, robotics, AI, synthetic biology—all obey Moore’s Law and thus double in their capabilities every year or so. To conceptualize what these rapid changes look like, business leaders have devised a number of terms to describe the phenomenon, including non-linear thinking, inflection points, hockey-stick curves, or force multipliers.

Conversely, linear point-to-point advancement of actions and developments is comforting to us. It’s reassuring to believe that we have some knowledge—or perhaps even some control—of where we

are headed. Linear expectations and predictions are comforting, but they are dead wrong when applied to technology, a serious mistake that has direct implications on how we approach cyber risk.

Understand Your Enemies: They’re Different Than You Think

Most organizations look at recent attacks on their information assets and usually think linearly. “Yes, DDoS attacks are increasing, and so are phishing attempts,” the CISO may tell the CEO or the board. “But we’re on top of it, and here’s what we’re doing.” In other words, most organizations see the problem as having a linear path, requiring a linear approach to solutions. Spend slightly more money on malware prevention, conduct more training on security hygiene practices, have users change their passwords more often. Last year the problem was this, now it’s that, so let’s plot our defenses based on the fact that threats are increasing in an orderly linear fashion.

Wrong. Linear thinking about threats and enemies must give way to exponential thinking, because the pace of everything is accelerating, and it’s doing so way, way faster than we had imagined. Linear thinkers believe autonomous vehicles are pure hype and will never take off. Exponential thinkers know they are already here.

When it comes to the bad guys, there’s a big problem. They are thinking and acting exponentially, while we’re defending ourselves linearly. Moore’s Law means nothing to them. They’re Moore’s Outlaws.

The second thing to keep in mind about the impact of exponentials on cyber risk is the rate at which automation is taking place. You want to talk about a force multiplier? Automation in its many forms—algorithms, scripts, machine learning, and natural language systems—is creating cyber crime at scale. They’re using our smart tools against us in order to scale their malevolence at a rate far greater than we could have imagined. Well, start imagining.

There is a ton of software out there to automate cyberattacks. Distributed denial-of-service (DDoS) is a great example: It’s automated mischief. They’ve even weaponized the cloud—our cloud—to execute DDoS attacks and other digital warfare.

The automation of cyberattacks represents a disturbing and highly problematic development, adding mightily to the arsenal of cyber criminals, enabling bad actors to fully automate even the most complicated of crimes, such as hijacking and ransom offenses, and contributing, with great effect, to the explosion of ransomware attacks in recent years.

Holding someone or something hostage for money has been around for millennia, but the analog version of ransom-based crimes took a lot of work. You needed to identify the target and study their movements, then hire some guys with guns, stalk and grab the victim, stow them away, reach out to the family, warn them not to contact the police, agree on a location for the money exchange, line up a pigeon to actually pick up the money instead of you, arrange a getaway vehicle, and hope you’re not caught.

Exponentials in the form of automated threats make it much, much easier. They’re taking a highly complex crime and encoding it in software. It’s pretty easy to do—you don’t need a PhD in computer science—and it’s really cost efficient. You can buy a ransomware kit on the Dark Web for about $10, and the average ransomware payout is pegged at $163,000. Now that’s what I call a return on investment.

And there’s no limitation on how much ransomware you can launch. Again, exponentials are at work.



Now, let’s raise the stakes way, way higher—the Internet of Things. Talk about a potential bonanza for the bad guys thinking and acting exponentially. Actually, the IoT itself is a great object lesson in exponentials. Look at the exponential growth in the number and diversity of connected things; tell me that doesn’t look like a classic hockey stick. And the incremental economic value of IoT is going to run into the trillions of dollars. Think that’s not an inviting target?

I call this the third dimension of cyber threats. In the beginning, we had computers. They were these big, ugly, gray boxes shoved into climate-controlled data centers or parked on someone’s desk. Then we got mobile—notebooks, tablets, and smartphones. And finally, we realized we could put a chip in everything. TV used to be a vacuum tube, now it’s a smart, ultra-high-resolution display with more intelligence than a supercomputer.

Computing is now fully mobile and ubiquitous, and all those endpoints are vulnerable. Your kids’ toys have become turned against them; chips for speech synthesis and cloud connectivity have become ways to triangulate your child’s location by truly evil people. We’re going to add 50 billion new devices—probably more—to the internet by 2020, and it’s all being done insecurely.

Is there anything you can do about it? Read on.

Consider Your Biases and Your Actions: It’s Time for a Refresh

For CISOs, C-suite executives, and board members to defeat an increasingly sophisticated and determined cyber adversary, new ideas and dramatically different approaches are necessary. Forget about thinking outside the box. In fact, throw the box out. You’ll need to think outside a geodesic dome embedded in a kaleidoscope. That’s how many new angles, dimensions, and perspectives you’ll need.

One thing I learned many years ago when I got into law enforcement was to try and understand the mindset of the person I was trying to catch. I was taught great lessons about profiling and getting inside the head of the bad guys, and the veterans on the force shared great knowledge with me about suspects’ “tells” in their behavior and appearance.

Not surprisingly, there has been a lot of effort trying to get into the minds of cyber criminals: What makes them tick? What are their motivations? What are their fears? All great questions. Unfortunately, there aren’t a lot of easy answers.

Remember the popular meme of the early days of the internet: “On the internet, no one knows you’re a dog.” Well, when you’re being attacked, you are rarely sure who is doing the attacking, so pondering the mindset and motivation of the attacker doesn’t do you a lot of good. Bits and bytes are flying at your corporate network, and you’re not really sure if it’s a competitor, a member of an organized cyber-crime ring, a disgruntled employee, or a state actor.

Here’s where our new friends—exponentials—come into play. My experience has taught me that many business executives and boards still cling to the old stereotype of the attacker profile. They too often think it’s some pimply kid in his parents’ basement. He (or on rare occasions, she) is imagined as a lone wolf with social problems or feelings of inadequacy in traditional institutions such as schools or businesses. I’m here to tell you: Come to that conclusion at your own risk.

You must discard those stereotypes and adopt a new mindset of your own that is radically different from that most executives have historically used. You must consider that your latest cyber adversary is fully capable of, and committed to, taking down your organization. The sooner you accept that notion, the sooner you’ll be on your way toward a more relevant and potent cybersecurity strategy.

Another example of exponential thinking you should employ in an effort to break down old biases and consider new actions is the notion of fear. (Not your fear, the cyber criminal’s fear.)

Your strategies should not be built on ways to heighten their fear of being caught and prosecuted; they won’t work. And the reason they won’t work is devilishly simple: The criminals have nothing to lose.

There’s a very pragmatic reason for that by my own estimations: The chances of a cyber criminal being arrested, prosecuted, and jailed are something along the lines of one in a million. Literally.

The chance that they’re going to be caught and punished is the exception rather than the rule, due to the nature of international law. A cop in Milwaukee simply can’t arrest somebody in Russia, France, or China—and all cybercriminals know this. They do not fear you, your defense strategies, your detection tools, law enforcement, or the criminal justice system.

Finally, business executives—and especially corporate boards and board members—need to adopt an exponentially different posture when it comes to taking responsibility for cybersecurity.

First, let’s acknowledge that, while boards are made up of very smart and successful people, they are not digital natives, for the most part. They are probably 55 to 70 years old, on average, and have not grown up in business or in life attached to digital devices. Many of them are not up to speed on technology, so they rely on “trusted partners” to filter questions of technology for them. That might be the CISO, CIO or a technical consultant, but the result is the same: They are counting on the tech people to ensure the organization is cybersecure.

That has to change. If board members lack the skill set to ask the right questions or to push back on issues they don’t understand, they need to find a way to get those skills into the boardroom. Remember: Even if board members want to ask probing questions, the CISO has been known to push back. They may make their case before the board, but the CISO often answers board members’ seemingly elementary questions with buzzwords and industry speak. And because the board members don’t want to come off as uninformed, they don’t probe further and assume all is well.

Instead, board members need to do more to understand their cyber risk posture and exposure. They need to educate themselves and not be intimidated by technical experts who may throw around buzzwords to block them.

Boards also should consider establishing a dedicated cybersecurity committee with a tech-savvy board member as its chair. After all, boards have committees for compensation, governance, and audit. Isn’t cybersecurity just as essential a board responsibility?

Another idea—and this one is radical, not because it’s so strange but because it’s so rarely used—is the notion that boards and senior executives need to practice their responses and reactions to data breaches. All companies have been hit with data breaches; some know about it, some don’t. But boards must lead the way in preparing for that eventuality so they can limit the financial, operational, legal, and brand damage that often occurs.

I don’t mean having a cybersecurity response playbook or a disaster recovery protocol that gets dusted off and updated once a year. I’m talking about digital war games.

As we all know, these are routinely done in other industries, markets, and walks of life. Law enforcement and the military practice them all the time, often with terrifyingly real approaches that make it nearly impossible to tell if the scenario is real or simulated. Of course, the airline industry does this routinely. Do you think an airline pilot suddenly asks himself after 10 years of flying, “Hmmm ... I wonder what would happen if an engine were to go out at 35,000 feet over the Pacific?” Of course not—they practice for this event all the time.

Organizations need to run exercises that include members of the board, CEO, CISO, general counsel, heads of marketing and sales, CFO, and investor relations team. The board should actually run the exercise and take it very seriously. Actions should be monitored, recorded, evaluated, and shared with team members, and corrective measures should be taken to address inadequacies.

Reasons for Some Optimism

I’ve talked a lot about threats, challenges, roadblocks, and hurdles. Many of these have been magnified and spiked in urgency, frequency, and impact as a result of the concept of exponentials. And you’ll remember early on in this chapter that I expressed my deep concern over what’s happening. I think you’ll agree I have good reason to think this way when it comes to cyber threats.

But remember: I’m also very optimistic about what the future holds, especially about all the positive benefits technologies will undoubtedly yield to the world of medicine, education and the global economy. While I have highlighted many of the threats from cyber threat actors, there is also room for hope, given the tremendous amount of attention these threats are receiving. I am heartened by the increasing understanding I am seeing and hearing from many executives, board members, and technical experts about addressing the issue of cybersecurity.

In particular:

1. The questions I’m being asked by executives and CISOs are much smarter, more focused, and more results-oriented. Many of you reading this chapter have come to grips with the understanding that legacy approaches bring legacy results—and that the bad guys are playing with algorithms while too many cybersecurity defenses were designed in an era of mainframe computers.

2. There is a heightened sense of urgency on nearly everyone’s part. Some of it is motivated by a desire to avoid banner headlines in The Wall Street Journal or having executives paraded in yellow jumpsuits out of federal courthouses. But whatever the motivation, everyone is taking this very, very seriously and has a wide-open appreciation of the heightened stakes.

3. Organizations are starting to come around to the sophistication, intelligence, creativity, and determination of cyberattackers. Stereotypes about attackers’ mindsets and motivations, so deeply rooted in digital folklore and some really bad movies, are finally melting away.

4. There is a growing understanding and acknowledgement that being cyber-secure isn’t about having the best technology—as important as that is—but it’s more about exponentially changing the way we think and behave collectively.



A Few New Rules for Changing the Rules

One of the biggest areas of concern among both technical and business leaders is the startling, yawning chasm between the number of cybersecurity professionals needed today and over the coming years and the actual number of digital experts available to fill those positions. Some estimates put this gap at 1 million people by 2020, while others think it may be several times higher. I encourage you to plan for the high end of that shortfall range—and then increase it.

We also know, from the basic economic theorem of supply and demand, that salaries of cybersecurity professionals are rising much faster than IT industry norms. That means that even the people you have on staff—men and women you’ve already invested in heavily—are being approached and poached by headhunters as you read this. That also means that even if you are fortunate to hire good people, chances are you will not be able to keep them too long. Organizations therefore need to take dramatic steps to ensure they have a pipeline of talent constantly coming to their firms to fill these positions. I’m not just talking about upping your college graduate recruiting budget for computer security majors (although you should certainly do that).

Re-evaluate how you identify candidates. I’m talking about rethinking the profile of the kinds of people you hire and train for those roles. For instance, think about the kinds of people who succeed in any organization: What qualities do they possess? Intelligence. Work ethic. Communications skills. A willingness to ask “dumb” questions. An ability to learn from mistakes.

These and other qualities are not necessarily limited to computer science grads from MIT or Berkeley. Think about recruiting people with these demonstrated skills from non-traditional corners of your organization. People like field service engineers or accounts payable clerks. Or truck drivers and copywriters. There are tons of people in your organizations with the requisite personal attributes and mindsets—if not necessarily the deep technical expertise—that can be harnessed to fill that growing gap. Don’t worry. I’m sure you’ll have a ton of great security engineers who will be at the top of their field when it comes to knowledge about tunneling or reverse malware engineering. But you’re going to need a lot more assets and greater diversity of those assets. So think exponentially.

Focus on the user experience of security. Another part of cybersecurity that needs an exponential shift in mindset is the cybersecurity user experience and design. This is an area that is ripe for innovation, if for no other reason than so much of what has passed for security alert software has been woefully inadequate.

How many times do your employees get some pop-up message on their screens while they’re looking on the internet or working on email, and what they see is ugly and confusing? The design of security warnings is abysmal and painful. Users too often default out of the windows because the warnings get in the way of them doing their work, and they don’t see why it’s a big deal to let the warning slide.

It’s not enough that our security protocols work in theory—they have to work where the rubber meets the road at the end of a keyboard used by somebody in your company in sector 4G. And that requires a good understanding of human behavior, something infrequently accounted for in organizational cybersecurity strategies. Set-



ting a policy is only the first step. Making sure it is reasonable, understood, and followed is a whole different ball of wax.

Rethink and re-architect the organizational chart. Lastly, rethink your organizational approach to cybersecurity by getting rid of whatever you call the cybersecurity department on your organizational chart. When you put a nice, neat box around cybersecurity, you’re sending a message: These are the ninjas of cybersecurity. They have the magic potion, the elixir that will defeat the cyber thieves. It’s their concern, not yours.

Throughout this chapter, I have argued that we need a much broader and more radical way of thinking about your cyber defense team, one that takes into account the exponential nature of our world. Cybersecurity needs to be crowdsourced to include all hands on deck. It’s not just the responsibility of a few dozen or even a few hundred technical experts locked up in your IT organization.

Cybersecurity is not just “their” problem. It’s an “everybody” problem. It’s not a department; it’s an attitude. If you don’t expand your idea of how to solve the problem by ensuring that everyone has skin in the game, you are on your way to losing the game. And the stakes of losing, already quite high, are about to become astronomical.

The good news is, there is much we can do to protect ourselves and our organizations from digital threats. The first, and perhaps most important, step is to begin to think exponentially—because in the age of Moore’s Law, every minute counts.



8
Dealing With the Evolving Adversary Mindset
James C. Trainor – Senior Vice President, Cyber Solutions Group, Aon

The views presented in this chapter are my own and not those of the Federal Bureau of Investigation.

Incident #1: On Nov. 24, 2014, employees at Sony Pictures opened their computers to the sound of gunfire, scrolling threats, and a skeletal image now commonly referred to as the “Screen of Death.” By the time the cyberattack was over, more than 3,200 computers and 830 servers were destroyed, highly confidential files were released worldwide, and 47,000 Social Security numbers were compromised.[1]

Incident #2: In 2010, the FBI announced that hackers were using passwords and other security measures to illegally transfer thousands of dollars at a time, from bank account to bank account. The attack, known as GameOver Zeus, affected hundreds of thousands of computers to the tune of more than $100 million.[2]

Incident #3: In the Fall of 2015, a hacker impersonating a phone company employee gained access to the private email account of John O. Brennan. At the time, Brennan happened to be the director of the U.S. Central Intelligence Agency.[3]

Incident #4: In January 2018, a former U.S. National Security Agency contractor, named Hal Martin, pleaded guilty to stealing a massive amount of confidential security information, including NSA cyber-hacking tools. While there are ongoing questions about the plea agreement, there is no question that the stolen tools were used in the devastating WannaCry ransomware attack in May of 2017.[4]

Incident #5: In September 2016, a Kosovo citizen named Ardit Ferizi was sentenced to 20 years in a U.S. prison. He pled guilty to accessing a protected computer without authorization to steal personally identifiable information from approximately 1,300 individuals, including members of the military and government personnel. Ferizi stole the information with the goal of handing it over to ISIS.[5]

What these five incidents have in common is that they caused extensive financial and reputational damage and/or had the potential to significantly compromise a country’s national security.

Different Types of Attacks

Here’s what they don’t have in common: the motivation and mindset of the perpetrators. Each of these incidents represents a different category of cyberattack that businesses, governments, and law enforcement

agencies must be prepared to prevent and address. These are:

1. Nation-State: North Korea targeted Sony Pictures because of the pending release of a comedy called The Interview.
2. Criminal: GameOver Zeus was one of many criminal attacks that earned the alleged mastermind, Evgeniy M. Bogachev, a $3 million bounty from the FBI for his capture.
3. Hacktivist: The Brennan attack was the work of an organization called Crackas with Attitude (CWA). The five alleged perpetrators ranged in age from 15 to 24.
4. Insider: The Hal Martin attack is viewed by many in law enforcement as a potential catastrophic event because it makes all potential adversaries more dangerous.
5. Terrorist: Ferizi was captured after posting a tweet that stated, “We are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”

Understanding the Evolving Adversary Mindset

I spent more than 20 years at the U.S. Federal Bureau of Investigation, and in my last role as Assistant Director of the Cyber Division in Washington, D.C., I led the team that developed and implemented the FBI’s national strategy to combat cybercrime. One of the cases I worked on was the Sony attack, which was historic for many reasons.

For one, it involved a wide range of malicious acts against Sony, including intrusion, destruction, and threats to employees and the public. The government was able to respond quickly. Within days, the FBI identified the perpetrators and, within six weeks, President Obama signed an executive order issuing sanctions against three North Korean organizations and 10 individuals.

Responding to this type of breach required an understanding of the legal and regulatory environment, the technical environment, privacy issues, media-related issues, and more. Preventing a breach of this size and scope is just as challenging, if not more so. It has been difficult enough to understand the mindsets of each of the individual types of adversaries. It becomes even harder when these adversaries have multiple motivating factors and sponsors, such as government-backed attacks for both profit and geo-political warfare.

Another reason I consider the Sony attack to be historic is because it portends what we can expect in the future, where there is a blending of mindsets, behaviors, motivations, and techniques from all types of adversarial actors. We are already seeing examples across the globe from various nation-state actors––principally from North Korea, but also from Russia and China.

At the same time, those who would do harm for profit, politics, or principle are becoming more sophisticated all the time, with easier and cheaper access to tools and technologies. We are even seeing the emergence of cybercrime-as-a-service. And we are giving our adversaries a larger potential attack surface, with innovations such as the Internet of Things (IoT), the growth of big data analytics, and our exponential use of massive social media platforms.

Responding to the Evolving Environment

As the threat landscape evolves, and as it becomes harder to distinguish between



a threat from a nation-state and a threat from a criminal enterprise, the onus is on all of us to be better prepared so we can prevent attacks and respond quickly and appropriately when there is a breach. Of course, that is much easier said than done.

In my experience, many company executives feel that cybersecurity is too broad and all-encompassing, and that it can be overwhelming. They don’t know where to start; they have a hard time measuring the return on investment for cybersecurity; and they are concerned about escalating costs. An exception to this is companies that have experienced a cyberattack. Those are the companies that have a sense of great urgency and purpose.

All of us reading this book, all of us who are passionate about protecting our future and making it safe to navigate the Digital Age––we all need to adopt a similar sense of urgency. Our adversaries are getting bolder and more sophisticated. We have gone from Sony, where there was an attack on freedom of expression and business operations, to attacks on democratic processes and elections. It won’t stop there. We are seeing an increase in ransomware, extortion and, eventually, we can expect to see more attacks that threaten the loss of human life.

Given the changes in the mindsets, motivations, tools, technologies, and behaviors of our adversaries, how do we respond? What are the steps we can take now to be better prepared, to be true to the exciting promise of the Digital Age, while recognizing and fighting back against the inherent dangers of an evolving adversary mindset?

I suggest we start by focusing on these key areas:

Connectivity: As we expand our connectivity, we also expand our attack surfaces. Adversaries can harness IoT devices as botnets, causing heightened concern over a potential distributed denial-of-service (DDoS) attack on critical infrastructure. One company has warned about a massive botnet that is recruiting IoT devices to create a cyber storm that could take down the internet.[6] This is not to say we shouldn’t move forward with IoT innovation. But we must be aware of increased vulnerabilities. Securing IoT devices is different from securing traditional PCs, laptops, and smartphones. We must quickly get smart about how we use these devices and how we secure them. Do we really want to create an army of toasters that our adversaries can use to attack us?

Regulatory/Legal: The risk of fines, negative publicity, and other penalties tends to be a fairly strong motivator for organizations to focus on cybersecurity with a greater degree of urgency. In Europe, we are seeing that compliance with the General Data Protection Regulation (GDPR) is forcing organizations to do a full assessment of their security profiles to ensure a variety of protections. These include providing data breach notifications, anonymizing data to protect privacy, safely handling the transfer of data across borders, and others. It is important to recognize that while GDPR is a product of and requirement within the European Union, it impacts any company around the world that possesses the personal data of EU residents. This is a good thing. In the U.S., questions are being raised whether any regulations—and what kind of regulations—could have been used to either prevent or mitigate the massive Equifax cyberattack that affected more than 140 million Americans. It is the hope of many that Equifax turns out to be a cautionary tale of what can happen when there is a lack of government oversight.[7]



Vulnerability awareness: Ransomware attacks are continuing to grow, with many instances still going unreported or underreported. We are also seeing that spear phishing and social engineering tactics are getting more crafty, more targeted, and more advanced. In 2017, attackers deployed new spear phishing tactics against organizations across all sectors, including major technology companies and government agencies. Hackers tricked employees at international energy companies into opening documents to harvest usernames and passwords, granting access to power switches and computer networks. Fraudsters targeted UK students with an email scam to steal personal and banking details. At the same time, the spread of misinformation continues, and data integrity attacks are on the rise––impacting the market value of companies and our ability to respond to natural disasters, and influencing public opinion.

Disrupting the Attack Lifecycle

This is also an important time to invest in cybersecurity education, awareness, and training. The more we understand about how attacks work, the better job we can do at lessening their impact––regardless of the motivation and mindset of the adversary, and regardless of our roles and responsibilities within our organizations. The way attackers work is to follow a series of six stages that comprise what we refer to as the “attack lifecycle.”[8] These are:

1. Reconnaissance: This is the planning stage, during which attackers research, identify, and select targets.
2. Weaponization and delivery: Attackers determine which methods to use to deliver malicious payloads, such as automated tools, exploit kits, and spear phishing attacks with malicious links or attachments.
3. Exploitation: Attackers deploy an exploit against a vulnerable application or system, typically using an exploit kit or weaponized document. This allows the attack to gain an initial entry point.
4. Installation: Once they’ve established a foothold, attackers install malware to conduct further operations, such as maintaining access, persistence, and escalating privileges.
5. Command and control: With malware installed, attackers then actively control the system, instructing the next stages of the attack. They establish a command channel to communicate and pass data between infected devices and their own infrastructures.
6. Actions on the objective: With control, persistence, and ongoing communication, adversaries can act upon their motivations. This could be data exfiltration, destruction of critical infrastructure, theft, extortion, criminal mischief, or some combination of all the above.

Being able to leverage knowledge about the attack process provides an advantage for defenders because attackers must be successful at each step to succeed. The defender only has to “see and stop” the adversary at any stage to cause the adversary to fail. To be able to do this successfully, an organization needs to have a holistic approach to addressing cyber risks. In general terms, this includes:

• Increase visibility.
• Reduce the attack surface.
• Prevent known threats.



• Discover and prevent unknown threats.
• Quantify risk.
• Transfer risk.

When discussing cybersecurity, I often compare it to healthcare. If I eat well, exercise, don’t smoke, and see the doctor regularly, I reduce the likelihood of getting sick. But we all get sick, and that’s when health insurance comes in to cover the costs associated with an illness. The same thing applies in cyber. If an organization performs the first four steps successfully, then a safety net of cyber insurance can help mitigate catastrophic financial consequences.

How do you accomplish these objectives? Disrupting the attack lifecycle and reducing risk relies on a combination of technology, people, and processes.

• The technology must be highly automated and integrated across all network environments, including fixed, mobile, physical, on-premises, and cloud, from the perimeter to data centers, branches, endpoints, and IoT devices.
• The people must receive ongoing security-awareness training and be educated in best practices to minimize the likelihood of an attack progressing past the first stage.
• The processes and policies must be in place and enforced for rapid remediation should an attacker successfully progress through the entire attack lifecycle.

Preparing for the Future

One of the ideas that recurs throughout this book is the maxim that cybersecurity is everyone’s responsibility, as discussed in chapter 10. Investing in cybersecurity education, training, and awareness is a necessary step in that direction. But there is more work to be done.

As participants in a global economy, as nations, as individual companies, and even as individuals, we can all create an atmosphere of cybersecurity cooperation and collaboration. A model for the future, at the policy level, is the U.S.-China cybersecurity agreement, which was signed in 2015 and renewed in 2017. Under terms of that pact, the countries have agreed to refrain from state-sponsored cyberattacks on one another’s private-sector companies.

As organizations and institutions––companies, academia, government agencies––we can all be more proactive in sharing threat intelligence so we can prevent attacks and react in real time to minimize the damage of successful attacks. As individuals, we can take advantage of cybersecurity education and training to ensure that we are following best practices, based on our roles, responsibilities, and vulnerabilities within our organizations.

For example, I strongly encourage board members to be aware of and adhere to the five principles of cyber-risk oversight developed by the National Association of Corporate Directors in the U.S. These are:

1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.



4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

Conclusion

We live in interesting times. Each day, it seems, brings headlines of a new cyberattack or threat (see graphic on page 57). In 2016 alone, the FBI’s Internet Crime Complaint Center (IC3) received nearly 300,000 complaints.[9] In February 2018, the Center for Strategic and International Studies estimated that global losses of cybercrime in 2016 were approximately $600 billion. This is an increase from $445 billion in 2015.[10]

Exacerbating the challenge is the reality that the mindsets of our adversaries are a moving target. While adversarial motivations and intentions may have been identifiable in the past, we are now dealing with an environment where there is a melding of the mindsets. What may seem like a cybercrime for profit, or a hacktivist attack, may in reality turn out to be a state-sponsored event or an attack initiated by a company insider.

Recognizing that the motivations of our adversaries are evolving is an important step in the right direction. It helps us all to be more aware. This awareness should also translate into a professional and personal responsibility to take action: Whether that is to undertake cybersecurity training, to hire experts for board meetings, or even just to make sure we are using two-factor authentication.

We can’t always predict criminal behavior. But we can be educated, aware, and proactive in making sure that we are doing everything we can to mitigate and minimize risk. As we look to the future of cybersecurity in the Digital Age, that should be our mindset.

[1] “The Attack on Sony,” 60 Minutes, April 12, 2015
[2] “GameOver Zeus Botnet Disrupted,” FBI.gov, June 2, 2014
[3] “Student pleads guilty in hacking ring that targeted CIA Director John Brennan,” Politico.com, Jan. 6, 2017
[4] “A Stolen NSA Tool Is Being Used in a Global Cyberattack,” The Atlantic, May 12, 2017
[5] “ISIL-linked Hacker Sentenced to 20 Years in Prison,” The United States Attorney’s Office, Eastern District of Virginia, Sept. 23, 2016
[6] “New botnet could take down the Internet in ‘cyberstorm,’ says Checkpoint,” Internet of Business, Oct. 23, 2017
[7] “Equifax Breach Puts Credit Bureaus’ Oversight in Question,” NPR, Sept. 21, 2017
[8] Lockheed Martin has registered the term Cyber Kill Chain®, which describes a similar framework in seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives
[9] “2016 Internet Crime Report,” FBI Internet Crime Complaint Center (IC3), June 2016
[10] “Economic Impact of Cybercrime: At $600 Billion and Counting—No Slowing Down,” Center for Strategic and International Studies, Feb. 21, 2018



[Graphic: TYPES OF ATTACKS AND DATA]

Types of Data: Customer Information; Intellectual Property; Legal Information; Merger & Acquisition; Military Technology; PII, PCI, PHI; Policy Information; Trade Secrets.

Types of Attacks: Business Email Compromise (BEC); DDoS; Destructive Attacks; Doxing; Espionage; Extortion; Ransomware; Theft of Data; Website Defacements.

© Aon Corporation. Used with permission. This image may not be reproduced or used in part or in full, without Aon’s written consent.



9
The Evolving Role of the CISO:
From Risk Manager to Business Enabler
Justin Somaini – Chief Security Officer, SAP

One of the first things I do in my role as Chief Security Officer is reach out to the heads of other departments to find out how I can integrate myself into their operations. In one more extreme instance, I asked if I could join the sales department on a part-time basis. Not as a salesman, thank goodness, but in my role as CSO. The head of sales was a bit perplexed, but agreed. For a year I participated in sales meetings and even went on sales calls.

I learned about conversion rates and vicariously experienced the unimaginable thrill of closing a big sale and the crushing pain of losing one. By the time the year was up, I had a solid understanding of how our sales organization worked and, perhaps even more importantly, I had developed close working relationships with a number of key people in the department.

You may be thinking: You’re a chief security officer. Why would you spend a year in the sales department, even part time, when your job is to protect the company from security breaches and ensure that it remains compliant?

I would answer that merely protecting the company from security breaches and ensuring compliance is actually not a very good description of my job, nor the job of my peers and colleagues around the globe. Not in 2017, not in 2018, and certainly not in the years ahead.

The role of the CSO, or as many prefer, the chief information security officer (CISO), has come a long way in the 20-plus years since the CISO title was first created. Today it is evolving at a faster pace than ever before. The CISO now must identify himself or herself as a business enabler and, just as critically, he or she must be recognized in the same way by others—from the boardroom to the executive suite to the various lines of business and departments that keep the organization focused, functioning, and moving forward on a day-to-day basis.

How could I enable sales if I didn’t understand sales? Or marketing, human resources, finance? How can I enable the business if I don’t have a firm understanding of how the business works, what motivates the teams, what the corporate culture feels like in the trenches?

These may seem like fairly obvious questions, but they are not necessarily the questions most CISOs have asked in the past. Looking to the future, I believe these

are the kinds of questions that will increasingly define how CISOs operate. They will also be a factor in who fills those key roles and how security practitioners interact and collaborate within their departments and across the organizations at large. If the CISO is empowered to enable the business, he or she must speak the language of business and be conversant with the basic activities and values of the business.

The Transition to Business Enabler

The CSO is a continuously evolving role that drives a continuously evolving skill set. In order to be successful, practitioners need to be proactive in maturing the role as well as themselves. Twenty years ago, the job was basically to manage the firewall and secure the perimeter. You didn’t have to know much about what you were protecting, as long as you knew which technology solutions would do the best job of keeping the bad guys at bay.

The world today is much different. Digital technologies and connectivity have infused every aspect of the business. This elevates risk, but it also elevates the value and importance of the cybersecurity function. The CISO increasingly has a seat in the executive suite because security is no longer just about risk; it’s also about competitive differentiation.

The most fundamental way in which security can act as a differentiator is by removing hurdles to enable and empower the sale of products and services to the customer. When I think of my objective at SAP, it is to have a secure company and a secure customer. It’s pretty straightforward, yes. But making it happen is anything but simple.

For example, security should be able to empower faster, more agile and more reliable product development. That is one reason organizations are more inclined to include security early on in development processes and why we are seeing the rise of SecDevOps. In addition, security must support business and technology innovation—think Big Data analytics, the Internet of Things, social networking, and machine learning, to name a few—to enable true competitive differentiation and potential market disruption.

There are other ways to drive business enablement. If we build better, more reliable security protections into solutions than our competitors do, we can build customer loyalty and help retain existing customers. If we can create security solutions that are seamlessly aligned with the company’s direction, we can create differentiated products, services, and potential revenue streams. For example, the company comes out with a new service that offers advanced security monitoring and alerts for an additional $10 a month. If we can drive operational efficiencies and effectiveness, we can help the organization accelerate speed to market and reduce overall costs.

The Evolution of the CISO

How do we get there from here? What are the skill sets that will differentiate the best CISOs from the rest? What do business leaders and board members expect from their CISOs, now and in the future? How can we ensure that we are truly enabling the business, while still performing our fundamental responsibility of having a secure company and a secure customer?

I suggest we start by focusing on three specific areas:

1. Ensuring that we are extremely disciplined in the things that are known: This should encapsu-



late the basic tasks of the cybersecurity domain—controls, vulnerability scanning, patch management, application security, and more. We need to be absolute professionals in these tasks and functions. If you can’t deliver on the basics, you can’t deliver, period.

2. Becoming proficient in addressing today’s more expansive expectations: For example, we can talk about risk management, but we need to actually define it and articulate it for our organizations, so decision-makers understand what they are investing in, and why. We must be proficient in empowering specific initiatives that are impelling our organizations forward, such as cloud computing, modernizing legacy applications or enabling secure mobility, digital transformation, and other organizational imperatives.

3. Analyzing, predicting, and preparing for the future: Technology is moving at a rapid pace, to be sure, but there are certain things we can predict about the future with pretty clear certainty. We know that the Internet of Things is something we must make secure. We know that IT consumerization will continue to redefine customer expectations. We know that jurisdictional fiefdoms are continuing to impact how we think about security. We know that technologies such as artificial intelligence and machine learning will help drive innovation, within our own organizations and among our adversaries.

We must be thoughtful and proactive in advancing security into these domains before they become a problem. Business enablement is more than merely being aware of these responsibilities and challenges; it also requires that we become excellent and proficient in communicating, collaborating, interacting, and managing our inter-relationships within the organization.

Clearing the Lines of Communication

It is not simple to evolve from the kind of cloistered, poorly communicative security department that has characterized many organizations into an operation that is fully engaged and adapted. You need to have the buy-in, support, and prioritization of the security function across the organization, whether that is sales, marketing, development, customer support, or any other business function or department.

The only way to get that buy-in is through translating and communicating the language of security so that business people understand it. CISOs have to step outside of the security domain and see what value they can add throughout the organization. In my experience, there are four fundamental objectives the CISO must be thinking of when communicating within the organization:

1. How can cybersecurity help generate, protect, and ensure revenue?
2. How can cybersecurity help retain existing customers?
3. How can cybersecurity help differentiate against competitors?
4. How can cybersecurity drive operational efficiencies and effectiveness?

To do this, you need a security team that is transparent, forward-leaning in engagement with the organization and, perhaps most important, deeply knowledgeable about how the business is run and what the various departments truly do.

How can the CISO expect the company to understand the risks, if we can’t transparently explain what the reality is? We need the rest of the organization to see the world through our eyes.

CISO: The Next Generation
Every business and every culture is different. A for-profit organization is not going to have the same goals and objectives as a non-profit. A company with a global customer base is going to operate differently than a company whose customers are regionally located.

One of the many things I learned in my year with the sales organization was that our sales teams in South America had much different motivations and ways of operating than our sales teams in North America. Would I have been able to truly understand this if I hadn’t taken the time––and had the interest––to learn in great detail how the organization worked?

Tomorrow’s CISOs will have to be on intimate terms with every aspect of the organization. I think it is wise for security professionals to follow the intent of an MBA rotation program and spend a quarter inside the marketing organization, a quarter inside sales, a quarter inside finance, a quarter inside HR or manufacturing, or some other department central to the overall operations of the business. You get a basic, simple education over time. It’s not academic. It’s real. You get to watch the everyday lives of your constituents. It helps you change your security model and mindset.

People often ask what characteristics to look for in potential CISOs. The first thing I look for is someone with a strong moral compass. I look for people who will do things beyond their responsibilities. If she sees something wrong, she fixes it, without looking for credit. I look for people who have a basic curiosity. We are a horizontal function across the business. I want someone who wants to ask: How does the business operate? How does it grow? And I certainly want someone who is curious about security technology. If you’re not curious about new technology, you’re not going to take the time to explore new ways of doing things. In cybersecurity, we always have to be willing to adopt new technologies and new solutions to solve new problems.

If I have to go around telling people what they should be doing, I am not doing my job very well. I want people to be unsatisfied with what they have, who are waiting for me to move on so they can step into my role. You can’t teach someone to be a CISO; they have to be able to do the job, to learn, and to adapt, and they have to be forced to grow. They have to be self-critical and very open mentally. Curiosity is amazingly important. In order for you to convince the rest of the business to take security seriously, you must understand what motivates them and how you can better influence them. In order to do that, you’ve got to get to know them.

Steps to Take Now
How does any executive get defined as being successful? You have to make your number, whatever it is. In security, because we don’t generate revenue, we’re often measured in terms of risk mitigation, not necessarily business enablement. If you are successful, you may have no incidents. If you have no incidents, people will think there’s no need to invest in security. So you have to communicate: Let us show you how we are being attacked and how we are blocking these attacks.

Once you really understand the business, you can talk the talk much more

62 Why and How We Must Change Our Roles and Behaviors


effectively in the language of business enablement. For example, many companies are looking to drive business in China. Security needs to be part of that discussion. We have the power and potential to help the company overcome hurdles, and if we can overcome those hurdles, we can help the company acquire new customers and open up new revenue streams. That is how you win the hearts and minds of executives and that is how you motivate them to give you a seat at the table.

Here’s one more measure of success that may not be obvious to CISOs who are not yet focused on business enablement: Do your peers in the organization include you in relevant discussions? Do they like you or hate you? Do they see you as obstructionist or do they see you as part of the culture of change? If people don’t want to include you, you are not going to be able to help them. It puts the onus on CISOs and their teams to be more engaging, open, and inclusive.

The path to business enablement is a journey. There are simple steps we can each take immediately, and it doesn’t necessarily mean spending a year in the sales department, although, if you haven’t done it, I highly recommend it. The things security professionals can do now to be more proactive in supporting business enablement include:

• Send an email to the heads of sales and marketing, and tell them you want to learn. Ask if you can sit in on weekly sales calls. That one step will go a long way. They will understand who you are and what you do. Right now, they probably have no concept. Identify people in the organization with whom you need to build relationships, and ask them what you can do to help.

• If you don’t already do this, read the company’s financial reports religiously. They will give you valuable information about your business that you won’t always be aware of during the normal course of day-to-day activities.

• Reach out to your peers and build some kind of “state of the union” report, or annual cybersecurity report, or a compelling infographic. Give them something that is interesting and informative, so that people with either little time or lack of interest will spend some time with it and learn something from it. We must be looking at how we change our language so that it resonates with non-security people. Develop a cadence of different deliverables and materials, using all of your resources, including online. Then track what works best in your organization, both with your peers and with the executive board.

• Look at your team and your culture. Are you open about the problems of cybersecurity? If necessary, have a cybersecurity town hall meeting. Keep open office hours for everyone to come by and air grievances or simply communicate about real issues and opportunities. Your team will see the change in tone and direction, and they will naturally follow suit.

• Take a hard look at yourself. Do you love what you do? What really motivates you? Are you curious about the overall business? Where do you spend your time on a monthly basis? Most of us avoid the things we hate and go to the things we like. Are you self-critical? What do you resist, what do you find to be stressful, do you avoid having critical conversations with your boss or peers?
Conclusion
This is a great time to be a cybersecurity professional. Our role in our organizations, and the world, is becoming more critical and more highly valued. It also means we take on more pressure and have more responsibility. Doing things the way we’ve done them in the past just won’t cut it in today’s environment.

To prepare ourselves and our organizations for the future, we must understand and speak the language of business enablement. We must be curious about how the business works, and we must be articulate in explaining how we can help. We must evolve and we must do it quickly. The Digital Age isn’t waiting for anyone.



10
Cybersecurity and the Board:
Where Do We Go From Here?
Mario Chiock – Schlumberger Fellow and CISO Emeritus, Schlumberger

“Everyone is responsible for cybersecurity.”

Perhaps more than any other phrase, this may turn out to be the defining axiom for the next phase of the Digital Age. As we become more dependent on digital connectivity, we concurrently become exposed to additional risk. No one can afford to be the weakest link. Each organization must ensure that each of its people, whether employees, contractors, or anyone else affiliated with the business, understands what he or she must do to protect the organization and its digital assets.

It starts right at the top, with the board. Board members, perhaps more than anyone else, can set the cybersecurity agenda and tone for the entire organization. Not only can they set the agenda, I would argue that they must set the agenda and risk tolerance. They represent a critical line of defense within the organization’s overall cybersecurity posture. Beyond that, board members are increasingly vulnerable targets of cyberattacks. The actions they take can have a huge impact on the organization, both practically and symbolically.

The challenge, however, is that boards of directors are typically not selected because of their deep expertise in cybersecurity. So how do board members gain knowledge and insight so they can have a positive impact on the organization? How do they adjust to a rapidly changing world, where innovations such as artificial intelligence and the IoT are making cybersecurity a constantly moving target?

And, perhaps most importantly, how do board members define the role they take—now and in the future—so they are not just a part of the “everyone is responsible for cybersecurity” paradigm, but they are actually leaders in defining and executing it?

The Evolving Role of the Board
The onus on boards to get smart about cybersecurity is a relatively recent phenomenon. In the past, boards looked at guiding a company from a business perspective when it came to risk management. As an example, perhaps an organization had specific intellectual property that was highly valuable and at risk for theft. This would have been of concern to the board and, as part of their oversight responsibilities, they would have insisted that management have a plan to ensure its protection.

But cybersecurity is a different world. Risk comes in various forms, flavors, and

factors. We are now dealing with ransomware, data breaches, and DDoS attacks, among others. We are dealing with potential attacks that can cripple our operations, expose us to lawsuits and regulatory fines, destroy our reputations, irreparably damage customer goodwill, and prevent us from going forward on our journey toward digital transformation.

We are also in a world where it becomes increasingly important to quantify risk and to determine where we are vulnerable. It’s not just our employees, for example, to whom we have to extend protections. Hal Martin was an outside contractor when he stole the NSA tools that were used in the WannaCry ransomware attack in May 2017.[1] The Lockheed-Martin attack in 2011 was linked to a third-party vendor.[2] In a similar way the attackers of the Target breach first got an ID from an HVAC contractor.[3] We are now seeing attackers breaching our resources, such as high-performance supercomputers or cloud resources, to use them for nefarious purposes such as theft of cryptocurrency.

In this new world, attacks can come from anywhere, at any time, and without any warning. Our cyber world is drastically different than it was five years ago—just as it will be drastically different five years from now when we will have, literally, billions more connected sensors and devices. Plus, we will have had five years’ worth of advances in artificial intelligence, machine learning, robotics, and other “exponential” technologies, as discussed in Chapters 3 and 11. It’s not just a question of what we can accomplish with those technology innovations, it’s also a question of what our adversaries will be able to accomplish with those innovations.

Getting Smart About Cybersecurity
In this new world, in this ever-changing environment, if you sit on a board, you and your fellow board members must get smart about cybersecurity.

You can’t exercise oversight if you don’t know what questions to ask, or even worse, if you choose to put your collective heads in the sand and pray that corporate management knows what it’s doing when it comes to cybersecurity. In today’s cybersecurity environment, and tomorrow’s, boards must be proactive, not reactive.

Step 1: Understand and Define the Board’s Role
The first step in getting smart is to understand and define the board’s role. The board’s primary responsibility is oversight. Boards do not have to enact cybersecurity policies, but they have to understand which policies are in place, if they are being monitored, and how they are being enforced.

If the organization is not doing enough to protect vital assets or to ensure regulatory compliance, boards have a fiduciary responsibility to at least ask questions and, if they are not satisfied with the answers, then to take action. In the typical governance responsibilities for cybersecurity, the board is the second line of defense, as follows:

LINES OF DEFENSE

First line: Internal Controls; Line Management Oversight
Second line: Risk & Compliance; Board of Directors
Third line: External Consultants; Cybersecurity Advisors



Step 2: Get the Right Advice
Recognizing that the chief responsibility is oversight, the next step is for the board to become educated about cybersecurity. Collectively, the board must have the knowledge, awareness, and insight to ask the right questions. Then, the board should be able to interpret the answers and put them into the context of the organization’s overall risk profile when it comes to cybersecurity.

How does the board attain that knowledge and insight? Relying on reports and briefings from executive management is essential, but may not be enough. Some boards may seek to use their own expert, not just to interpret what management is saying and doing, but also to understand which questions to ask management—and when.

This is not a totally foreign concept for boards, but it is perhaps new when it comes to the world of cybersecurity. Boards have traditionally hired third-party companies to conduct financial audits to assure that there is no fraud or other breaches of fiduciary responsibility by management.

So why should cyber risk be managed any differently? I see many boards trying to oversee cybersecurity from the perspective of a financial audit. This provides a limited view. Auditing is about compliance: Being compliant doesn’t make you secure, and being secure doesn’t make you compliant.

The organization’s overall cybersecurity profile should be considered, and as such, some boards opt to hire outside experts, as they’re perceived to have unbiased views. This should include an analysis of the people, processes, and technology. It should also include regular meetings with the full board and/or board committees, as well as ongoing engagement with executive management.

Step 3: Personalize Cybersecurity
Board members need to be aware that they are valuable targets for adversaries, and they must be role models for others in the organization when it comes to following best practices in cybersecurity.

If you are on the board of an organization, you have access to vital data that could be of extreme value to adversaries. You also likely have a wide range of permissions to access even more data. Finally, adversaries may assume that board members are more “old school” and perhaps less “cyber-aware” or sophisticated, so they may target them for attacks. Remember the axiom, “Everyone is responsible for cybersecurity,” which means everyone should take the proper precautions.

Your devices, personal emails, and social media accounts are all areas where you can be compromised. And you must always be cognizant of the risks. For example, traveling to certain countries can expose your organization to significant risk. When traveling, be careful with your IT assets. It may be worth leaving unnecessary data or equipment at home. You should also take special care with mobile devices and network connections. Big Brother may be watching.

Establish the Necessary Checks, Balances, and Processes
Getting smart and staying smart about cybersecurity are not one-time activities. Rather, they are ongoing processes that require constant care and upkeep.

Boards are generally good at making long-term decisions. They may have an annual meeting with an annual budget and a full year to react to changes. In the case of cybersecurity, that does not work. The landscape is much too dynamic. Taking a year to react to anything is not reacting at



all. It’s more like falling asleep at the wheel when the bus is going 110 miles an hour. So, boards need to be agile; they also need to be proactive and, when necessary, reactive to current trends and events.

Another challenge for boards is in speaking the right language. Frankly, this is less of a board problem and more of a problem for CISOs and other security professionals. Board members don’t want to talk in jargon. They don’t want to hear about code or patches. If the conversation gets too geeky, they tune out. While it’s up to board members to be up to speed on the important trends and issues regarding cybersecurity, it is not their responsibility to know every product name and specification.

Board members don’t care how many servers have been patched, they care about risk. The language should be more along the lines of, “This will happen if we don’t stay up to date on patching, i.e., the business may shut down for an hour or a day or a week, which will cost us X amount of dollars.” The language must shift from security and technology babble to business terms that board members speak and understand. We shouldn’t need translators sitting in on board meetings.

Board members also need to understand that you do not become more secure simply by spending more money. IT and security managers may want to hire more people and deploy the latest and greatest advanced technologies. In certain circumstances, that may, indeed, be appropriate. But the people directly responsible for cybersecurity within the organization must be smart about it. I am a big believer that 80% of risk can be eliminated through basic cybersecurity hygiene (see related story: The Basics of Cybersecurity Hygiene).

When it does come to technology, however, the board should listen for specific language coming from their teams. Words like “automation” and “efficiency” are essential in today’s cybersecurity world. I often advise that the days of doing manual security are over. If we do things manually, the bad guys are going to beat us every time. Security in the 21st century has to be automated and boards need to understand that.

Another important point: We have to be smart about our technology investments. When we buy or build something new, we must get rid of the older technology. Your organization does not need to compile technology. In fact, when it comes to cybersecurity, that approach will actually work against you.

Finally, it is important for boards to have a sense of history. In order for companies to enable their people, processes, and technologies to evolve for the future, it is quite beneficial to understand where they’ve come from and what trends may be driving future changes. For example, antivirus was a big part of cybersecurity 25 years ago. Modern CISOs should be talking about endpoint protections rather than antivirus.

Prepare for the Future
Cybersecurity is about preparation. As mentioned, 80% of risk can be eliminated through basic cybersecurity hygiene. But how can we prepare for the future when we can’t always predict what the future will bring?

We know that the Internet of Things is growing exponentially, that technologies such as machine learning and artificial intelligence are becoming more mainstream. We know that our adversaries are becoming bolder and more aggressive, not merely motivated by the opportunity to make money, but also spurred by issues such as geopolitical disruption. We know that the models we’ve traditionally



applied to cybersecurity must be adapted and modernized to address a new risk environment that is constantly and dynamically changing.

From the vantage point of the board, what can we do, how can we ensure that we as individuals and as leaders of organizations can be better prepared? Here are some suggestions:

• Focus on risk mitigation. If you can identify risks, you can take steps to quantify them. There are certain flex points when risk is heightened––during a merger or acquisition, for example. Be aware of these flex points and take the proper steps to mitigate risk when appropriate and necessary. Every company has a different view of the types of risks they are willing to take. It is critical, as a board member, to understand and help define the company’s overall risk acceptance.

• Invest in education, training, and awareness. Just as everyone is responsible for cybersecurity, so should everyone participate in education, training, and awareness programs. These programs need to expand beyond employees and contractors. Remember, it can take just one person failing for a breach to succeed.

• Measure, monitor, and mitigate risk. CISOs and CEOs need to be able to develop measurements so that board members can monitor progress and ensure that the organization is moving in the right direction when it comes to cybersecurity.

• Develop high-level framing. Board members need a high-level framing of risks and opportunities to be educated regularly on the fundamentals of cybersecurity. They also need to be educated on some of the new technologies, as well as the importance of automation.

• Prepare for the worst. Crisis management, incident response drills, and cyber-incident simulations are needed at all levels, including the board. Start small and simple, and then increase the severity and sophistication to bridge the gap between technology and response.

• Translate security into business language. Organizations should have a business-oriented equivalent of a cybersecurity framework for board members. This would spell out the organization’s security model in a non-technical manner that focuses on risk, using business terms that board members can easily relate to and understand.

I would like to stress two additional points that are important for board members:

1. Public-private partnerships can be extremely valuable. Our government and law enforcement agencies, as well as our regulatory bodies, have access to information and resources that can help every organization be better prepared to prevent and/or respond to attacks. I encourage every board member to be an advocate for public-private partnerships. Sharing information within an industry and with the government can help reduce the mitigation burden on any one entity.

2. You don’t always need a very large security team. As we keep hammering home in this chapter: Everyone is responsible for cybersecurity. If you get enough people buying in to that concept, you can create great virtual security teams that can work together



to mitigate risk. This approach is especially valuable at a time when nearly every organization is facing a shortage of experienced security personnel. This approach can also help develop cybersecurity expertise for the future.

Conclusion
There is another way to communicate the concept that everyone is responsible for cybersecurity. We can be more direct about it and say: You are responsible for cybersecurity. It doesn’t matter to whom you say it; it applies. In fact, when applied to board members, it seems to take on a deeper meaning, doesn’t it? It states the reality that as a board member, you have a certain responsibility, not just for your own personal cybersecurity protections, but also to the organization as a whole (see graphic on page 71).

It’s a difficult challenge, to be sure, especially in this fast-changing world. But it’s a challenge every board member should be ready to take on with passion, enthusiasm, and commitment. The future of the Digital Age is in our hands. Let’s make sure we are prepared.

[1] “A Stolen NSA Tool is Being Used in a Global Cyberattack,” The Atlantic, May 12, 2017
[2] “Lockheed attack should put U.S. on high alert,” InfoWorld, June 6, 2011
[3] “Target attack shows danger of remotely accessible HVAC systems,” Computerworld, Feb. 7, 2014

THE BASICS OF CYBERSECURITY HYGIENE

Organizations can significantly reduce risk by focusing on cybersecurity hygiene. Board members can help protect themselves and their organizations by being aware of the basics, which are:

• Keep operating systems patched and current; make sure each OS (operating system) is a supported version.
• Keep third-party programs patched and in their current versions.
• Remove unused programs and sample code from production servers.
• Don’t leave default configurations intact—especially default passwords.
• Back up all data and configuration files.
• Install protection software and anti-malware, keep an application whitelist, and perform integrity checks.
• Deploy encryption in transit and at rest.
• Use secure passwords (do not embed in code / do not store unprotected).
• Proactively manage and monitor access privileges.



[Graphic: CYBERSECURITY MUST BE ON EVERYONE’S AGENDA. The diagram places the Board, CEO, CFO and Executives at the top, asking “What is the potential impact of a cyber breach?” and charged with mitigating risk ($). Below them, Information Technology (CIO, Business Systems, Helpdesk, Data Centers, IT Security, IT Operations: networks, servers, desktops) manages the IT infrastructure and software and needs to protect IT; All Employees & Third Parties need to use the data and the technology; and the Business (Operations, Marketing, HR, Legal, HSE, Supply Chain, Operational Technology) needs to protect the data and technology.]


How Work Requirements and Ethical
Responsibilities Come Together
11
Cybersecurity and the Future of Work
Gary A. Bolles – Chair, Future of Work at Singularity University; Co-founder,
eParachute.com; Partner, Charrette; Speaker and Writer

Throughout human history, technology has transformed work. From the wheel to the internal combustion engine, technological advances have repeatedly changed how, when, and where we work. But the pace of technology-infused work is dramatically accelerating. From consumer-driven mobile phones to blockchain-enabled contracts, technology is an increasingly critical part of work, redefining a wide range of work-related processes.

The transition from an agricultural to an industrial economy meant a dramatic transformation in the very nature of work. But this transition took nearly a century. We are today transitioning to a digital work economy, and in a blindingly short period of time. As technology increasingly infuses, enhances, and—in many cases, replaces—human work, business and technology leaders need to anticipate, understand, and ultimately leverage the macro changes affecting the world of work.

For example, the increasing number of remote workers and non-traditional work arrangements means that the binary status of an employee or non-employee dissipates, requiring new approaches to everything, from identity to payment of compensation. And the fundamental risks associated with worker backgrounds and capabilities require a new way of thinking about skills and capabilities that can be supported by next-generation technology infrastructure.

What will it mean in the near future, when machines that use artificial intelligence act more like humans, and blockchain-enabled payments mean organizations may not even know who—or what—is performing specific functions? How will changes in how we perceive digital identity and trust inform the way we manage, compensate, and, perhaps most importantly, secure our workers and workplaces?

Today’s reality is that exponential technologies are dramatically transforming the world of work, requiring an entirely new cybersecurity mindset. Decision-makers, ranging from enterprises to governments, need to understand the fundamental dynamics of this rapid shift in the world of work and the inevitable impact on cybersecurity. They must also determine the kinds of strategies they can follow to not only mitigate those risks, but also to effectively prepare themselves to leverage a more dynamic and adaptive workforce.

The Basic Building Blocks of Work
To truly understand these changes, it is helpful to think of work as a set of building blocks. Work is fundamentally three things: human skills performing tasks to solve problems.

Whether the problem is a dirty floor or an enterprise requiring a new market strategy, our role as workers in any environment is to solve problems. Humans are trial-and-error machines, and the reason we are paid as workers is to use our skills to solve a broad range of problems.

Yet many of the tasks we perform in our work are repetitive, requiring minimal creativity. Such mundane work uses little of what makes us unique as humans, and, in fact, technologies such as software and robotics can often perform these tasks with better accuracy and precision. Many of these repetitive tasks are also more easily outsourced, performed by workers in other geographies who often accept lower pay for the same activities.

The combination of automation and globalization operates hand-in-hand to allow work to be “unbundled”—split into separate tasks and spread among a combination of remote workers and distributed technologies.

The Impact of Exponential Technologies
All of these fast-paced changes in the world of work would be seismic enough on their own. But they are fueled by the rapid rise of “exponential” technologies.

Inventor and futurist Ray Kurzweil was fascinated by the growth curve of Moore’s Law, the observation by Intel co-founder Gordon Moore that microprocessor price/performance was doubling every 18 to 24 months. Kurzweil realized that this dramatic sequence of the increase in value was actually logarithmic, starting out linearly, but turning into a “hockey stick” of growth over time.

Kurzweil applied this analysis to a range of technologies and found they often progressed along the same kind of exponential curve. In fact, the interaction of these exponential technologies accelerated their individual development even more rapidly. For example, technologies, such as machine learning (often called artificial intelligence, or AI), robotics, high-performance computing, and LIDAR (laser-based radar), all combined to enable a science-fiction-class product known as the self-driving car.

The rapid development and adoption of connected digital technologies has had a seismic impact on a range of industries, in which market leaders had traditionally maintained dominance due to their “bundled” business models—an idea originally suggested by John Hagel, now at Deloitte’s Center for the Edge. For example, leaders in the newspaper industry integrated functions like a physical plant, content creation, content curation, distribution, and ad sales, and that vertically integrated combination provided huge market advantage. Along came the internet, and those formerly integrated components were unbundled, allowing new market players like Google and Facebook to quickly gain tremendous market power through new business models. Media industries became “re-bundled” around online ad marketplaces, leaving only small pieces of the reshaped market pie for incumbents.

In the same way, exponential technologies will continue to unbundle work, breaking apart the traditional construct of a job, and allowing tasks to be performed by constantly changing combinations of local and distributed workers, technology-infused work, and often, work performed by technology. Today, humans drive for Uber, and tomorrow autonomous vehicles will obviate the need for traditional drivers.



As work itself becomes unbundled, the same kinds of mechanisms apply to the re-bundling of work. New kinds of value are being created in the digital work economy, allowing the enterprise to solve external and internal problems in ways that were never before possible. These technology-infused processes provide a broad range of exciting new ways to perform work and to enable dynamic new strategies for channeling human energy.

The Rise of Alternative Work Relationships

For example, unbundled work enables a broad range of work contexts, each of which can bring unique advantages to the enterprise.

In the past, the traditional “one person, one job” approach meant that the enterprise workforce often wasn’t optimized. Workers with a broad range of skills and capabilities were often restricted to performing a limited set of tasks that employed only a subset of their capabilities. A tremendous range of human potential has for a long time been left unrealized, locked into an inflexible, industrial-era model of work, often characterized by repetitive and uncreative tasks.

With this poorly optimized model, enterprises took on substantial costs. Tasks performed by each worker weren’t always distributed efficiently. Even with an increasingly mobile workforce, workers were less likely to be located where new work was needed. And coordination between workers remained far less efficient than it could have been.

Think of this as a huge amount of capability in the enterprise left on the shelf: an unrealized set of assets that rarely reached its potential. Yet, in a world of unbundled work, enterprises are able to distribute work when, where, and how it is most effectively performed—and, most especially, by whom.

This flexibility gives rise to a range of “direct” alternative work arrangements, including part-time temporary, full-time temporary, part-time permanent, piece work, team-allocated work, and gig work. And it allows a range of indirect worker relationships as well, such as problems solved by workers through crowdsourcing, “cloud work,” and prize platforms. These kinds of arrangements serve to “soften the walls” of organizations, allowing a wide variety of workers and business partners to dynamically bind around the problems defined by the enterprise and its customers.

The Blockchain-Enabled Workforce

Suppose a manager determines that her team won’t be able to make a critical customer deadline to deliver new designs for a website. She works with the team to quickly define a set of success characteristics for the project, and posts it to a work marketplace.

A response immediately comes back from the marketplace, from a worksource with a high trust rating. The manager is able to see the worksource’s trust rating sources, and finds that other managers in her company have used this worksource before. The worksource response includes a series of questions about the deliverables. The manager answers these questions, defines a set of preferred project milestones, and offers several payment options. Because the project involves a new product offering, one of these options is an independent coin offering (ICO) that allows the worksource to participate in future income from the product.

Satisfied with the dynamic work agreement, the manager finalizes the contract, which is immediately placed into an open distributed ledger. The manager is able to see all of her existing work contracts, including those of her current team, and to manage the deliverables of the project and compensation for the worksource. And she may not ever know if the worksource is a person, a team, or a piece of software.

Cybersecurity and the Future of Work 77

That’s the world of work on blockchain technology. Now, imagine an entire organization based on these kinds of digital agreements, built on distributed ledgers. Since an organization is already a set of agreements between employer and worker, these “distributed autonomous organizations”—which exist today—provide new ways to incorporate workers into the problem-solving processes of an enterprise.

A Brave New World of Digital Identity

Technologies, such as smart worker contracts, also represent an opportunity to incorporate new identity models.

Open distributed ledgers simultaneously support anonymity, verification, responsibility, and value transfer. Anonymity allows workers to perform work without necessarily becoming deeply integrated into an organization’s enterprise systems. Verification allows the enterprise to confirm the worker’s capabilities and portfolio, and lets the worker confirm that the enterprise is a trustable entity. Responsibility means that the contract has built-in confirmation that the worker has performed the required work and that the enterprise will provide compensation as agreed. Value transfer means that the actual work product is given to the enterprise and the worker gets paid.

The ways in which value is transferred blur the lines between IT and operations, creating both new headaches and new opportunities for the enterprise. Today, most value transfer is calculated and performed on the basis of country-based currencies. But the rise of ICOs built on blockchain-based open ledgers, such as Bitcoin and Ethereum, means that new business relationships—from paying a worker for an hour’s work to buying another company—will be performed using a complex web of digital currencies. Business and IT decision-makers will need to experiment with these value transfer mechanisms to continually determine how they can best meet the needs of the enterprise.

Machine Learning / AI Transforms Work

As we’ve seen, AI and robots don’t take jobs, per se: They perform tasks. But those tasks can add up. As an increasing amount of formerly human tasks are performed by technology, decision-makers—from workgroup managers to chief human resource officers—will need to determine whether the relationship between humans and technology is complementary or competitive. In other words: Is technology an enhancer of human work or a work replacer (see page 82)?

Much of innovation today is focused on automating human work, because the processes and costs associated with existing work are reasonably well known. Whether we’re trying to reduce the costs of a waitress or a warehouse worker, we can currently see the tasks they perform and understand the costs of paying them for those tasks. Automating such tasks with software or robots therefore has the potential to reduce known costs and increase efficiency.

Yet this approach potentially creates a zero-sum mentality, reducing human labor to a set of easily replaced processes. Instead, we have the opportunity to turn the same amount of innovative energy to enhancing human work.

In fact, productivity software is already doing this. There are few accountants today, for example, who can craft a pivot table by hand. That’s what Microsoft Excel is for. Picture an architect using augmented reality glasses that overlay a building with the schematic of its internal infrastructure. Or imagine having an AI learning partner that continually gives you advice on new skills you can develop, and helps you find the right learning opportunities to rapidly hone those capabilities. By focusing on technologies and strategies that enhance human workers, the enterprise workforce gains superpowers that can bring tremendous competitive advantage.

Machine Learning / AI Becomes Work

Inevitably, however, the lines between technology and humans will continue to blur. Beyond the strategic issues for humans and work, enterprise strategists will increasingly have to contend with software performing a range of new tasks and increasingly appearing like humans. In our blockchain-enabled work process, the remote worker is assumed to be a human. But what if it isn’t?

Today these are often called bots; tomorrow they may be AI companions, and the next day they will be AI workers. Software’s ability to emulate the activities and interactions of humans will mean that traditional processes for validating an actor’s humanness—from simple mechanisms like captchas, to complex challenge-response sequences—will become less secure. In some cases, these new software actors will be welcomed and intentionally integrated into workflows. But in other cases, they will be autonomous systems intent on compromising the security of the enterprise. Identifying which is which will become a core enterprise skillset.

In fact, these technology components—from AI applications to robots—will increasingly be seen as having “identity,” with a set of known capabilities and a capacity to make decisions. They will function as part of the “stack” of enterprise technologies, operating with increasing autonomy, and creating greater complexity as the interactions between independent programs generate unpredictable interactions. Enterprises that can anticipate such complexity and create flexible strategies, allowing them to leverage software that becomes increasingly “smarter,” will gain competitive advantage.

Rethinking Hierarchy As the Organization Becomes Unbundled

Our current approach to managing large organizations of workers through a pyramid-based hierarchy actually comes from the Prussian Army, when “moving men and machines” required strict adherence to orders handed down through the ranks. In a time when the leading communications technology was a carrier pigeon, the only way to ensure that messages were accurately transmitted was to demand obedience to a hierarchical command structure.

Yet in an era of ubiquitous communications technologies that instantly span the globe and software that increasingly infuses a range of business processes, organizational hierarchies no longer ensure the greatest use of enterprise resources. Instead, flexible workgroups that dynamically bind around external and internal problems are the greatest human assets the organization can have. Rather than thinking of such a self-organizing enterprise as a hierarchy, picture it instead as a network of networks, with Venn diagrams of workgroups overlapping with each other as they perform the work of the enterprise. In the digital work economy, even the organization itself is becoming unbundled.

Security Ramifications of the Digital Work Economy

In the brave new world of unbundled work, with technology infusing an increasing amount of human activity, a huge mindshift is needed.

The fundamental underpinning of human-based security, digital identity, has a range of new ramifications in the digital work economy. Even though the traditional context of the employee involved a variety of roles in the organization—and therefore a variety of security models—the new range of alternative work relationships means the enterprise security fabric needs better flexibility and greater comprehensiveness than ever before.

What is the range of activities and roles that workers will perform, and how will their access permissions be determined? Who decides when and how a new worker becomes integrated into the enterprise’s information fabric? How will enterprise decision-makers determine the aggregation of access rights across multiple projects and geographies? How will permissions held by workers in flexible arrangements be automatically aged and removed? How will organizations determine whether a worksource, human or otherwise, can be trusted?

These are just a few of the security questions raised by the new world of work. Enterprises that invest in strategies to incorporate these dynamically changing issues will be far better prepared to understand and leverage new work-related technologies.

For example, as dynamic work contracts are built on blockchains, enterprise security strategists need to stay deeply informed about the ways in which digital trust is being transformed. At their best, agreement processes that support the rapid, new creation of solutions and friction-free transfer of payments will provide new opportunities to compete in new markets while maintaining high levels of trust and tracking. At their most challenging, though, blockchain-based work processes will create entirely new risks, opening security holes through which sensitive information and other digital assets can be rapidly compromised.

In fact, these new technologies will fundamentally reshape the enterprise’s understanding of trust, down to a completely granular level. Whether the relationship is as simple as confirming that an email message was truly sent by a particular person, or as involved as a set of complex payment transfers using digital coins, exponential technologies will drive an entirely new approach to trust in the world of work. Enterprise IT and business decision-makers will need to develop a comprehensive understanding of all the contexts of trust that matter, from physical security to digital data access, and for a range of potential stakeholders far broader than ever before.

Strategies for Security in the Digital Work Economy

Solving the security challenges of the digital work economy with dynamic processes and policies means the enterprise can be agile and adaptive. Ignoring them will mean, at best, an inability to integrate problem-solvers into the organization’s process of delivering value to customers, putting the enterprise at a tremendous competitive disadvantage. At worst, it will mean creating a widely expanded attack surface that will add exponential risk to any organization.

Critical capabilities will include:

• A fluid infrastructure for identity: Enterprise identity data models must continually allow for new players and roles to be rapidly defined, provisioned, and distributed. But these roles must also be dynamically managed, with automated oversight and aging.



• A comprehensive infrastructure for defining and managing data: The rate of compound annual data growth is projected to be 40% for the foreseeable future. Data management policies must grow and adapt as enterprise data assets reach breathtaking scale and become increasingly distributed globally. Enterprise security policies must also incorporate the likelihood of changing laws and regulations around the world, as well as the need to manage, secure, and remove data as required.

• A bigger, more comprehensive and strategic role for trust management: Trust management will increasingly become its own arena. The dynamic management of trust and value transfer through open ledger platforms, such as blockchain, will become commonplace. The ability to understand, design, and implement complex trust interactions between enterprises will be a core enterprise skillset.

• Tight, seamless integration between cybersecurity and business operations: As the ways in which value is transferred blur the lines between IT and operations, decision-makers within technology, cybersecurity, and business will need to work in concert to manage the organization’s digital value assets. Experiment with paying for and selling products and services through micro-ICOs to practice with new forms of value transfer. This will empower the enterprise to become adept at managing a portfolio of digital assets.

Conclusion

The transition to a digital work economy is not only inevitable, it’s already here. The urgency is real. Enterprise IT and business leaders must understand the dramatic shift in the very nature of the workforce, or face inevitable disruption. Those who ignore it will find themselves left behind in the race to leverage new technologies transforming where, when, and how we work.

Yet, in this transition, enterprise decision-makers are being offered a set of opportunities that can create a broad range of competitive advantage. As the world of work changes dramatically, enterprise leaders will find that managing a dynamic, fluid, and all-encompassing security function can unleash a huge amount of economic value, giving the enterprise the ability to rapidly take advantage of new business opportunities fueled by exponential technologies.



WORK IS CHANNELLING HUMAN ENERGY

One caution to enterprise decision-makers: The transition to a digital work economy brings with it an important responsibility. At its most fundamental, work is the channelling of human energy. Yet as technology has the capability of automating an increasing percentage of human work tasks, enterprise decision-makers intent on reducing labor costs have a critical decision to make. This conundrum is reflected in a simple question:

If you could automate every single task in the enterprise and replace every single human, would you?

This is not an idle question. Much of the public concern about the future of work focuses on the potential for robots and software to replace a huge percentage of tasks formerly performed by humans. Yet thinking only in terms of reducing the costs of human labor fundamentally misses the point.

Rather than thinking of work as a cost center, enterprise leaders need to see the incredible opportunities that can be created for workers who are freed from mundane tasks to pursue new ways to create value for the enterprise and its customers. Unlocking opportunities for expanding the human potential to solve problems will be a critical skillset for the dynamic enterprise.



12
The Ethics of Technology and the Future of Humanity
Gerd Leonhard – Author; Executive “Future Trainer;” Strategist; Chief Executive Officer, The Futures Agency

The Next 20 Years Will Bring More Change Than the Previous 300

If this statement sounds somewhat preposterous, please keep in mind that we are now crossing a crucial threshold that was previously unthinkable. Technology is no longer simply changing our environment, i.e., what is around or outside us, or what hardware we use. No more is it just a tool. Technology is well on its way to becoming a creative force—and a thinking machine, as well.

Technology is now gearing up to go inside us, thereby changing who we are and rapidly redefining what it means to be human. All this, as some of my fellow futurists are fond of saying, to allow us to “transcend the limitations of humanity.”

If intelligent machines are to perform our routine work for us, we will have to train them, teach them, connect them to us—in effect making digital copies of ourselves, cloning our knowledge (and possibly some of our unique human intelligences) in the cloud. This will alter us; and it will alter our view of what we are and what we could be, as well as what the machines are. And this is only the first step. Try to imagine:

• Nanobots in your bloodstream monitoring and even regulating cholesterol levels.
• Augmented virtual or mixed reality devices that look like regular eyeglasses or even contact lenses, giving you ready access to the world’s knowledge, at the blink of an eye.
• The ability to connect your neocortex directly to the internet and transform thoughts into action or record what you think.
• Developing a relationship with your digital assistant or robot because it seems so real, so very human.

None of this is as far away as you may think, and the societal, cultural, human, and ethical implications will be mind-boggling. Clearly we must prepare for this challenge today, or we will find ourselves ill-equipped to handle these new realities. If we are not able to clearly define and articulate an agreed-upon set of Digital Age ethics, we run the risk that unfettered technology expansion will not only be dangerous, it will also cause us to question the very nature of our existence: What is it that makes us human?

Defining Ethics

Before we venture further into why ethics in technology is critical to our future, first let us attempt to define what ethics is. Riffing off the late U.S. Supreme Court judge Potter Stewart, I propose this as a working definition:

Ethics is knowing the difference between what you have a right or the power to do and what is the right thing to do.

If we accept this definition and apply it to what is coming in the next 10 years, we can quickly see a serious challenge emerging.

The Future Is Exponential, Convergent, and Combinatorial—and So Are the Resulting Ethical Challenges

Right now, we are at the take-off point of exponential progress. Henceforth, change is no longer gradual but sudden, in almost all scientific and technological progress—such as quantum/3D computing, nanotechnology, biotechnology, cloud computing, hyper-connectivity and the Internet of Things (IoT), AI, geoengineering, solar energy, 3D printing, autonomous vehicles, and pretty much everything else.

What’s more, most of these exponential technologies are dual-use—meaning they can be harnessed for incredible, positive innovations as well as for evil purposes. As William Gibson, the science fiction writer widely credited with pioneering cyberpunk, likes to say, “Technology is morally neutral until we apply it.”

Let’s imagine the world a mere 10 years from now—some 50 to 100 times more advanced—a world where most science fiction has become science fact. It is likely to be a world where literally everyone and everything around us is connected, observed, recorded, measured, and tracked. I estimate there will be something like one trillion devices on the IoT by then, where IA (intelligence augmentation) has truly become AI (artificial intelligence), and where at least 80 percent of the 10 billion earthlings are connected at high speeds, on cheap devices, wearables, and via digital assistants and robots that we can communicate with, as if we are speaking to a good friend. Add genetic engineering and the rapid convergence of technology and biology to this equation, and the sky is the limit—literally—in terms of possibilities (see page 89).

Exponential thinking, therefore, becomes mission-critical, both to realize opportunities and to foresee and address the consequential ethical challenges and moral quandaries.

A Perfect Storm of Combinatorial Forces

Even more important, the true challenge to humanity lies in the fact that while all these technologies are unfolding exponentially, they are also causing traditionally unrelated industries (and the sciences underneath them) to converge. These so-called megashifts, such as datafication, cognification, automation, and virtualization (see megashifts.com) are already combining with each other to create entirely new possibilities and challenges.

These convergent and combinatorial forces will soon create a perfect storm of immense progress and enormous challenges that transcend the realms of technology and business by impacting society, culture, and humanity as a whole.

Get Ready for the Next Generation of Unicorns

Looking back at the warp-drive success of the unicorns of the past seven years (i.e., those companies that were or are privately valued at over $1 billion, pre-IPO, such as Uber, Xiaomi, Palantir, Airbnb, and Spotify), we can already see examples of the exponential-combinatorial-convergent story. And this is just the beginning.

For instance, Spotify’s business model became feasible only because of exponential and combinatorial technological change: Streaming 20 million songs to 150 million users is now doable, thanks to the fact that we finally have cheap yet powerful smartphones connected to fast mobile networks. In addition, we now have new ways of paying online, AI/algorithms that create playlists, and last but not least, sufficient market pressure on the record companies to provide the licenses. It is quite revealing to note in this context that Spotify is no longer really in the business of “selling music.” Rather, it sells convenience, intelligence, interface, and curation—the result of a convergent and exponential outlook on the future, something that apparently is always reserved for industry outsiders.

Airbnb makes for another great example. It boasts a vast, global database of users’ short-term rental listings, with mobile devices as the primary use case. It employs intelligent rating and pricing technology (AI once more, if you will), has social media built into the system, offers digital payment options, and has been propelled by the rise of the sharing economy. Put all this together, and you have warp-drive growth.

While these tech innovations are all mostly positive developments that often enrich our lives, we must brace ourselves for what is about to come: new superstar, exponential, unicorn organizations that combine AI and biotechnology—thus achieving the complete convergence of technology and biology—or fuse AI, nanotechnology, and the material sciences.

Understanding the Urgency to Construct Ethical Frameworks

However, the prospect of such exponential growth puts us on the horns of another dilemma. We must now urgently construct ethical frameworks that will keep up with this furious pace. Without these ethical frameworks in place, unfettered and thereby socially destructive growth will become increasingly toxic and disastrous. Clearly we must prepare for this challenge today, or we will find ourselves ill-equipped to handle these new realities. Business ought to take a lead on this, and so must savvy politicians and public officials. Whoever is the thought leader in these thorny issues will be more influential than Warren Buffett has been in matters of investing.

Donald Ripley in the 1995 movie Powder: “It has become appallingly clear that our technology has surpassed our humanity.”

Every Extension Is Also an Amputation—but What Should We Not Amputate?

Marshall McLuhan talked about this in his landmark 2001 book Understanding Media, and it rings even more true in the present day: Every technological extension of ourselves is also an amputation of another part of us (or another extension). If we continue to have closer relationships with our screens than we have with other people, if we will indeed “transcend human limitations” by spending our lives in augmented or virtual spaces, or if we are to connect our neural networks directly with an AI in the cloud, then we will certainly lose—i.e., amputate—many things that make us human. I firmly believe this is a consequence we must reckon with.

We stand to lose human elements, such as emotions (which can be emulated by but are fundamentally incomprehensible to computers); imperfections (smart machines won’t tolerate errors); surprises and serendipity (machines don’t enjoy them), and mysteries (machines hate them).

Figure: Emotions, intuition, creativity, compassion, imagination, mystery, ethics, values, empathy, consciousness.

Generally, it would become nearly impossible to retain what I call “the androrithms,” all the things that actually make us human. We might end up extended in many different ways, but also our basic human expressions could end up amputated. We’d be extremely intelligent, but totally dehumanized. That strikes me as a bad idea.

Who will decide what we can safely amputate—such as, maybe, the ability to read maps or drive a car ourselves? Who will define the limits of when we will no longer be human? Who is mission control for humanity?

Getting an Ethics Upgrade—From If and When to Why and Who

The bottom line is that we are now moving to an entirely different era as far as technology is concerned. Sometime in the next five to 10 years, it will no longer be about if we can do something, i.e., technical feasibility, cost or time, can something be done, will it actually work, how expensive will it be, and how will it make money? Rather, it will be about why we are doing it (context, purpose, values, goals) and who is doing it (control, security, governance, power). In other words, it will be about ethics, ultimately. This is a crucial shift in society, brought about by exponential, convergent, and combinatorial change.

Are you ready to shift from an emphasis on science and technical feasibility to an emphasis on meaning, purpose, and human governance?

What Does Digital Ethics Have to Do With Security? The Digital Ethics Moonshot

In my opinion, technological security can only be as good as the moral, ethical, and political frameworks that surround and define it. The most advanced security technology will be useless if those who hold the key and those who use it act unethically, with evil intent, or with great negligence. In fact, the very same technology that is employed to protect consumers and users can be used to spy on them. Some of the most potentially beneficial technologies, such as the IoT, can be used to form the biggest and most powerful Panopticon ever constructed.

It will therefore not be enough to simply improve technological firepower as the world gears up for exponential technological growth; we must also redesign and embolden our ethical frameworks. We have to reach a global agreement on what is good for humanity, at large, and what is clearly not—and, also, how we would enforce such tenets.

In many ways, this task might even be harder than the technological challenges ahead of us. In any case, I would propose to add this “ethical moonshot” to the cybersecurity moonshot that Mark McLaughlin talks about in his chapter.

Ethics in Technology, aka Digital Ethics, Will Very Quickly Become the No. 1 Issue in This Industry

Defining ethical standards on a global scale is not easy. It may even be impossible if we attempt to address very detailed convictions, i.e., values and beliefs that are particular to specific societies, countries, regions, or religions. But if we stay at the very top level, on a global scale, I believe we can indeed define some crucial ethical standards for humans. The key will be to focus on HUMANITY, and to act with what ancient Greeks called phronesis (practical wisdom) in order to ensure that all technological progress results in collective human flourishing—which is the underlying paradigm we need to adopt.

On the topic of religion and ethics, Albert Einstein (a big source of inspiration for me) repeatedly set forth that morality does not require a divine source. Rather, morality (yet another term to describe something like ethics) is a purely natural and human creation; it is simply a part of being human. The Dalai Lama wrote an entire book on his belief that ethics is more important than religion. Take note.

Meta-level ethics would, for example, assume that pretty much everybody wants to remain human, retain human qualities, and enjoy basic human rights, such as the right to free will, free decision-making, and choice (notwithstanding the few but also very noisy transhumanists and extreme singularitarians who seem overly keen on becoming cyborgs or robots as soon as possible).

Who would enjoy having their digital (or real) identity stolen, or their DNA used to program a super-soldier halfway around the world? Does anybody want his or her data and information out in the public sphere? Everybody enjoys the ability to have mystery, secrets, mistakes, and privacy in their lives.

For Your Consideration: An Ethics Framework for the Digital Age

These are the kinds of general digital ethics principles that could be the framework for a global “ethics in technology” manifesto—a kind of digital human rights declaration. In fact, I suggest five core human rights that could form the basis of a future digital ethics manifesto:

1. The right to remain natural, i.e., biological. We need to retain the right to be employed, use public services, buy things, and function in society without a requirement to deploy technology on or inside our bodies.

2. The right to be inefficient if and where it defines our basic humanness. We must have the choice to be slower than technology and not make efficiency more important than humanity.

The Ethics of Technology and the Future of Humanity 87


3. The right to disconnect. We must retain the right to switch off connectivity, go dark on the network, and pause communications, tracking, and monitoring.

4. The right to be anonymous. In our coming hyperconnected world, we should still have the option of not being identified and tracked, such as when using a digital application or platform, when it doesn’t pose a risk to or impose upon others.

5. The right to employ or involve people instead of machines. We should not allow companies or employers to be disadvantaged if they choose to use people instead of machines—even if it’s more expensive and less efficient.

Conclusion

What are we without ethics? Can we still assert and own our humanity, particularly as we barrel headlong toward a future in which technology will give us the ability to blur the lines between what is human and what is machine? Just because we can do it, should we do it? And if we do, how will we define what is the right way to do it?

I believe we urgently need to tackle this challenge because the future could be heaven, or it could be hell (I call this ‘HellVen’), depending on the decisions we make today. Technology does not have ethics, but societies depend on them. Let us remind ourselves that civilizations are driven by their technologies and defined by their humanity. Technology is not what we seek, but how we seek.

88 How Work Requirements and Ethical Responsibilities Come Together


A BRIEF HISTORY OF THE NEXT DECADE BY GERD LEONHARD

2020: The world is becoming hyperconnected, automated, and uber-smart—and everyone benefits. Six billion people are “always on,” around the planet, each of us seeing different information and content all the time. We interact with platforms via augmented reality, virtual reality, holographic screens, or via intelligent digital assistants (IDAs).

2022: Our own digital egos have moved to the cloud and are developing a life of their own. Swarms of IDAs and software bots live in the cloud and take care of routine tasks. No more searching for restaurants or hotels; no more updating the doctor on what’s wrong. Our bots know us and our desires, and they communicate infinitely better than we can by typing questions into a computer.

2024: Goodbye privacy and anonymity. We are constantly connected to machines, and they are getting better and better at reading our minds. Technology has become so fast, powerful, and pervasive that we cannot avoid being tracked, observed, recorded, and monitored—ever.

2026: Automation is widespread, and social norms are being rewritten. Gone are the days when routine tasks—whether blue collar, white collar, manual, or cognitive—are done by humans. Machines have learned how to understand language, images, emotions, and beliefs. Machines can also speak, write, draw, and simulate human emotions. Machines cannot be, but they can think.

2028: Free will and free choice are only for the privileged. Our lives have become tracked, guided, and curated. Because everything we do, say, see—and increasingly, feel and think—can be tracked and measured, we see a waning in the importance of free will. We can no longer easily divert from what the system thinks is best for us, because everything is observed. This makes for healthier and more responsible lives, lowers the costs of medical care, and makes near-perfect security possible. Yet, many of us are unsure whether this is heaven or hell.

2030: 90 is the new 60. Because we have analyzed the DNA of billions of connected humans via cloud biology and quantum computing, we can now determine with great certainty which exact gene is responsible for triggering which exact disease. In another five years or so, we will be able to prevent cancer. Longevity has exploded, completely changing our social systems, as well.


PART 2
Lessons From Today’s World
Part 2 — Introductions
13
If You’re Not Collaborating With
Colleagues and Competitors on
Cyber Threat Intelligence, Beware:
The Bad Guys Are Way Ahead of You
Sherri Ramsay — Cybersecurity Consultant; Former Director of the U.S. National
Security Agency / Central Security Service Threat Operations Center

I worked at the U.S. National Security Agency for 33 years, during the time when we first saw just how big a target the Department of Defense and the rest of the federal government was for hackers and bad actors all over the world. During those years, I learned firsthand about many of the problems those in private-sector leadership are now struggling with in their attempts to protect their digital domains. And I learned about the value of sharing threat intelligence information when it came to protecting our networks and our data.

The other lesson I learned is one I want to emphasize throughout this chapter—an organization’s success in cybersecurity depends as much on leadership as it does on technology. Maybe more.

Specifically, I learned that cybersecurity requires leadership—whether you’re a CIO in a three-letter government agency or a CEO of a global conglomerate. And this leadership means having the confidence, the boldness, and, sometimes, the sheer audacity to share! Sharing tips, vulnerabilities, mitigations, and winning strategies with those outside your organization. Even with your competitors.

Why? Because it’s what the bad guys are doing to us, every minute of every hour of every day.

Every day, our computers and networks are being attacked. It takes attackers only minutes to compromise a system, and most of the time, they are able to exfiltrate our data within days, sometimes hours. And when we realize what has happened, often much later and sometimes only when notified by an external party, such as law enforcement, we wonder what went wrong, whether it will happen to us again, and how we could have prevented it. We operate in independent stovepipes, defending ourselves as if each of us were on our own island. The bad guys, the attackers, watch us as we struggle to understand and characterize the attacks.

They watch us. And then they come at us again.
The attackers meet in the dark corners of the internet to share exploits, vulnerabilities, exploitation infrastructure, and whatever other information might be helpful to those looking to attack our networks for nefarious purposes. To date, we have talked about information sharing, but we have not yet done nearly enough to dramatically move the needle in our favor.

If the bad guys are collaborating, why aren’t the good guys? Why do we continue to live with this disadvantage? Are we waiting for a solution to fall in our laps?

How and Why Bad Actors Are Sharing Insights About Your Security

The harsh reality is that there is extensive collaboration among the cyber bad guys; there are few lone wolves. This extends across the entire spectrum of bad actors—nation-states, criminals, hacktivists, and terrorists. Even a single hacker is not really alone.

Why do they collaborate? Why do they share? The answer is simple. It saves them time and it saves them money. According to Etay Maor, Senior Strategist at IBM, “Information sharing is a given on the dark side of the net.” That’s a big reason the average cost of conducting an attack is decreasing and attacks are spreading across networks at a faster pace, year after year.

Much of the information the bad guys share is easily accessed without them doing anything special. For example, they simply use a search engine to locate spreadsheets with the word “password” in them to get the default password lists for numerous devices of interest.

Bad guys also exploit one of our biggest weaknesses: human error. Information is available on the internet that may have been posted by mistake or by someone who had no idea that the information would be useful for a nefarious purpose. And there is also a significant amount of information that has been stolen or compromised and then posted on websites that present themselves as legitimate but often are created for the sole purpose of sharing stolen information with others.

There are forums created and used by the bad guys. Some have benign names like “security research forum.” They promote these forums as legitimate entities, even displaying ads to cover costs or to actually make money. These forums are used to share all kinds of information that is helpful to the bad guys. They also provide anonymity for their users. This is teamwork.

The Dark Web, by design, provides anonymity for users and is facilitating a thriving underground for the bad guys. Here, everything that a person needs to break into your networks is available for an astonishingly low cost. How low? Worms can be purchased as cheaply as $10, key loggers for $20, known ransomware for $30–$50. Furthermore, the entire exploitation/attack can now be easily outsourced, from the development of the malware to its distribution and even the conduct of the operations.

And these bad guys are coming after your networks and your data.

Why Organizations Don’t Share This Information—and How It Impacts Cybersecurity

Throughout history, we have used strategic alliances to defeat our enemies and to solve our most pressing problems, from minimizing geopolitical conflict to stabilizing financial markets and tackling world hunger. Some say that the true measure of a great civilization is its ability to work together to solve difficult, seemingly intractable problems. Certainly, cybersecurity appears to meet this criterion.

But allying with others is in depressingly sharp contrast with how we are
addressing cybersecurity today. Information about “near-misses” and successful attacks is a closely guarded secret. Organizations rarely share this critical information, collaborate on damage control, or provide early warning to other organizations that may be at risk. It’s a losing strategy.

Why do we continue to live with this disadvantage? There are three reasons organizations have been hesitant to participate in meaningful information-sharing initiatives.

• Many of the sharing mechanisms today are associated with federal or state government, and enterprises are concerned that sharing information with the government will lead to increased regulation and oversight. Companies are concerned about the perception of being “in bed” with the government, which might affect their global market opportunities.

• In the private sector, corporations feel that disclosure may prompt criminal or civil lawsuits. Remember all the legal brouhaha over the Y2K threat and companies’ worries over legal exposure?

• Maybe the most important reason for not sharing is concern over market and reputational risk. Even a problem caused by a technical glitch or human error implies data or IT infrastructure problems or poor management. An actual attack just creates additional uncertainty.

Unfortunately, we are failing. Every new cybersecurity headline serves as a warning that no organization is immune from these attacks. Each new breach seems worse than the last. Everything, from our business communications to medical equipment to the cars we drive, is vulnerable. Fighting against network intrusions in disconnected silos and relying upon traditional enterprise security technologies and techniques has gone as far as it can go, and it is not good enough.

Breaking this cycle will require a fundamental shift in thinking. It will require leadership. Just as we evolved from the early days of perimeter defense to today’s focus on intelligence, detection, and response, we must move from an individualistic model to one of collaborative “connective defense.” We can only make true progress once we share our relevant information, pool our expertise, and connect our responses.

Or we’d better get ready to suffer the consequences.

Getting in Front of the Problem With a “Crowdsourced” Mindset

In building a collaborative connective-defense cybersecurity model, we can take a lesson from the concept of crowdsourcing.

Crowdsourcing, according to Merriam-Webster, is the practice of obtaining needed services, ideas, or content by soliciting contributions from a large group of people, especially from the online community.

Crowdsourcing has certainly enhanced our travel by car. Not too long ago, we followed the directions provided to us by our GPS devices, unaware of road hazards, accidents, etc., along our routes. Now with crowdsourced information input into our GPS applications in real time, we are aware of these incidents and can take action to avoid them. In fact, the applications provide an alternative route. We are empowered as drivers because we have useful information and mitigations in real time.

Adopting a crowdsourced mindset is a great strategy for fortifying our collective cybersecurity defenses. Because cybersecurity is now everyone’s problem, every-
one can become part of the solution. We will need strong leadership to move in the direction of sharing relevant information and sharing it quickly.

With its long history as a prime target for cyber criminals and threats, the U.S. government recognized early on that collaboration and information sharing can make a difference in cybersecurity.

In 1998 the federal government asked each critical infrastructure sector to establish an Information Sharing and Analysis Center (ISAC). These groups were created to help critical infrastructure owners and operators protect their facilities, personnel, and customers from cyber and physical security threats and other hazards. ISACs provide a central resource for gathering and sharing information on cyber threats and network defense best practices. They are a starting point for crowdsourcing a connective defense.

The Comprehensive National Cybersecurity Initiative (CNCI) was initiated in January 2008 by President George W. Bush, and was a significant policy development, especially given the understanding of the cybersecurity environment at the time. CNCI proposed to establish a frontline of defense against immediate cyber threats by creating and enhancing shared situational awareness of network vulnerabilities, threats, and events. CNCI advocated for making cybersecurity more collaborative and efficient within the federal government; it did so by establishing more empowered cyber centers and extending that expertise to the entire governmental sector by enabling teamwork across state, local, and tribal governments. The initiative remains one of the strongest examples of dedicated government leadership achieving a whole-of-nation approach to tackling shared cybersecurity challenges.

A potentially big roadblock to promoting collaboration in the private sector—fear of running afoul of federal laws and regulations—was mitigated by the passage of The Cybersecurity Act of 2015. This important legislation encourages private organizations to voluntarily share cyber threat indicators and defensive measures without fear of legal liability, public exposure, or antitrust complications. The act not only provides protection for companies that share information with the federal government, but also for companies that exchange cyber incident information with each other, whether or not the government is involved. For CEOs and CISOs, the most significant benefit of this law is that it empowers members of the private sector to begin collaborating with each other on cyber incidents. The private sector can take advantage of this opportunity, redefine information sharing, and create a framework for collaboration that serves its needs.

There are many powerful examples of this new spirit of openness and sharing in the private sector. One demonstration of this is the Columbus Collaboratory, an Ohio-centered consortium of private-sector companies across different industries—from healthcare and financial services to energy and consumer goods. Columbus Collaboratory is committed to using sophisticated analytics, artificial intelligence, and machine learning on a collaborative basis to identify and overcome cybersecurity threats.

Another illustration of how bold leaders have put aside the emotional turmoil of working with competitors is the Cyber Threat Alliance. Look at their roster, and you’ll immediately see the participants are often direct competitors. But however fiercely they may compete in the market, all their CEOs ultimately understand the value in jointly being part of the solution.
TruSTAR, the organization where I act as an advisor, is another great example of how adopting a collaborative, crowdsourced model really pays dividends. At TruSTAR, a threat intelligence platform helps organizations—many of which are direct competitors—share information about threats and solutions in order to overcome the organized malevolence promoted by cybercriminals.

I believe it is this crowdsourcing approach to cybersecurity that is a model not only of what can work, but also of what has to happen with far more frequency if we are to beat the bad guys and keep our networks secure and our data safe. And that will take the leadership, confidence, and boldness of those business executives and board members reading this book. We cannot afford to do any less.

Building a Connective Defense to Share Cybersecurity Information

These efforts demonstrate the benefits of working as a team to defend ourselves against the growing number of attacks against both government and the private sector. This cannot be a feel-good exercise to make us feel warm and fuzzy about teamwork. This is a pragmatic, hard-headed, enlightened approach, accomplished by pooling resources and getting better insight into threats and defenses.

If we don’t do this, adversaries will always have the upper hand, and we will continue to endlessly spend money, but never be able to win the battle.

Unfortunately, mention the word “sharing” when it comes to cybersecurity, and many corporate leaders start twitching. But we must take the emotion out of this issue by appreciating the many benefits of crowdsourcing to create a “connective defense.”

What are the requirements of connective defense?

• It must preserve privacy. Collaboration on cybersecurity should not cost participants the trust of their clients.

• Participation in it must deliver real value to the individual contributors. It is not sufficient to create an exchange where sharing is one-directional. Members must be incentivized to participate in a timely exchange of actionable data.

• The member connections must be fluid. We cannot limit ourselves by allowing existing personal or industry relationships to define our sharing paradigm. We need to have dynamic connections, driven by the targets of an attack campaign and composed of those in the network who want to contribute to timely active defense.

• The system has to be transparent and trustworthy. There cannot be any doubt about the motivations of contributors or the operators of the system itself. There must be transparency around how members are vetted and admitted and how the data is used and protected.

Keep in mind another important issue: What information is being shared? When we talk about sharing intelligence, some ill-informed people may reflexively interpret that as proprietary and private information. But the information that needs to be shared isn’t personally identifiable information, health insurance data, context-specific content, or intellectual property. It is information that will identify an attacker in the network and mitigate the attack.

This connective defense by enterprises working together will help all of us detect,
investigate, and mitigate emerging threats far more quickly than we ever could working alone.

In doing so, we are taking a page—in fact, the most strategic page—from the cyber attackers’ go-to-market plan. We can finally close the gap with our adversaries and change the discussion from embarrassing failures to inspiring successes.

Isn’t it about time?

Summary

Let me be very clear about this: The old model for cybersecurity no longer works. It’s broken, and it can’t be fixed. We must work together like the bad guys do—only better.

Keeping an incident quiet or sharing only among a few friends potentially exposes others to the same attack, which is a fundamental breach of fiduciary responsibility, whether you’re a CEO, board member, CISO, or government official.

A true exchange—a connective defense—will give our organizations the best opportunity not only to defend our digital infrastructure against attacks, but it also will enable others to understand the threat landscape and help all of us.

Sharing is best if it is voluntary, not under a government-reporting requirement. An exchange will add value and will enable real-time correlation and mitigation for all participants. Let’s learn from government agencies’ experience in plotting our paths; those of us who worked in the government’s cyber centers know that this collaboration model can and does work.

The technology is advancing, the legal climate is changing, and the opportunity for us, the good guys, to gain the higher ground is here. The lack of effective collaboration among organizations in both the public and private sectors is our Achilles’ heel. The bad guys will continue to exploit it as long as we let them.

Let’s fix this problem!
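Two points in this chapter deserve a concrete form: that what gets shared is an indicator which identifies an attacker rather than personally identifiable information, and that an exchange pays off through real-time correlation against each member’s own logs. The Python below is an added illustration, not code from this chapter, from TruSTAR, or from any ISAC. It defines a minimal indicator record, refuses to share malformed ones, strips PII fields and e-mail addresses from the context before the record leaves the organization, and correlates indicators received from partners against local proxy and EDR log lines. Every IP address, domain, hash, and log line is constructed for the example, and the field names, the PII field list, and the TLP marking are assumptions rather than any real exchange’s schema.

```python
"""Minimal connective-defense exchange: share indicators, not PII, and
correlate what partners send against your own logs.

Added example for illustration only; not code from the chapter, from
TruSTAR, or from any ISAC. Every indicator, host name, hash and log line
below is constructed, and the field names are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field

# Context fields a partner never needs in order to block an attacker.
# Assumed policy for this example, not any real exchange's schema.
PII_FIELDS = {"victim_name", "employee_email", "customer_id", "ssn", "patient_id"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Indicator:
    kind: str                 # "ipv4", "domain" or "sha256"
    value: str
    tlp: str = "AMBER"        # Traffic Light Protocol marking chosen by the sharer
    context: dict = field(default_factory=dict)


def validate(ind: Indicator) -> None:
    """Reject malformed indicator values before they enter the exchange."""
    v = ind.value.lower()
    if ind.kind == "ipv4":
        ipaddress.IPv4Address(v)          # raises a ValueError subclass on garbage
    elif ind.kind == "domain":
        if not DOMAIN_RE.fullmatch(v):
            raise ValueError(f"bad domain: {ind.value}")
    elif ind.kind == "sha256":
        if not SHA256_RE.fullmatch(v):
            raise ValueError(f"bad sha256: {ind.value}")
    else:
        raise ValueError(f"unknown indicator kind: {ind.kind}")


def is_shareable(ind: Indicator) -> bool:
    """True if the indicator is well formed enough to hand to partners."""
    try:
        validate(ind)
        return True
    except ValueError:
        return False


def sanitize_for_sharing(ind: Indicator) -> Indicator:
    """Copy of the indicator with PII fields dropped and e-mail addresses
    scrubbed from free-text context; raises ValueError if malformed."""
    validate(ind)
    clean = {}
    for key, val in ind.context.items():
        if key in PII_FIELDS:
            continue
        if isinstance(val, str):
            val = EMAIL_RE.sub("[redacted-email]", val)
        clean[key] = val
    return Indicator(ind.kind, ind.value.lower(), ind.tlp, clean)


def correlate(indicators, log_lines):
    """Match received indicators against local log lines.
    Returns (indicator value, 1-based line number) pairs."""
    wanted = {"ipv4": set(), "domain": set(), "sha256": set()}
    for ind in indicators:
        wanted[ind.kind].add(ind.value.lower())
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        hits += [(ip, n) for ip in IPV4_RE.findall(low) if ip in wanted["ipv4"]]
        hits += [(h, n) for h in SHA256_RE.findall(low) if h in wanted["sha256"]]
        for dom in wanted["domain"]:
            # match the domain or any subdomain of it, not a longer unrelated name
            if re.search(r"(?<![\w-])" + re.escape(dom) + r"(?![\w.-])", low):
                hits.append((dom, n))
    return hits


# Constructed sample of what a partner sends after an intrusion (not real IOCs).
RECEIVED = [
    Indicator("ipv4", "203.0.113.45", context={"seen": "C2 beacon on TCP/443"}),
    Indicator("domain", "update-check.example.net", context={"seen": "staging host"}),
    Indicator("sha256", "0123456789abcdef" * 4, context={"seen": "dropper"}),
]

# Constructed local log lines in a proxy/EDR style.
LOCAL_LOGS = [
    "2018-05-01T10:02:11Z proxy allow src=10.1.4.22 dst=203.0.113.45:443 host=cdn.update-check.example.net",
    "2018-05-01T10:02:12Z edr process=svchost.exe sha256=" + "0123456789abcdef" * 4,
    "2018-05-01T10:03:00Z proxy allow src=10.1.4.23 dst=198.51.100.7:80 host=www.example.org",
]

if __name__ == "__main__":
    outgoing = Indicator("ipv4", "203.0.113.45",
                         context={"victim_name": "J. Doe",
                                  "seen": "reported by ops@corp.example, beacon every 60s"})
    print("share:", sanitize_for_sharing(outgoing))
    print("hits:", correlate(RECEIVED, LOCAL_LOGS))
```

The outgoing record keeps what a partner can act on (the address, the kind, the marking, the observed behaviour) and drops the victim’s name and the reporter’s e-mail, which is the privacy requirement from the list above made mechanical. On the receiving side, the domain match deliberately catches subdomains of a shared domain while ignoring a longer unrelated name, and hashes and addresses are matched as whole tokens so that a partial overlap does not produce a false hit.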



14
Compliance Is Not a Cybersecurity Strategy
Ryan Gillis — Vice President for Cybersecurity Strategy and Global Policy,
Palo Alto Networks
Mark Gosling — Vice President, Internal Audit, Palo Alto Networks

In many boardrooms around the world, members are receiving serious presentations from their chief information security officers about the status of their efforts against a whole host of security and privacy regulatory mandates that have increasingly significant potential fines. Board members are undoubtedly taking their governance responsibilities seriously and are likely asking tough questions to determine how big of a regulatory risk their organizations may be facing and if they are on track to demonstrate compliance.

But while compliance is important, it should not overshadow the board’s focus on the greater issue of managing cybersecurity risk.

Clearly, this is not an either/or scenario between risk and compliance. Organizations and their boards need to pay strict attention to both issues. The most successful organizations are the ones that understand the tight relationship between the two, even in the face of mounting cyber threats, and act accordingly regarding budgets, manpower, and executive focus.

Compliance and security are not mutually exclusive; far from it, in fact. Ideally, compliance can document and provide metrics that reflect an organization’s cybersecurity risk management approach. If you take the necessary steps to safeguard your most critical data across your networks, cloud environment(s), and endpoints, and regularly train your employees to practice good security hygiene, your organization will be well-positioned for compliance. That’s why it’s important to remember that, in an ideal scenario, compliance is a floor for your organization’s cybersecurity efforts, not a ceiling.

As important as it is for organizations to demonstrate compliance with regulatory mandates, it’s not the be-all and end-all for executives. And board members should not become distracted by the latest new thing in the regulatory game—nor should they view cybersecurity risk as an insurmountable threat fueled by the latest breach headlines.

Instead, board members should help their organizations focus on the big picture of cybersecurity—reducing risk, increasing business opportunity, and using precious resources wisely and strategically.

Cyber risk discussions now take up more time, energy, and attention for board members. And, with a deluge of infor-
mation about cyber risk and regulatory demands out there, it can be hard to make sense of it all. However, the common goal and focus for all board members, organizations, employees, customers, partners, government agencies, and regulatory bodies should be straightforward: Reduce cyber risk. Reducing cyber risk is too often rooted in either the anecdotal lessons from public breaches or the penalties associated with compliance and legal issues. A sound approach is more about ensuring the long-term vitality, competitiveness, and solid financial footing of the organization—and perhaps using your organization’s security as a competitive differentiator and a mechanism to ensure the trust of your customers.

In an Era of Hyper Compliance, Don’t Get Distracted From the Real Goal

Around the globe, new regulations designed to address digital challenges—from protecting private information to ensuring that critical infrastructure is not compromised—are consuming an increasing amount of attention. Business and technical decision makers, with the support and guidance of their boards, have devoted significant financial and personnel resources to shape these policies, avoid unintended consequences, and demonstrate compliance.

But organizations that focus myopically on regulations, rather than on the bigger issue of cyber risk reduction, are going to be hard-pressed to align their security practices with their core business priorities.

While no one wants to be hit with fines or have to spend hours explaining and negotiating with regulators after a data breach, it is essential for organizations to remain true to their business priorities first. And that’s a critical role played by board members.

Instead of asking, “Did we pass that PCI DSS audit?”, board members should ask questions that emphasize whether critical business goals could be impacted by security problems.

• What types of data exfiltration could include our latest intellectual property?

• How are we ensuring that customer records are not stolen, tampered with, or erased?

• Can we be certain that our email messages with that potential acquisition partner do not appear on the screens of our top competitor?

Let’s also keep in mind that even the best-intentioned compliance mandates can have very real, and very unattractive, consequences if not enveloped by a broader cyber risk reduction framework.

New regulations have the potential to result in confusion, conflict, and inefficiencies that actually may increase cyber risk, not reduce it, by diverting valuable resources from threat detection and prevention toward reporting and accounting. Take, for example, the lessons learned from the implementation of the original U.S. Federal Information Security Management Act of 2002. This regulation required U.S. federal agencies to produce hard-copy binders on the status of the security of their networks, essentially diverting scarce IT and security personnel and resources away from actually securing those networks, in favor of recordkeeping. This is really more of a “checkbox” regulation, rather than a way for organizations’ networks to be truly secure—another example of being compliant, but not necessarily secure.

This is a vital lesson learned for more effectively identifying and implementing common goals in cyber risk reduction and threat prevention among all parties—


boards, executives, customers, trading partners, industry groups, regulators, and governments. That is because being “secure” is not a static end-state that lends itself to inflexible compliance checklists. It requires a constant evaluation of risk, relative to a rapidly evolving cyber threat landscape.

As you read Part 2 of Navigating the Digital Age, we encourage you to pay attention to the words of Verisign Executive Vice President Danny McPherson. Danny has done a great job of putting an exclamation point on this issue:

“…compliance is not—repeat, not—your goal. Or, at least it should not be the key focus of your cybersecurity program. And let me tell you why: Being compliant is not the same as being secure.”

Major Board Implications

Certainly, board members must continue to ask tough questions of all their senior executives, including, but not exclusively, their CISO and CIO. Specifically, board members’ questions on cybersecurity must rapidly swing from, “Are we compliant?” to “What is our risk profile?”

This means that board members need to move from a somewhat passive, detached approach to security oversight to one that is more proactive. Take the results from a recent study conducted by the National Association of Corporate Directors (NACD) about cyber risk. Following were the top four answers board members gave to the question, “Which of the following cyber risk oversight practices has the board performed over the last 12 months?”

• Reviewed the company’s current approach to protecting its most critical data assets (82%)

• Reviewed the technology infrastructure used to protect the company’s most critical data assets (74%)

• Communicated with management about the types of cyber risk information the board requires (70%)

• Reviewed the company’s response plan in the case of a breach (61%)

“Review” and “communicate,” as important as they are, do not go far enough to identify and act on the best ways to reduce cyber risk, especially with a prevention-first strategy. Instead, boards need to become both more intimately knowledgeable in how executives charged with reducing cyber risk are identifying threats before they do damage and in becoming true partners in helping those executives fortify their defense plans.

This also means that board members need to accelerate their own education on cyber risks—both in general and as it specifically pertains to their organization. For instance, in the NACD survey of directors, 73% of respondents said their boards had “some knowledge” of cybersecurity risks. Clearly, in order to fulfill both their fiduciary responsibility as directors and to make good on their requirement to understand and support their executives’ risk prevention, they need to become even more conversant on cyber risks and in identifying the right solution specifically tailored for the unique requirements of their organization.

Whether that means utilizing outside cybersecurity consultants as board advisors, putting a cyber risk specialist on the board, or taking some other steps, is obviously the board’s call. But it’s a call that needs to be made. After all, a study conducted by NASDAQ pointed out that 91% of board members are unable to interpret a cybersecurity report.¹

And that is a big problem.


Board Oversight Questions

To facilitate a more robust and effective strategic plan for reducing cyber risk, board members need to ask a new set of questions designed to provide a deeper understanding of current and potential risk levels and a stronger basis for taking action to protect against current and emerging threats.

• Which people, processes, and technologies are currently being used to defend your network? Your CIO and CISO also must be able to tell you what your organization is already doing about spotting risks before they are weaponized, and where they believe the next attacks are likely to occur. This information needs to be aligned with a thoughtful, open discussion on how, where, and when resources are being deployed against the threat identification and protection processes.

• What additional resources are needed in people, processes, and technologies in order to limit risk? Of course, no one is going to give the CISO a blank check, so ask tough questions to determine where the greatest financial efficiencies can be gained by making smarter—and not necessarily bigger—investments.

• Which threat intelligence services is the organization using, and how are they performing? It’s vitally important to know what demonstrable impact those services are making to help the organization spot risks and protect against them before they pierce its defenses.

• How do our organization’s security training programs need to change to reflect the new realities of cyber risk? Should existing education programs for users, partners, and even customers be modernized, overhauled, or scrapped entirely in favor of approaches that better reflect the coming threats?

• Can your legal and compliance officers identify all existing regulations that apply to cyber and information security, and do they understand which new mandates are under consideration or in development? How will those emerging requirements impact your organization’s threat profile? And, should your representatives become more involved in the process of framing those mandates in order to ensure that they really do help reduce risk and not become just another checkmark on the compliance “to do” list?

• Are representatives from the security team included in every business planning meeting that’s being held? This is an extremely important mindset shift for organizations: Boards need to be in front of this transformation and move from “security as an afterthought” to “secure by design.” This means everything from new product development and supply chain management to marketing programs and customer retention—not just compliance or data governance.

• What is your plan to keep up with the pace of change? Ultimately this is one of the most important questions. By anticipating change, you will be better prepared to understand the impact on your organization, infrastructure, and the associated risks, which will directly affect your ability to safely and quickly adapt to change.

104 Part 2 — Introductions


Conclusion

One of the biggest things board members can do to ensure that their organizations’ cybersecurity resources are deployed in the most effective and efficient manner is to remember that unyielding, relentless attention to aligning cyber risk reduction with business priorities will go a long way toward achieving compliance goals. Board members who help their executives focus on reducing vulnerabilities and properly balancing risk with opportunity will have the biggest impact on their organizations’ successes—but only if they remember that compliance is a byproduct of that effort, not the ultimate goal.

This chapter was adapted from “How Can Board Members Help Turn Cyber Risk Reduction from a Goal into a Reality,” published in January 2018 in NACD Directorship, the official publication of the National Association of Corporate Directors.

1 “Grading global boards of directors on cybersecurity,” Harvard Law School Forum on Corporate Governance and Financial Regulation, 2016



Cybersecurity Awareness,
Understanding, and Leadership
15
Security Transformation
As a Business Imperative
John Scimone — Senior Vice President and Chief Security Officer, Dell

Despite everyone’s best intentions and significant investments in budget, manpower, and corporate attention, organizations in every industry and geographical location are falling behind in the all-out fight to protect their digital assets against cyber threats.

Why? While reasons vary for each organization, a few truths have quickly become self-evident. For instance:

• It takes much, much longer to detect sophisticated intrusions than it does for bad actors to carry them out.

• Hackers can try an indefinite number of times and only need to succeed once; defenders must be successful every hour of every day.

• The sheer volume of detected IT vulnerabilities is multiplying faster than ever—and those are just the ones we can actually detect.

• Businesses are rapidly digitizing their operations, building increased dependence on the same infrastructure that is becoming increasingly vulnerable.

• Hacking tools are more sophisticated and easier to access, and the financial barrier to “market entry” for hackers is dropping.

• The ability to confidently attribute cyberattacks remains elusive, creating an environment where criminality can exist without accountability.

The result: Cyberattacks may be the most prominent “low-risk / high-reward” enterprise in the history of humankind.

Get Ready for Security Transformation

This narrative represents a grave risk to modern businesses and demands aggressive management. Clearly, whatever our organizations are doing is not enough. Not nearly enough. Traditional approaches are not even slowing the advance of cybercrime, never mind actually defeating it. No board member, CEO, or CISO should be willing to accept this status quo.

Instead, business leaders—not just the CISO and CIO—must enter a new era of security transformation. A radical rethinking of security—yes, a transformation—is essential. This approach, by the way, is not overly dependent on cutting-edge security tools, serious financial investments, or recruitment of experienced professionals—although all of those are certainly necessary.

Perhaps what is needed most is for board members and business executives—including CISOs and CIOs, by the way—to move beyond traditional approaches to cybersecurity threats. We must all enthusiastically embrace security transformation rooted in a realistic recognition that cyber threat actors can hit a business with devastating consequence at any moment, 24/7/365, and that this is no longer a black swan risk in terms of likelihood. This compels a level of aggression in attitude and activity that is currently missing from the dialogue.

Security Transformed—Resilience on an Equal Footing With Defense

As much as we are seeking to prevent a cyberattack, we are also preparing for a cyberattack. As you can imagine, there’s a world of difference between the two approaches. A key element in preparing for a cyberattack is the notion of resilience. Of course, every business leader and board member understands that systems, applications, and technology investments don’t deliver any value if they are not available or if the data they contain cannot be trusted. In fact, when systems are down or data integrity is in question, it’s even worse: We lose economic value and business competitiveness because we’re chasing our tails fixing problems, rather than creating value for our customers.

That said, CISOs have historically been charged with ensuring resilience primarily for regulatory compliance and to avoid lawsuits regarding service interruptions. But resilience is much more than simply passing audits or avoiding fines and contract claims for failing to demonstrate compliance. As business leaders, you want your security forces to be fixated with laser-sharp focus on ensuring availability of essential resources in order to avoid problems and assure business success—not simply on “being compliant.”

When considering cyber risk management, we can break it down into three component parts:

1. Threat management
2. Vulnerability management
3. Consequence management

Unfortunately, there really is painfully little we can do on the threat management front. Unless you are part of a law enforcement or related government organization with investigatory and arrest powers, one’s ability to impact the threats on the other end of the keyboard remains limited.

From a vulnerability management perspective, our adoption of pervasive mobility, cloud computing, personal applications, and the exciting world of the Internet of Things all increase our cyberattack surface and associated risk profile. As a result, the number of publicly reported vulnerabilities more than doubled in 2017.1 Now, these are risks well worth taking for most businesses—in fact, the decision to not digitally transform would be a death knell for most businesses today—but we also need to acknowledge that with this shifting business technology footprint comes substantially increased cyber risk.

As a result, the CISO spends much of his or her day focused on vulnerabilities—fixing them, mitigating them, and devising ways to avoid them in the first place. Not surprisingly, this has left scant resources for consequence management.



That’s where a commitment to resilience becomes essential. Recognizing that in the current environment where threat actors and vulnerabilities remain pervasive and uninhibited and are likely to remain so for the foreseeable future, a greater focus and priority must be placed on how to manage the consequences that come during and after an attack. Organizations need to focus on developing the capability to effectively fight through what is increasingly becoming the inevitability of an attack. In order to do this, businesses must focus as much on security-minded business process improvements and continuity planning as on the deployment of additional security tools.

Security Transformed—Custom-Tailored, Risk-Aligned Programs and Investments

Transforming the way security is planned, deployed, and managed must change with the reality that business conditions are constantly evolving, operational initiatives are always in flux, and—especially—the bad guys are forever evolving their own tactics.

Traditional approaches no longer work in an era marked by heavy reliance on digital assets that range from monolithic data centers and traditional applications to the “connected enterprise.” For instance, the legacy approach—which does not necessarily mean it’s been in place for decades, but more refers to an outdated approach—to security has mostly been binary: Either your organization is secure, or it’s not.

But the lessons of past breaches have taught us that security is best measured as a scale of risk. Remember what I said earlier: We’re not trying to completely prevent breaches, but rather anticipate and respond to them so we can effectively reduce their impact to an acceptable level. Since you can’t stop everything in today’s vastly complex and vulnerable technology landscape, you need to establish a clear sense of priorities and invest most meaningfully in both defending and preparing a resilient posture for those areas.

Another transformative way of looking at security is the shift away from standard “best practices.” As comforting as it is for business executives to hear from their CISOs that they have aligned with well-established best practices on security, the harsh reality is that best practices are not actually effective in meeting the risk expectations of most modern enterprises. (If they were, we wouldn’t be reading about the latest breach at a premier corporate brand so frequently.) In addition, the notion of best practices can also obscure the reality that security no longer can be a one-size-fits-all paradigm. CISOs have recognized that security strategy must look and behave differently for every organization, based on its business strategy, risk tolerance, and perceived value of the protected business assets.

Security Transformed—Structure Matters

Business leaders also should evolve their most basic assumptions about how structured security responsibility within the organization must change. Historically, the CISO most often has reported to the CIO or some other senior technical officer. That organizational structure makes sense if you assume that security is a corporate technology initiative rather than a business risk management function. However, remember what IT organizations are going through these days, with practices such as shadow IT, tech-savvy end users firing up their own virtual machines, affordable public cloud services used for business applications, and oceans of unmanaged endpoints, ranging from smartphones to wearable computers. In security transformation, the CISO is best able to defend the organization when he or she is positioned to look across all cyber risk, not just the risks created by the corporate IT organization. Further, beyond simply reactive risk management, CISOs should be leaning forward to focus on digital opportunities, a role best enabled when the CISO is positioned to have visibility across all of an organization’s digital activities and in tight and direct alignment with other business executives.

Security Transformed—Perimeterless Security

Finally, security transformation mandates that cybersecurity defense go far beyond the traditional emphasis on keeping bad guys off the network and away from valuable data. Instead, a more enlightened, business-centric approach to cybersecurity should embrace and account for new digital models, including widespread mobility, cloud platforms, and increased third-party risk factors. This shifts the emphasis away from devices and platforms, and toward the protection and defense of digital identities and the data that is most important to the business.

Some examples of how organizations are embracing security transformation include: the idea that security is not a binary concept and should be measured on a scale of risk; or why security programs should not be driven primarily or exclusively by compliance mandates, but instead should be tailored based on business priorities, such as operational efficiency, brand reputation, or market competitiveness. We should begin to think of cybersecurity not as a component of IT risk, but rather, as a business function that addresses business risk across the entire enterprise. And we should ensure that our cybersecurity programs are following the data and identities that are so key to protect, regardless of where the evolving technology and third-party landscape takes them. In whole though, the most essential aspect of security transformation is fundamentally understanding and accepting that the current approach—level of attention, investment, tools, skills, business process tradeoffs—is woefully inadequate to effectively manage cyber risk, and then having the fortitude and commitment to implement the changes necessary to address this disparity.

Putting It Into Action: Questions Board Members and C-Level Executives Should Ask Their CISOs

If you’re a CEO, COO, CFO, or board member, you need to be proactive and talk with your CISO about what they are doing to transform security protocols and processes. And that does not mean asking which new intrusion detection tool they’ve bought or which advanced persistent threat remediation program they’ve implemented. Instead, your conversations need to focus on ways to turn security transformation from a technical discussion to a business one, and you should seek to understand if the appropriate level of boldness and urgency is present in every aspect of the program.

I encourage you to ask your CISO such questions as:

• What is the likelihood that the breach that just hit Company Y will happen to us?

• If it does happen to us, what is our legal, operational, brand, and compliance exposure?



• How have you transformed our security protocols and practices to move beyond what isn’t working at other peer companies like Y?

• Are you confident our overall business risk tolerance is clearly defined, and is our cybersecurity then properly aligned to it? If not, what do we need to do to achieve that definition and alignment?

• What is the most glaring vulnerability in our cyber defenses today, and what is it likely to be three years from now? What plans are in place to address both of these and against what timeline?

• Does a risk-governance structure exist that clearly defines corporate roles and responsibilities relating to cybersecurity-risk identification and management? Do your business stakeholders understand their roles, and have they effectively operationalized them? Is accountability being introduced where dependent stakeholders are not meeting expectations?

Hopefully, this discussion will demonstrate to you that your CISO understands and is committed to a transformed approach that is appropriate and necessary to support your business.

And, if you don’t like the answers they give you, you should encourage them to reconsider their strategy—radically, if necessary. After all, if they are investing in legacy best practices that are benchmarks in most companies in your industry, your organization is just as likely to be the next victim of a major attack. That’s because the status quo, for most organizations today, is an ineffective posture, as evidenced by the constant stream of public breach notifications. And for a modern business to survive and thrive, it must transform its security posture alongside the broader business and digital transformations that are already underway.

1 CVSS Severity Distribution Over Time, National Vulnerability Database, NIST



16
The Importance of Cybersecurity
Preparation and Leadership
Stephen Moore — Vice President and Chief Security Strategist, Exabeam

If your organization is like most, you probably have an incident response plan designed to help your teams work their way through a cybersecurity attack. It covers the technical and nontechnical steps the organization must take to respond. It has passed the muster of auditors and been reviewed countless times for the purpose of fulfilling regulatory compliance requirements. All in all, you are proud of this document and can point to it and say, “Yes, we are prepared.”

And then a breach happens.

Guess what? You’re not prepared. No matter how much time and effort your teams have put into their incident response plan, there is no way they could possibly foresee and prepare for the massive toll a major data breach will inflict upon your organization and your people.

Through my experiences, I’ve learned what to do if your organization has been breached, and what not to do. I’ve learned about the steps organizations can take to ensure they are better prepared to handle a breach, including some ideas I will share here. Most of all, I’ve done my best to learn what it takes to be a leader and what it takes to inspire confidence and comfort in times of crisis.

On the Frontlines

There’s no way to synthesize everything that happens during a breach, the gravity of it. You might be a mid-level manager and all of a sudden find you are thrust into technical response, and also asked to communicate with senior-level executives, customers, and with people across the entire organization responsible for responding to the breach. Very few are prepared for this drastic change in pressures and responsibilities.

I must make the point that nothing can prepare you for what it is like to be in the vortex of a data breach, especially those of great depth and breadth. I’ll give you one example: Time. Talk to people who’ve never been through a breach, and they’ll tell you that the impact and implications will probably be mostly over in a matter of months. All I can say is, “No way.” It is going to take years for the company to recover; and even then, there are likely to be lingering issues.

A breach will affect every aspect of your business: the retention and attraction of new clients; your personnel and corporate culture; whether people will even want to work at the company; your reputation.

You will likely be dealing with multiple investigations, audits, regulatory groups, the press, and a retooling of your technology infrastructure. Not to mention litigation. All of this will go on for years and will be a huge and constant drain on resources. Going forward, every aspect of the business will be shaped by the breach.

The Human Impact

The toll this will take on your people is something that you can’t measure, anticipate, or really appreciate until you’re actually going through it. The pressure on your people is immense. Most organizations don’t have the depth of management, the training, and the people with the right skill sets to adequately deal with a major breach—both immediately and over the vast span of time the circumstances require.

Even if you have adequate response and communication plans, you need people to execute them. In a breach, a communications funnel gets created and most of the information is communicated through a small group of people leading the investigation. It is up to those people to synthesize the information for the appropriate individuals—whether board members, senior-level executives, auditors, clients, the media, partners, or any other affected parties.

There is an art to this, and most people forced into these roles are not prepared to do them well. They must learn, and learn fast.

Steps to Being Better Prepared

Given the immense challenges and dramatic impact that a cybersecurity event will impose on your organization and its people, how do you prepare for something that is probably beyond any preconceived expectations you may have established? It sounds like an unsolvable riddle, but can you prepare for something that can’t be prepared for?

Actually, you can. I’ve developed several ideas that I believe will help individuals and organizations do a better job of preparing their people to deal with the ramifications of a cyber breach, without forcing them to constantly strive to do hero work.

No. 1: Write Your Breach Notification Letter Before You Suffer a Breach

Lacking experience, organizations need to work backward, starting with the breach notification letter. Sit down at the highest levels possible within the organization—senior management, CISO, perhaps even including board members—and write the breach notification letter, under the direction of counsel and as a draft “working” document. Interestingly enough, doing this will uncover many of the key challenges you will face. This is the finest executive tabletop exercise known to me, due to the questions and outcomes. When you sit down and write a notification letter that the world may one day see, you’re going to have to start asking the right questions:

• Who writes the letter?

• What is the tone?

• Whose names are on it? The CIO? CEO? CISO?

• Who will answer questions from the media?

• What are the ingredients that go into the letter?

• There are the staple talking points, such as “we’ve retained outside experts and contacted law enforcement.” But do we have a pre-existing relationship with them? Shouldn’t we?

• How well-prepared are the people inside the organization to do the work that will be required? Are they trained for this?

• What will it cost to pay an outside organization for public relations? What type of executive coaching do they provide?

• How do we securely share information and communicate if breached?

• Who meets with the press? Who coaches these people prior to meeting with the press?

• How do we contact clients? By letters? Phone calls? Email? Via the web site?

• Where do we host our breach information website? What happens if our site is part of the breach?

• Are we going to do credit monitoring? What does that cost? Is it worth it?

• Most importantly, who is the source of truth for investigative answers? Won’t they already be a little busy? How often do we update these talking points? Are we able to answer these in-house today, or do we lack this ability?

I could go on with more questions, but I’m sure you get the point. These are typically not questions that organizations raise until they’ve suffered a breach, and at that point, it is too late. You’ve already gone from the frying pan into the fire.

No. 2: Conduct a Field Trip to the Source of Truth—The Security Operations Center (SOC)

If you have a breach, who would you call internally? Who would that person call next? Who would prepare executives for difficult interviews and questions from clients? Work your way down to the unfiltered answer: those staff members normally ignored and probably working buried within your information security team—your security operations center (SOC). Without question, the reputation of your organization and your future professional comfort is in their hands. Have you even met them? Do you understand their workday, their challenges, and their pain? How well can they articulate their investigative processes?

Their problems and observable risks must be externally supported and prioritized. Seek their counsel before you have no choice but to seek it. Please do not underserve your SOC.

No. 3: Build a Better Type of Response Plan and Response Action

A plan untested, unshared, or created in a vacuum of experience is only good for those who can avoid the negative effects of its failure.

When I started this chapter, I was skeptical about the standard incident response plans that most organizations use to satisfy executive management or outside auditors. Frankly, I’ve never seen a good one when it comes to actually responding to a breach. These response plans typically cover technical issues, but they don’t discuss things like leadership or communications. And they don’t address breaches as the multi-year events that they often are in the real world.

A more effective incident response plan will address the pertinent questions raised by the breach notification letter. Who’s in charge? What’s the tenor and spirit of the organization? How do you sound? How large was the breach—how many records or systems were affected? How open do you want your plan to be—do you want to be cold, verbose, and succinct, or do you want to be open and share as much as you can? Do you share early before all the details are known, or wait to run out the clock? I recommend sharing early and honestly, knowing that additional updates will be made as the investigation unfolds.

No. 4: Plan to Deal With Issues Around Response Capabilities, Technology, Infrastructure, and Physical Space

Once you’ve suffered a breach, your entire technology infrastructure will likely be under investigation. Your IT teams will be buying new technology while they are still cleaning up the existing environment. Plus, you will likely be bringing in outside consultants, not just on the technology side, but across the board.

Along this line of thinking, remember that your multi-year plan, pilot projects, and pending budget requests will probably be green-lit. You will need three critical technical capabilities: visibility, analytics, and automated technical response. You can ensure you have these capabilities before a breach, or acquire them quickly post-breach. I’d suggest prioritizing these capabilities before a problem occurs; it’s much less expensive.

Visibility removes technical blind spots, generally through data lakes to store event data and analytics to make sense of it all and create attacker timelines. And then response is your cleanup. Remember, without complete attacker timelines, you won’t have complete response.

Logistically, do you have physical space for additional hardware while you remediate and clean existing infrastructure? Do you have enough rack space, cabling, and power to deal with all of the extra equipment? Ever think about allocating this ahead of time?

You also need to think about creating a landing zone to house all of the people you are going to bring on board to help. Where is the secure command center, and is it most convenient for the staff?

No. 5: Teach Your People Well

Your people, many of them technical mid-level managers, will be thrust into public-facing activities. Are they ready for it? Have you trained them? Do you feel comfortable having them speak to your most important customers? Do you have a backup plan and a backup plan for that? You might need 25 more spokespeople. Have they been trained to speak in public, handle an interview, an auditor, or government official? This goes beyond what your corporate communications team can manage, because many interactions need to be technically oriented. You can use outside people to help, but they are most likely going to be speaking from a script. Is that the image you want to present to your customers, partners, and the general public? Crisis tends to burn through veneer.

The responsibilities are not just outside-facing. There are internal challenges as well. Mid-level technical managers need to be articulate and clear when speaking to everyone, especially newly acquainted executive-leadership team members.

This is one of the hidden costs of dealing with a breach. It’s natural to think about lost revenue, a declining stock price, damage to the brand’s reputation. But there are a lot of people-oriented costs that must be addressed as well. If you can plan for some of these in advance, and spend the time training your people to handle a variety of roles, you stand a much better chance of mitigating some of the other challenges as they arise and threaten to cripple your organization once an attack takes place.



No. 6: Build Relevance With Your Sales Teams

This is advice aimed primarily at CISOs and other security leaders. Despite what we think, the board and executive leadership are often focused on one main goal, which is the retention and acquisition of customers. Everything else flows from that, beginning with the perception of the brand’s reputation. In a breach, you will be asked: “Does our present situation put any pending deals on the bubble?” and “Who might leave?”

Clients and prospects will have a ton of questions, and how you answer them will be critical. Again, it is essential that you encourage comfort and confidence. When I speak to CISOs, I often ask how many have presented at their sales quarterly business reviews or even know their sales teams. Curiously, I’ve never had a positive acknowledgement. Let’s change this.

A breach creates ongoing challenges for those who make money for the company; understand the sales pain. You will be pleased to discover that doing this opens a wonderful door of relevance for your organization and even personal brand.

You may think your job is to keep the bad guys out, but it’s also to facilitate the business. I’ve learned to develop a strong relationship with the sales team, and it has given me an incredible amount of clout. Once I took the time to build the trust of the sales team by putting them first, my career changed. It changed who I was talking to in the organization, how I was treated, and the types of conversations I was involved in.

No. 7: Don’t Rely Solely on “Hero Work”

People are not superheroes, and if your plan is to rely on herculean efforts you will probably fail. On the other hand, you want to create space for people to do hero work, which is usually the result of the type of leadership you provide and the type of culture you create.

If someone is operating in fear, he or she will not innovate, will not do hero work, will not be the brand ambassador, contributor, or thinker you need. Fear creates indifference quickly, and the level of indifference is often directly tied back to bad management. Your leaders have to take the heat, so the people on their teams can take the chances that hero work requires. You have to keep morale up and shield your people from pain or fear of failure. Hire and promote servant leadership today.

Leaders have to be leaders, and often in times of crisis, you see them slip back into the technical. This acutely means the leader doesn’t trust his or her staff. Once you get into a position of leadership, you can’t afford to be that technical person anymore. If you’re spending your time playing around on a console, you’re not a leader.

Conclusion

The skills involved in responding to a breach are much different than those involved in attempting to prevent it, particularly for most members of your technology teams. The reality, however, is that you have to rely on these people to step up their game and provide a level of leadership.

You need your leaders and spokespeople to inspire comfort and confidence in all directions. You can get ahead of the game by preparing them beforehand and being aware of which people are likely to step up and provide leadership in a time of crisis.

You can ensure that the overall organization is prepared so there is less chance that the people responsible for responding will be overwhelmed. You can ensure that there is leadership depth. You can take the time to write your breach notification letter ahead of time, answer the questions, and align resources to support those capabilities into your corporate culture. You can visit your SOC.

As an organization, you will likely be judged less on whether you suffered a cyberattack, and more on how well you responded to it. The better prepared you and your teams are, the better able you will be to respond appropriately. You won’t be able to anticipate every scenario—nobody can—but strong preparation and leadership will help you deal with the unexpected.

120 Cybersecurity Awareness, Understanding, and Leadership


17
Data Manipulation, Law Enforcement, and
Our Future: Seeking to Build Trust in Our
Digitally Connected Systems
Dr. Philipp Amann — Head of Strategy,
Europol’s European Cybercrime Centre (EC3)

While we have traditionally considered data manipulation as the practice of altering documents and other information, that definition is changing. When we think about data manipulation now, the alteration of documents and information done with a criminal or harmful intent has become a major concern, but not the only one. We also think about things like fake news, social engineering through the discrete mining of social media information, and the use of data as a tool—or a weapon—to shape people’s thoughts, ideas, opinions, and, ultimately, their actions.

As highlighted in Europol’s Annual Internet Organised Crime Threat Assessment, data remains a key commodity for cyber criminals. However, it is no longer just procured for immediate financial gain, but it is also increasingly used, manipulated, or encrypted to further more complex fraud, for ransom, or directly for extortion. The illegal acquisition of intellectual property or its manipulation can reflect the loss of years of research and substantial investment. Data manipulation in this context can also mean using hiding techniques such as steganography to exfiltrate data or hide command-and-control commands.¹

Data manipulation has become a moving target for those of us in the business of combating criminal activity online, building trust, and protecting our way of life in the Digital Age. Adversaries who manipulate data with malicious intent are constantly developing new tactics and attack modes, seeking any edge in a world where all of us are increasingly dependent on digital connections. This includes activities by criminals who hide their identity, mask their location, and obfuscate their financial transactions.

The Evolving Role of Law Enforcement

What can we do about data manipulation? The first focus for law enforcement is on investigating criminal behavior and prosecuting those responsible for crimes. With certain aspects of data manipulation and the often related criminal abuse of information technology, we have made significant headway in investigating and prosecuting criminals and shutting down illegal activities. A few examples:

AlphaBay and Hansa: In July 2017, authorities in Europe and the U.S., including the FBI, the U.S. Drug Enforcement Agency, and the Dutch National Police, with the support of Europol and other partner agencies, announced that they had shut down AlphaBay, at the time the largest criminal marketplace on the Dark Web, and Hansa, the third-largest criminal marketplace on the Dark Web. Both AlphaBay and Hansa were enabling massive amounts of illegal drugs, stolen and fraudulent identification documents, access devices, malware, and fraudulent services to be traded amongst cyber adversaries, which were enabling future data-manipulation crimes to be committed.²

Operation Power Off: In April 2018, the administrators of the distributed denial-of-service (DDoS) marketplace webstresser.org were arrested as a result of Operation Power Off, a complex investigation led by the Dutch police and the U.K.’s National Crime Agency, with the support of Europol and a dozen law enforcement agencies from around the world. Webstresser.org was considered the world’s largest marketplace for DDoS services. These services enabled cyber adversaries to use data manipulation to launch approximately four million attacks measured, aimed primarily at critical online services offered by banks, government institutions, and police forces.³

There are many more examples of successful law enforcement efforts that we can cite, but I am pointing to these because they have specific common characteristics:

1. They involved a coordinated effort across law enforcement agencies all over the world, along with the support of governments, regulatory bodies, and private companies. This is an absolute necessity if we are to successfully address criminal activity online, including today’s data manipulation challenges.

2. The crimes involved activities that were clearly illegal, and thus fit into the law enforcement model for investigating and prosecuting criminal activities. But, as cybercrime and malicious data manipulation evolve, not every instance will be clearly defined by legislation or regulation, thus making it more challenging to prevent, defend, investigate, and successfully prosecute perpetrators.

3. In each instance, law enforcement was in a position to be more reactive than preventative. Our ultimate goal is to be both. Law enforcement needs to successfully leverage resources from all around the world, not only to respond to crimes, but also to prevent and deter the criminal activity from happening in the first place, and ultimately to become more proactive.

These examples also highlight the high degree of professionalism, collaboration, and industrialization of the underground economy, where services and tools supporting the entire “cybercrime value chain” are readily available online and to non-tech savvy individuals.

Disrupting, Deterring, Diverting, and Defending

In dealing with malicious data manipulation and cybercrime, the expectation is that law enforcement—together with all relevant partners and in accordance with its mandate—will take on a more expansive and complementary role in defending against, disrupting, and deterring illegal activities before they can do harm and cause losses. This is why prevention and raising awareness are key topics, particularly in relation to addressing high-volume and low-level criminality online.

Law enforcement is in a unique position. Not only do we understand specific modi operandi and techniques when it comes to cybercrime; we are also constantly monitoring trends and threats, while analyzing the evolving motivations impelling those who would do us harm.

However, when it comes to data manipulation, even when activities are motivated by malicious intent, we are sometimes unable to contribute as effectively as we would like. One reason is that not all of the forms of data manipulation we encounter are properly defined as criminal by legislation. In other words, the intent may be malicious, but that doesn’t necessarily make it a crime. There is also a lack of a harmonized common legal framework or an underuse of existing legal frameworks and provisions, meaning the same activity might be criminalized in one jurisdiction, but not in another.

Access is another issue. Not every organization involves law enforcement when it first encounters a problem. There are many possible reasons for this. However, I would ask executives to preemptively think about how they work with law enforcement—before they have an issue. By building a proactive partnership with law enforcement, you will be better equipped to prevent an attack and enable a stronger and more impactful response should an attack occur.

Even in instances where access is possible, we face challenges in relation to loss of data and loss of location, which create substantial obstacles for investigations. There is also a need for standardized rules of engagement with private industry to establish a clear understanding of the extent to which private parties can engage with us and we with them.

When it comes to young people with strong information and communication technology (ICT) skills, we also support projects such as the “deterring youngsters initiative,” which, together with industry and academia, aims to divert young people away from a potential pathway to cybercrime by offering positive alternatives.⁴ We see this not only as an opportunity to divert such talent to positive activities, but also as a way of addressing the shortage of ICT skills.

Cooperating, Collaborating, and Connecting

If there is one thing we’ve learned about today’s cyber environment, it is that we are all in it together. We can gather strength in numbers and in pooling our knowledge, experience, and resources. It is a truism of the Digital Age that we are all connected. Our adversaries try to take advantage of our uber-connectedness—we should do the same in fighting them.

This touches upon the question of safeguards against and regulation of data manipulation, as well as responsibilities. Should it be left to tech companies to self-regulate when it comes to issues around data mining, data privacy, and data manipulation, or should the discussion involve all stakeholders, including industry, law enforcement, and the public? I would argue for the latter approach.

Regulatory and legal frameworks are just one example. If you look across the cybersecurity spectrum, you will see that every facet involves some level of cooperation and collaboration—from technology platforms designed to work seamlessly together, to law enforcement agencies that work together to not only investigate crimes, but also to detect, deter, divert, and to help defend.

The No More Ransom initiative is a great example of a joint initiative between law enforcement and industry, aiming not only at prevention and awareness, but also victim mitigation.⁵ The joint platform is currently available in more than 30 languages and supported by more than 120 partners, offering more than 50 decryption tools, free to victims of ransomware.

Building Transparency, Oversight, and Trust

In order to attain the levels of collaboration and cooperation necessary to address data manipulation, we must trust our people, processes, and technologies and build trust-based relationships between industry partners and law enforcement. This means we have to also address issues around transparency and oversight, which are becoming far more complex as technology innovation continues to accelerate and flourish.

The growth of big data analytics and automated decision-making creates new issues in terms of transparency and oversight, and therefore trust. This challenge could become exacerbated with the expansion of machine learning and artificial intelligence. When we allow automated decisions to be based on an algorithm, we may not have a clear way to determine if the data or the algorithm has been manipulated, which becomes further complicated if the algorithm has a built-in bias. This can add risk and make it difficult to audit and/or verify the outcome of such processing.

Trust is also an increasing issue in the area of fake news. It’s not just that fake news is being created and real news is being manipulated; sometimes only partial information is shared, thus creating a narrative that seems plausible, but which is not based on all of the available information. It is designed to support a specific idea rather than provide an accurate depiction of events. The challenge is compounded because adversaries are not necessarily breaking the law; they are merely taking advantage of their deep knowledge of social media and search-engine algorithms to manipulate data.

Finally, trust is also a key ingredient to successful public-private partnerships.

Moving Forward

Data manipulation is on the verge of becoming one of the largest criminal industries. Today’s reality is that law enforcement has a vital role to play in creating a more impactful and proactive response, not merely reacting to criminal activities. Everyone benefits from a holistic, adaptive, and complementary approach that involves all relevant partners, one where organizations can leverage the capabilities provided by law enforcement agencies. For example:

• With prioritized and coordinated joint actions against the key cyber threats—supported by adequate legislation—we can increase the risks for cybercriminals and impose real consequences.

• With effective prevention and disruption activities, we further tip the scales to the detriment of criminals by leveraging cooperation and partnerships across law enforcement, government, and private industry.

• With advanced technologies and open platforms, we can use shared threat intelligence, machine learning, and automated decision-making to reduce risk and improve responsiveness. This enables us to eliminate manual processes and use software to fight software while adhering to strict data protection regulations.

• With greater collaboration and commitment to sharing, we can band together as a community to use combined resources in the war against data manipulation. The cyber industry has made great progress in this area through the establishment of platforms such as the Cyber Threat Alliance (CTA), a not-for-profit organization that enables near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field. Another great example for collaboration that includes law enforcement as a key partner is the Cyber Defence Alliance. And we have also made significant headway together with the members of our own Advisory Groups.

Looking Ahead

How do we turn this vision of cooperation and collaboration into reality? Europol and its European Cybercrime Centre (EC3) and its many different partners in law enforcement, industry, and academia are a prime example of the power of a networked response to cybercrime at scale. However, we need to continue to improve and forge new alliances, further our cooperation with other partners, and continuously adapt our response. We also need to focus on areas such as regulations and technology to clarify criminal activity, improve our preparedness, and enhance our ability to coordinate a response:

Regulations: With General Data Protection Regulation (GDPR) in Europe, we are seeing the benefits of proactive regulation with a strong cybersecurity element. GDPR forces organizations to understand what data they have, where it is stored, who works on it, who can manipulate it, and how to protect these assets. That is linked to quality and information management, with organizations defining how they run their businesses in relation to cybersecurity risk. It also promotes the idea of designing security protections into products and services.

Taking a broader perspective, GDPR is about improving business and management practices, understanding core business processes, and identifying the assets of an organization, as well as its risk posture. While GDPR is an important piece of legislation, its impact on the WHOIS database going dark after May 25, 2018, had substantial cybersecurity implications, not only for law enforcement, but also for the internet security industry as a whole. This highlights the need to strike a balance between privacy and protection of fundamental rights on the one hand, and security and safety on the other.

Technology: Cyber criminals are adopting new approaches to increase their capacity to manipulate data and commit cybercrime. We must use current and emerging technologies to prevent them. This means the use of shared threat intelligence, open platforms, AI, machine learning, and more. It also means we must explore the benefits of innovations, such as blockchain technology, to create an environment that is more transparent, trustworthy, and resilient.

Big Data analytics, machine learning, and AI can improve cybersecurity through better threat detection and prediction, intelligence collection and analysis, and faster response. With effective use of information, the deployment of scarce operational resources can be better targeted to intervene precisely where issues, crimes, and threats can be expected. However, it is important that we use such tools carefully, proportionally, and in line with relevant legislation and regulations.

An example of using technology and information collaboratively and effectively can be found in the Adversary Playbooks program that has been developed by the CTA. CTA members leverage an automated platform to share actionable intelligence to create Adversary Playbooks that provide a consistent framework to identify broad threat indicators and adversary chokepoints. These playbooks typically incorporate several core elements: technical profiles, typical plays, recommended actions, and technical indicators.

Suggestions for Business Leaders and Executives

Beyond regulations and technology, business leaders and executives have a vital role to play in addressing the evolving challenge of data manipulation. They have a responsibility to set the cybersecurity agendas for their organizations and decide on the appropriate investments in people, processes, and technologies. Suggestions on steps business leaders and board members can take:

Develop an understanding of the evolving adversarial mindset: Executives can look to sponsor initiatives that drive your organization to build a proactive trusted partnership with law enforcement agencies. In doing so, you can gain insights into the motivations, technologies, techniques, and business models of cybercriminals, which can help to define the steps your organization can take to be better enabled to prevent an attack. Also look to collaborate with organizations, such as the Cyber Security Information Sharing Partnership, which enable secure threat intelligence to be shared.

Require organization-wide training and education: We all must be educated about the risks of data manipulation and the need for improved cybersecurity. This often starts in the executive suite, where C-level executives must understand risks so they can make the proper investments and strategic decisions. It also extends to security personnel, who are in relatively short supply in comparison to the need. So inspire, incentivize, and reward your IT security personnel to keep vigilant and informed. And recognize that, as leaders, we must leverage education and training in our work and classroom settings so users are aware of how they can mitigate risk whenever they go online.

Insist on a holistic approach: Cybersecurity should be part of a holistic approach that should be part of all processes. Business leaders and board members need to establish a cybersecurity culture whereby everybody is aware of his or her responsibility, and security and privacy “by design” are guiding principles. Since humans are often the weakest link, ongoing training, education, and creating awareness are indispensable tools in protecting against cybercrime and data manipulation.

Conclusion

The world is changing before our very eyes. The threat to data encompasses all three principles of confidentiality, integrity, and availability. By gaining access to data and subsequently exposing such data, criminals undermine the confidentiality of information. By manipulating the data, they undermine the integrity, and by attacks such as ransomware, they make the data unavailable. While data is a commodity now, it is increasingly emerging as a cybercrime attack vector through means such as data manipulation, compromised processes, and the increased potential to shut down basic infrastructure services and other pillars of our societies.

The good news is that no one is alone. In fact, we are all connected, both literally and figuratively. Our connected networks give us the ability to coordinate and collaborate in the face of data manipulation and cybercrime. Will we be able to build the trust necessary among our people, processes, and technology to overcome these threats? We must, we can, and we will.

1. “Criminal Use of Information Hiding (CUIng) Initiative,” http://cuing.org/
2. “Massive Blow to Criminal Dark Web Activities After Globally Coordinated Operation,” Europol, July 20, 2017
3. “World’s Biggest Marketplace Selling Internet Paralysing DDOS Attacks Taken Down,” Europol, April 25, 2018
4. “Cyber Crime vs Cyber Security: What will you choose?,” Europol, https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/cyber-crime-vs-cyber-security-what-will-you-choose
5. “No More Ransom project helps thousands of ransomware victims,” ZDNet, July 27, 2017

The Convergence and Divergence
of Compliance and Cybersecurity
18
Why Secure Availability—Not Compliance—
Should Be Every Business Leader’s Goal
Danny McPherson — Executive Vice President and Chief Security Officer, Verisign

Compliance takes up an inordinate rity, or availability). Furthermore, enumer-


amount of an organization’s time, budget, ating what you care most about, and what
and manpower, particularly when it comes enables it, is a critical first step in a com-
to ensuring that access to IT resources and prehensive cyber-risk management pro-
vital information are safeguarded at all gram.
times. Let me be clear: I’m not saying that
And I’m here to tell you that C-suite compliance isn’t important. No one wants
executives and board members alike—and to risk fines, sanctions, or damaging pub-
yes, even a lot of us chief security officers— licity over regulatory violations. And no
are fretting, fussing, and fidgeting over the one wants to see our executives do a digi-
wrong thing. That is, given that most IT tal “perp walk” for the compromise of sen-
security resource allocation still focuses on sitive information.
accommodating inherently reactive com- That’s why cybersecurity challenges
pliance objectives rather than considering have made compliance a source of anxiety
overall enterprise cyber risk management, and angst for C-suite executives and board
we may not be adequately protecting what members. I don’t need to do a roll call of
we care about most! data breaches in your industry—we don’t
An organization’s overall cyber risk can have enough hours in the day for that.
be calculated [in part] by considering Let’s just all agree that those breaches, data
threats posed by motivated capable adver- losses, and regulatory compliance missteps
saries (to include intentional or uninten- are exacting huge costs on all organiza-
tional insiders), the organization’s vulner- tions’ finances, operations, legal exposure,
ability to those threats, and the immediate and brand reputation, not to mention the
and residual consequences that result (e.g., long-term residual effects on impacted
be they impacts on confidentiality, integ- parties.

131
I’m sure that just the simple thought of able when employees, partners, and cus-
a banner headline with your organization’s tomers need them. Besides, demonstrating
name linked to a data breach sends shiv- compliance is too often viewed by business
ers down your spine. I know that’s what it leaders as an event, typically played out in
does to me. this conversation:
But compliance is not—repeat, not—
CEO to CSO:
your goal. Or, at least, it should not be the
How did the HIPAA audit go?
key focus of your cybersecurity program.
And let me tell you why:
CSO:
Being compliant is not the same as being
Great, we passed with flying colors.
secure.
For that matter, being compliant does
What the CEO says:
little or nothing to ensure that your crit-
Glad to hear it; nice work.
ical systems are available at any point in
time, which jeopardizes everything you do.
What the CEO thinks:
That’s why you need to focus on taking the
One less thing to worry about until next year.
right steps to enable secure availability of
essential services and key resources in the
Demonstrating compliance—either with
face of broadening cyber threat vectors. If
an external regulatory body or an inter-
you do that—and only if you do that—
nal function—is usually a point-in-time
you’ll have a fighting chance to maintain
status check. But no one should delude
operational integrity and achieve compli-
themselves into thinking that their abil-
ance in today’s incredibly interconnected
ity to demonstrate compliance guarantees
internet ecosystem. Let me explain why.
them another second of secure availability.
Why Availability Matters And even a few minutes of interrupted sys-
and Why It Must Be Secure tems availability can cost millions of dol-
lars, compromise customer trust, and tar-
For as much attention, spending, and
nish an organization’s reputation.
energy that goes into the process of
That’s because, at any point in time, a
demonstrating compliance, it’s important
cyberattack can:
to remember that compliance is a very lim-
ited way to look at the security of essential • Take down a city’s water filtration sys-
systems or data. tem.
Compliance regulations tend to be
• Disrupt an internet service provider’s
inherently reactive and very targeted, either
wide-area network infrastructure.
by industry, geography, or type of infor-
mation that needs to be protected. These • Circumvent a retailer’s digital loss pre-
requirements often focus heavily on the vention system.
confidentiality and then on the integrity
• Interrupt a manufacturing plant’s ro-
of the data. Although these are certainly
botics-based assembly line.
important issues, they do little or nothing
to ensure overall resilience—that is, that • Undermine a municipality’s online
mission-critical systems and data are avail- voting system.

132 The Convergence and Divergence of Compliance and Cybersecurity


If any of those systems—or any other Trends such as the Internet of Things,
mission-critical application—is rendered cloud computing, enterprise mobility, and
literally or functionally unavailable because digital transformation are making orga-
of cybersecurity attacks, the compliance nizations more efficient and better posi-
status you proudly hail won’t mean a pile tioned to bring new products and services
of beans. to market faster.
Fortunately, many executives are get- They also are making organizations—
ting the message—a message that is often and their entire business ecosystems—
delivered by an anxious and persistent CIO more vulnerable.
or CSO, or a business leader who realizes Take IoT, arguably one of the most
that the organization will not demonstrate exciting and promising applications of
compliance unless it focuses on the bigger technology in decades. But when billions
picture of secure availability and resilience. of everyday items are connected via the
With increasing frequency, executives internet—not only to each other, but often
and board members are buying in to the also to our core business systems and IT
notion that secure availability is the very infrastructure—we dramatically increase
foundation of compliance. As such, there risks that threaten secure availability and,
are more nuanced discussions with busi- in turn, compliance.
ness leaders and in boardrooms that go far Another dual-edged sword is the
beyond compliance-centric issues, such as increased use of technology to enable cus-
confidentiality and data integrity. tomer self-service, such as online banking,
Not surprisingly, organizations with a omnichannel shopping, or ordering and
culture built around collaboration among managing municipal services from a digital
business and technical leaders are demon- consumer device or through a public cloud
strating real leadership in promoting service. Yes, it creates a boatload of new
secure availability first, with compliance services and improved customer engage-
being one result of that focus. And those ment. And yes, it also introduces a boat-
where the CEO and board see cyberse- load of unmanaged endpoints and easily
curity as a technology problem best han- accessible points of entry into our digital
dled by the SecOps team or solely by dou- infrastructure, where systems can be dis-
bling the infosec budget … well, let’s just abled or rendered ineffective if availability
say they are setting themselves up to be the is interrupted.
focus of the next banner headline. Mobility, cloud, virtualization, and
other technology also are driving new
A Sobering Thought: workforce models, such as distributed
New Business Initiatives Often teams, virtual collaborations, and new
Expand Your Cyber Risk Footprint models for when, where, and how people
and Threaten Compliance work and share information. Those pro-
In this book, and in many other discus- vide flexibility and empowerment for our
sions, you’ll undoubtedly read and hear a employees, but they also represent big secu-
lot about the exciting business opportu- rity headaches as more things that organi-
nities made possible by the integration of zations care about live in more places with
technologies into everyday business pro- fewer direct capabilities to protect them.
cesses and common “things.”

Why Secure Availability—Not Compliance—Should Be Every Business Leader’s Goal 133


Each and every one of these new opportunities carries a substantial risk factor that can result in regulatory or internal policy compliance challenges. However, these challenges will pale in comparison when new products and services are rendered unavailable due to security lapses or even network connectivity issues anywhere along the digital ecosystem.

Lessons Learned: Using a Three-Tiered Approach to Secure Availability

As I’ve stressed in this chapter, compliance is best achieved with a more strategic focus on secure availability with consideration of overall cyber risk to the enterprise. But actually achieving secure availability takes patience, practice, and a process rooted in business goals, not in technology.

Over the years, I’ve worked with my business colleagues to identify and overcome cybersecurity challenges—and to help ensure compliance objectives are met along the way. I’ve come to think of this as a framework for delivering secure availability, comprising three major components:

• Doing what you have to do.

• Doing what you said you were going to do.

• Continuously refining and adapting to what “good” looks like.

Every organization is likely to develop and deploy this framework in its own unique manner, depending upon its own business goals, risk appetite, organizational strengths, and enterprise vision. But the issues within each of these three pillars are applicable to all organizations looking to ensure secure availability.

Doing what you have to do. This is where everything starts. After all, your organization must comply with the laws and regulatory obligations of the different jurisdictions where business is conducted. These include issues revolving around custodianship of information and data privacy regulations, and ensuring that you are acting responsibly with the data that others have entrusted you to safeguard. I’m sure you’re thinking these are pretty fundamental, and you’re right. These are table stakes, essential requirements for ensuring secure availability and meeting compliance mandates. But without meeting these baseline requirements, you might as well get ready for a regulatory assault—and a costly and damaging security incident brought on by a security breach or data loss.

Doing what you said you were going to do. This is all about a rock-solid commitment to actually following through in all ways—contractually, in regulatory matters, in internal policies, and even morally. This should be part of your organization’s governance framework, jointly worked out among business leadership, IT and security teams, and legal officers. Again, the goal here is to ensure secure availability; if done right, compliance will be the byproduct. This is why your governance programs must go beyond good policies and policy management to extend to enforcement in the same way organizations enforce human resources or financial policies. Reporting must be consistent, transparent, and designed to easily flow up the organization. And, of course, policies and enforcement processes need to be communicated throughout the organization in both security awareness and targeted training programs. If you have a data loss prevention policy, but you’re not educating your employees about how to label, securely share, transfer, and store data, or for how long and where, you’ll run into big problems and find it extremely difficult to achieve a state of continual compliance.

134 The Convergence and Divergence of Compliance and Cybersecurity


Continuously refining and adapting to what “good” looks like. Fortunately, there are a number of useful and well-regarded standards for the protection of systems and digital assets, especially when they travel to and from the internet. Your CSO and IT executives undoubtedly know about the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), a voluntary framework that provides models based on the principles of “prioritization, flexibility, and repeatability.” And the Center for Internet Security publishes a list of the top 20 security controls, which presents a great opportunity to identify the best value for information security investments. Certainly, business leaders need to get behind these and other applicable frameworks that help identify key security and resilience objectives, as well as corresponding metrics their organizations should consider embracing. These can also help measure the organization’s ability to ensure availability and to provide a foundation for compliance.

Until fairly recently, internet engineers tended to measure availability in terms of internet access and service level agreements (SLAs). We didn’t necessarily work ourselves into a frenzy because we lost corporate or residential internet connectivity for a few hours or even a day. But we’ve evolved in very meaningful ways in terms of how we gauge the business impact of service availability interruptions. Today, if you can’t deliver uninterrupted core services to your employees, customers, and partners, you’re in deep, deep trouble. So, we can’t let our organizations get to the point where systemic dependencies bring down our systems and restrict our access to critical data and services. We must collaborate in order to get a fuller and higher-definition picture of risks and their impact and longer-term consequences.

In the U.S., if an organization’s security program is intelligence-driven, the Cyber Security Act of 2015 makes it much easier for it to ingest and share cybersecurity indicators without the threat of antitrust violations hanging over its head. Because attackers exploit asymmetries in ways defenders don’t have the luxury of doing, they are constantly adapting their tactics and techniques; without adequate information-sharing and community collaboration, organizations may be lured into thinking that their state of security readiness and secure availability is much higher than it really is.

Steps Business Leaders and Board Members Can Take Today

Once an organization understands that enabling secure availability—and, by extension, demonstrating compliance—is a business issue rather than a technical one, it has taken the first step toward achieving that goal. And there are efficient ways for business executives to learn from the lessons and experiences of others to support those efforts.

First, keep in mind that your organization should study high-profile and particularly relevant breaches and learn how they may relate to your own situation. What vulnerabilities did the breach expose that may be relevant to your organization and operations? How did other organizations respond to mitigate the damage, both technically and from a communications perspective? What is your plan if such an incident were to impact you? What was the impact on their business operations, and how exposed are you?

Second, you must—absolutely must—have a game plan for DDoS attacks and ransomware. This is vital, because more and more organizations are being hit with these attacks every day. Why wouldn’t they



be? They’re cheap to implement, and the bad guys are smart enough to either extort their intended victims or ask for ransoms that are small enough to be considered “nuisances” by business leaders and boards. Furthermore, your preparedness here will also enable you to better identify, protect, detect, respond, and recover from whole classes of destructive malware and other attacks, as illustrated in Figure 1, on page 137.

But how you respond when you are hit needs to be carefully planned and meticulously carried out, and that’s where the business experience and acumen of your executive leadership and board come in very handy. They’ll also engage you in some very probing question-and-answer sessions, but don’t fear those—embrace them. If you’ve done your homework, you’ll have a vital opportunity to ensure that your defense strategies are aligned with business priorities.

Third, use regulatory and governance requirements as an opportunity for more internal dialogue and game-planning. I used to cringe at the thought of quarterly disclosure filings, internal risk reporting, compliance documentation and audits, and the like. Eventually, however, I began to embrace these and other opportunities to discuss cyber risks, impending threats, impact, and preventative steps with my business colleagues and board members—from a whole-of-business perspective. I saw them as my chance to sound warning bells and highlight key cyber risks before something bad happened. I also saw them as a chance to provide important updates to key stakeholders about the latest changes, what we’ve done to ensure that our key assets remain available, and, of course, that we’re still in compliance with applicable obligations.

At the end of the day, we should be worried less about passing audits and demonstrating point-in-time compliance than about the fundamentals of cybersecurity: availability, confidentiality, and integrity. Your chief compliance officer might blanch at such heresy, but your focus on secure availability will do more than keep the regulators off your back. It will ensure you still have a business tomorrow.



Figure 1: Five phases of NIST Cyber Security Framework (CSF) 1.1
Credit: N. Hanacek/NIST



19
Enabling the Digital Revolution in Europe:
Building Effective Cybersecurity Policy
Through Trust and Cooperation
Michal Boni — Member, European Parliament

We are about to enter an exciting new stage of the Digital Age. 5G infrastructure will bring new opportunities; new personalized digital services will drive innovation and invention; data and information transfers will be available at the highest speeds; new business models will enable Industry 5.0; the Internet of Things will develop on an unprecedented scale, with billions of devices communicating with each other.

At the same time, we are beginning a new era of human-machine collaboration, with unlimited possibilities for data processing, thanks to the use of algorithms and artificial intelligence. Moreover, we continue to see rapid development of high-performance computing networks, as well as expansion and improvements in the underlying technologies for cloud and storage solutions.

All of this promises to unleash a huge change in how we work, communicate, spend our leisure time, and educate our children and ourselves. As leaders in our fields, whether we are in government or private industry, how do we ensure that we can make the digital world secure as we stand at the brink of this new digital transformation?

The answer is simple: Trust.

Building Trust

Building trust is perhaps the most crucial factor in enabling the digital revolution that is right before us, maybe even more important than the technology itself. Building trust requires two basic things:

1. Awareness of the need for cybersecurity and, at the same time, the need to protect personal data.

2. The development of a proper legal and institutional framework for cybersecurity and data protection.

How can we make this happen? What can we do to achieve better cybersecurity awareness? What practical measures can we take to make the digital world secure? How do we build the levels of trust required to ensure that people feel safe when they are using the advanced technologies of the Digital Age?

Three things must happen. First, we must overcome the divisions we face

with regards to cybersecurity in the context of a digital single market in the European Union. Second, we must put in place enforceable cybersecurity policies that are based on risk analysis and management. Third, we must build a shared responsibility model to assess and address cybersecurity dangers.

As an EU legislator, I believe strongly that dialogue and cooperation between government policymakers and industry stakeholders are essential to addressing these challenges so we can collectively develop and execute the right policy responses that can unleash the digital revolution. I believe if we can effectively address these challenges, we can provide a path for the rest of the world.

Key Challenge: Certification

In the EU, the journey starts with establishing common, harmonized certificates, which, when accomplished, would also help facilitate the achievement of our shared global objectives. In the EU, we presently have 28 separate sets of national rules for certification, a level of fragmentation that is an enormous obstacle to improving cybersecurity.

Currently, there is a patchwork of cybersecurity certification schemes and initiatives in Europe. On the one hand, national certification initiatives are already in place or are emerging, without being mutually recognized. On the other hand, not all EU Member States are part of the main European mechanism based on mutual recognition, known as SOG-IS.

The SOG-IS Mutual Recognition Agreement of Information Technology includes 12 Member States plus Norway, and has developed a few protection profiles on digital products, such as digital signatures and smart cards. Members can participate in a mutual recognition agreement as certificate consumers and producers. While this allows companies with certification in one country to use it in all other participating countries, it is not a sustainable long-term solution.

A common, harmonized certification framework is necessary, as proposed in the draft Cybersecurity Act on which the European Parliament is currently working. Establishing this common certification framework is a process, and it must move from a voluntary model at this stage to a mandatory model after we’ve had some years of experience.

In establishing the Act, an open perspective is needed, using a market-led approach that does not incorporate too much administrative pressure. This kind of flexibility is crucial if we want to implement certification schemes that will correspond not only to the current threats, but also to incoming, future dangers.

The open model in the area of European certification ought to be clear, transparent, and based on this industry- and market-led approach. There are no one-size-fits-all solutions that would suit all sectors, devices, services, infrastructures, software, and hardware.

It is important to recognize that a case-by-case approach is paramount to successfully address cybersecurity issues. It is also crucial to conduct proper risk assessments and, after that, to propose a candidate certification scheme. This should depend on the results of risk analysis linked to different levels of possible assurances.

A Model for Building Certifications

The European Commission has proposed three levels of risk from which to build certifications: high, substantial, and basic. We have to consider these levels and



determine whether we require strict definitions of assurance levels. Another challenge is what to do with the concept of self-assessment. Who determines risk and how will that be accomplished? What will be the driver: convenience/self-assessment or clear requirements based on the significance of cybersecurity?

The norms, standards, and technical requirements for cybersecurity certifications should be discussed by experts and industry stakeholders. This should first take place at the level of expert working groups, set up by the European Union Agency for Network and Information Security (ENISA), that would define each candidate certification scheme.

It is better to have a real platform for cooperation on merit issues related to cybersecurity needs than to have a more general advisory group. At the same time, the real work of finding optimal models of certification schemes should be done at the level of the Cybersecurity Certification Group, in which representatives of national regulatory bodies are responsible for certification.

The common, permanent work of the Cybersecurity Certification Group will enable it to harmonize the conditions for certifications. This is the only format that will facilitate the most balanced and effective approach to bringing together the two key stakeholders: Member States and the business community.

Essential for Success—Cybersecurity Awareness

Why is it so important to bring together Member States and the business community to improve cybersecurity?

First, if we want to raise awareness of cybersecurity issues, we must involve all partners and give them the appropriate roles. Every company—small, medium, big, and those with high or low levels of deployment of IT solutions—should start to analyze its cybersecurity risks. All must have competencies to manage those risks. And all sorts of industries should be open to sharing the responsibility in many areas.

In addition, we as individuals must be involved in protecting ourselves in the area of cybersecurity. Reducing risk often depends on our habits, our knowledge and understanding of cybersecurity problems, our everyday choices, and our personal cybersecurity hygiene.

Finally, it should be an imperative to provide people with the skills in this area. Cybersecurity hygiene principles should be incorporated as a critical part of all educational curricula in all European countries. Everyone should be properly trained.

No Easy Task—Cybersecurity Coordination

In the EU, cybersecurity is not necessarily centrally driven. Coordination is needed, and we must determine which institutions should coordinate the policies for cybersecurity at the European level. Perhaps by doing this successfully in Europe, we can provide a framework for achieving similar objectives worldwide.

Many of the goals and requirements for pan-EU coordination are described in the Network and Information Security (NIS) Directive, the EU’s first law focused specifically on cybersecurity, which was adopted in 2016.1 The NIS Directive comprises three parts:

1. National capabilities: EU Member States must have certain national cybersecurity capabilities of the individual EU countries, e.g., they must have a national Computer Security Incident Response Team (CSIRT), perform cyber exercises, etc.

Enabling the Digital Revolution in Europe: Building Effective Cybersecurity Policy Through Trust and Cooperation 141
2. National supervision of critical sectors. EU Member States have to supervise the cybersecurity of critical market operators in the country: Ex-ante supervision in critical sectors (energy, transport, water, health, and finance sector), ex-post supervision for critical digital service providers (internet exchange points, domain name systems, etc.). The legislation also stipulates that, by the end of 2018, we will have indicated in every country those operators that are responsible for security of the critical infrastructure.

3. Cross-border collaboration: Cross-border collaboration between EU countries, e.g., via a network of operational CSIRTs across the EU to rapidly react to cyber threats and incidents; and the strategic NIS “cooperation group” between Member States to support and facilitate strategic cooperation and the exchange of information, and to develop trust and confidence.

Thanks to this legal act, the European Union has made it clear how important it is to have cybersecurity strategies and proper division of responsibilities between government, military, and business institutions, in all EU countries.

A Complex Journey

We must acknowledge that the NIS Directive is only a first step in the complex journey of addressing the cybersecurity challenges facing the EU in the Digital Age.

At the European level, the capacity of ENISA should be adequate to tackle new measures and tasks. The EU has to support ENISA in its function to collect data on cybersecurity incidents, per the role ENISA was given in the NIS Directive providing support to the pan-EU CSIRT network and cooperation group described above.

The purpose is clear: More cyber-threat-information sharing means more understanding of the various forms and schemes of cyberattacks, and greater recognition of attacks means more security solutions for defending our devices and systems. With its new mandate as laid out in the Cybersecurity Act, ENISA should play the key role in the European Union as the body responsible for cybersecurity issues.

It is obvious that ENISA needs to cooperate with all partners—certainly with businesses, as we have discussed throughout this chapter. ENISA should also cooperate with different EU institutions responsible for security such as Europol; with international partners such as NATO units working on cyberwar; and with experts from academia and other important institutions.

A Necessary Factor—Research for Innovative Cybersecurity

Without efforts aimed at instilling trust and cooperation between industries using common, modern, and ongoing research, we run the risk of failing in the fight against cybercrime.

We need new research projects that are innovative and focused on implementation of the rule often described as “cybersecurity by design.” We need to develop a framework for using the capacity of AI to support risk analysis, the predictability of cyberattacks, and the development of new instruments in the processes of crisis management.

European Union investments should support the improvement of technologi-



cal solutions crucial for cybersecurity. At the beginning of May 2018, the European Commission announced a proposed budget of €100 billion for the next EU Research and Innovation Framework Programme, called Horizon Europe (2021-2027). In parallel, these technology investments should be used to develop the cybersecurity industry in Europe. There is a huge potential among many companies to achieve global leadership in the cybersecurity area. Of course, the approach to cybersecurity should be focused not only on European goals, but also with a global perspective in mind.

Why a Cybersecurity Roadmap Is Needed

All of the issues discussed in this chapter are in some way related to the Cybersecurity Act. The Parliament wants to finalize it as quickly as possible and start the dialogue with the European Council.

But that is not the end of the work. We are still at the very beginning of addressing the very real societal and business challenges we face. It is therefore important to consider what other steps should be taken—and when—and to build a cybersecurity roadmap to ensure the involvement of all stakeholders at all levels of each of the processes. Everyone’s commitment is paramount to our success.

How can we draw the institutional dimension of this solution? What kind of perspective for stronger cooperation and commitment between the EU institutions and Member States can establish a realistic path toward implementation? Which steps can each of us take to build the trust required to achieve our objectives?

In short, what can we do, individually and collectively, to build the foundation of an EU cybersecurity environment that truly addresses our combined interests? Here are some suggestions:

• Provide input to me and other MEPs, as well as the European Commission and the Council.

• Talk with your national governments.

• Determine how to engage with ENISA.

• Help guide us on what more you—as individuals and citizens—can do to improve cybersecurity.

• Help us understand what you need—whether it is education, awareness, guidance, recommendations on best practices, or anything else.

• Bring ideas from other countries, including ideas that can help foster global cooperation.

Conclusion

We have a great opportunity in the EU to secure the Digital Age. But the only way we can successfully address the cybersecurity challenges we face, here and abroad, is by cooperating and building trust.

As we stand at the dawn of this new stage of the digital revolution, we must all recognize the shared responsibility and opportunity that has been placed in our hands. Let us make sure we can overcome the divisions that pull us apart and build a path forward that binds us all together.

1 NIS Directive, European Union Agency for Network and Information Security (ENISA), enisa.europa.eu

20
Beyond Compliance: The Human
Element of Cyber Resilience
Ria Thomas — Partner and Global Co-Lead for Cybersecurity, Brunswick Group

Over the last several years, with the rise in massive data breaches, which led to public outcry, governments have responded with ever-increasing regulatory requirements. The European Union’s General Data Protection Regulation (GDPR), which came into enforcement on May 25, 2018, may be the most well-known of these governmental efforts.

The need for such a regulation and the complex efforts it took to address its requirements highlighted how poorly prepared companies can be when looking at the issues surrounding their obligations. And yet, GDPR only addresses one significant aspect of cyber risk to a company—the potential loss of individuals’ data and its privacy, which the company has a duty to protect.

Like GDPR, most cyber regulations are created to protect society from behavior that could cause negative impacts. These regulations are likely rooted in the experience of previous attacks and may not extend to other issues until there is enough widespread acknowledgement of the need for certain practices to be modified.

As such, compliance with regulation alone cannot cover the business risks and impacts a company faces from cyberattacks.

Businesses can move beyond compliance by striving to understand the human element. By changing corporate cultures and altering behaviors, they can take proper steps to ensure they are taking the right approach to cybersecurity and, consequently, protect their valuation and hard-earned reputation.

For the leaders of any organization, whether you are part of the executive management team or the board, the path to better cybersecurity extends to the people, processes, technologies, and cultures you put in place, regardless of whether a regulation requires it.

Being prepared is not merely about achieving or even maintaining compliance; it is about adopting a cybersecurity culture that ensures the people in your organization are ready to deal with any eventuality, whenever it may occur. And that includes you. Active board and executive committee-level ownership of cybersecurity and its enterprise-wide prioritization are essential for comprehensive, company-wide cyber resilience.

Understanding the Human Element of Cyber Resilience

In today’s business, cybersecurity is a combined human and systems challenge that requires the close attention and involvement of the company’s senior leadership.

First, it is critical to undertake the necessary technical investments, not only to protect your company, but also to be able to demonstrate that you understood the technical risks and sought to mitigate them to the extent it was feasible.

That being said, it is important to acknowledge that cyber risks are caused by humans. And cyber prevention is managed by humans. How you work to prevent a cyberattack and how you respond to one starts with understanding who is involved. There are three general categories of players to consider when we are dealing with cybersecurity. These are:

1. The people attacking the business. These are the people who are out to harm your organization, whether for profit, geopolitical gain, mischief, mayhem, or any other reason. As has been discussed in other chapters within this book, the nature of these attackers is changing all the time, including their motivations and attack methods. One important point to remember: Regardless of the motivation, methodology, or attack mechanism, it is human actors who are behind the attack and whose often unpredictable actions you will need to confront.

2. The people responding within the business. The ability to minimize the operational, financial, and reputational impacts of a cyberattack does not rest in the hands of one individual or one group within a company. Instead, it requires both vertical and horizontal leadership and coordination.

Board members set the governance strategy and hold the keys to accountability in terms of how the company leadership prepares and responds to a cyber crisis. Executive leaders build the culture, make key investments, and ensure a crisis structure that integrates the company’s information-sharing and response coordination; they also undertake critical strategic decisions during a cyber crisis. Neither the board nor the executive committee can be successful, however, without the people who work under them. These individuals are the ones on whom they need to rely to obtain an accurate, timely understanding of the technical, operational, financial, and reputational implications of the attack. They are drawn from across the business and should include cyber/IT, legal, human resources, corporate communications, government/regulatory affairs, et al.

Part of being prepared means knowing that the entire organization needs to come together, not only to create an integrated picture of the business impacts but also to coordinate a response that will minimize the potential fallout. It requires that each person understands their role, responsibilities, and what is expected of them during a cyber crisis.

3. The people impacted by the cyberattack on the business. A key element to maintaining resilience in the face of a cyberattack is demonstrating that senior leadership understands the human impact of the cyberattack on those to whom it has an obligation.



These are not only the people inside your organization, but outside it as well.

If an attack impacts your infrastructure, you may not be able to provide services to your customers. If you are in a critical industry, such as banking, utilities, healthcare, or transportation, the results can be devastating to individuals who rely on those services. If you are in retail or another customer-facing industry, you can lose sales and customer goodwill. If you suffer a data breach, important personal records of customers could be exposed on the Dark Web, creating risk of identity theft, financial loss, and other consequences.

It is critical to understand that you, the company leadership, are making decisions based not just on what is best for your bottom line. Rather, you should demonstrate you are minimizing and mitigating the impacts on the people directly affected by the cyberattack; this focus will ultimately affect your bottom line.

Building a “Beyond Compliance” Corporate Cyber Culture

Adopting additional measures to ensure compliance with a regulation can be a critical turning point in how a company addresses a specific cyber risk that the regulation seeks to address.

It is imperative, however, not to assume that compliance alone will protect your business from the wide-ranging ramifications of cyberattacks. Instead, the focus should be on each aspect of the human element described above.

Given the range of evolving cyber threats and risks, the first step for company leaders, whether in the boardroom or the executive suite, is to take the time to understand the threat environment for your organization, including the potential business risk and the potential business impact.

Assessing the threat environment involves more than the technical risks. It also requires you to understand how your various strategic business decisions may be increasing your risk of a cyberattack. For example, as you enter into a new business venture, acquisition or partnership, or you move into a new international market or build critical intellectual property around a cutting-edge technology, who are the human beings interested in attacking your business? What could they be seeking to achieve? What kind of damage can they cause?

The next step is to engage with all of the key members of your organization who will need to create an integrated understanding of the impacts and who will be required to come together to help coordinate the corporate-wide response. Are they aware of leadership’s expectations of them during a cyber crisis? Do they know their roles and responsibilities? Will the existing crisis structure, whether formal or informal, be able to handle a multi-faceted cyberattack?

As part of the pre-cyber crisis preparation, it is also critical that company leadership invest in raising employee awareness, not only of cyber risks but also of the behavior that may be expected of them to protect the organization from cyber threats.

The above measures will allow you to stay resilient in a cyber crisis because the human beings you need to rely on to minimize the long-term impacts, especially to your reputation, are already within your organization. Creating a corporate-wide, cyber-resilient culture requires not only their active engagement and participation, but their buy-in.

Beyond Compliance: The Human Element of Cyber Resilience 147


Finally, during a cyber crisis, you should take into account the spirit of most regulations: How do you ensure that your priority is understood to be the human beings who are most impacted by the attack on your business? These are not only your customers, partners, and your employees, but also the general public. What are the principles by which you lead your company through the cyber crisis? Are they protecting your business operations and valuation? Or do your actions and words convey that you have understood the weight of the trust that has been placed in your business by the human beings on the other side of the crisis?

It is possible that a cyberattack on your business and its ramifications will not fall within the confines of a particular regulation, such as GDPR, but it may still have an enormous impact on the public. How the public reacts has little to do with compliance and everything to do with perception: Did you do everything you were supposed to do? Put more succinctly: Did you do the right thing, even if you were not required by law to do so?

To accomplish this, you need to ensure that you have the right strategies and policies in place to reflect that you have planned for and thought about these things before the incident took place. This preparedness approach is where the right culture can leverage institutional muscle memory. You will not be able to think everything through in advance, but if your core group understands their roles and responsibilities, you are in a much better position to do the right thing and shape public perception in a positive way.

Conclusion

Compliance with regulations alone does not ensure cyber resilience. Instead, your organization’s ability to overcome the myriad impacts of a cyber crisis starts with understanding your cyber risks, the potential impacts, and the measures you need to put into place in order to maintain your ability to steer through the crisis. Those efforts cannot be successful without taking into account the human beings that form the core of the threat, the response, or the impact.

IMPLEMENTING A CORPORATE-WIDE CYBER RESILIENCE APPROACH

How do you ensure that your organizational cybersecurity culture goes beyond compliance into resilience? Here are additional suggestions and questions to consider for each of these critical aspects of your cyber resilience approach:

1. Assessing risks of a cyberattack:
• Do you have a comprehensive understanding of the business risks you face from the technical, operational, and strategic threats posed by a cyberattack?
• How would you define a worst-case scenario, e.g., timeline of acceptable operational disruption; type of market impact; level of government scrutiny; public/media attention?
• Are you addressing challenges regarding a possible lack of skilled cybersecurity staff?

2. Understanding the impacts of a cyberattack:
• What processes do you have in place to understand the multiple impacts of a cyberattack across corporate units, or of one that is combined with physical attacks?
• How do you prioritize or reconcile conflicting national or international regulatory requirements, such as GDPR?
• What liabilities and obligations exist to internal and external stakeholders, including employees, customers, partners, and regulators?
• Do you have a program in place to assess the impacts of an attack by an aggrieved employee with access to your business- and customer-critical data or your network?

3. Planning and executing your cyber crisis response:
• Is there a corporate-wide incident management plan in place for a range of cyberattacks that accounts for your cyber risks?
• Do senior leaders across the organization understand their roles and responsibilities? Is there a structure of support under them to ensure they have the information they need in a timely manner?
• Is there an employee awareness program in place to increase employees’ understanding of cyber threats and the need for good cybersecurity practices, including those relating to their social media activity?
• Who are the internal and external stakeholders you need to notify and/or alert? How will you prioritize?
• How do you deconflict information shared by your business units and coordinate how much information is being shared with whom and when?

4. Communicating with internal and external stakeholders:
• Does your strategic communications plan include prescripted, pre-authorized messaging related to the cyberattack scenarios that are relevant to your cyber risks?
• Is there a process by which you notify employees and external stakeholders, especially if key methods—phones, email—become corrupted or disrupted because of a cyberattack (i.e., an out-of-band channel that does not depend on the possibly compromised environment)?
• Who is the “face” of your company during a significant cyberattack? Have they been media-trained? Are they ready to lead by example?



21
Why Corporate Governance Matters So Much in Cybersecurity
Paul Jackson, GCFE — Managing Director, Asia-Pacific Leader, Cyber Risk, Kroll

In the high-pitched, relentless battle against cyberattacks, much of the attention and energy has been focused on technical solutions, regulatory compliance, and balancing risks with opportunities.

What about corporate governance? What role does executive and board-level oversight play in ensuring robust cybersecurity … and what role should it play?

When most of us think of corporate governance, we tend to associate it with such business functions as financial integrity, hiring practices, legal and regulatory assurance, and corporate strategy. But the increasingly critical and complex issues presented by cybersecurity have now risen to the point where cybersecurity must be a core component of an overarching corporate governance framework.

And that is happening not a moment too soon.

For instance, there is increasing evidence that boards are playing catch-up when it comes to prioritizing cybersecurity as a vital governance issue. A 2018 global study of more than 1,000 board members conducted by McKinsey indicated that cybersecurity was a “potential business disruption” topic on the agendas of only 37% of boards. The good news is that this figure represents a nearly 50% increase in just the past two years; the bad news is that cybersecurity remains a dangerously weak area of understanding for boards in assessing its potential impact on business operations. In fact, only 9% of board-member respondents said their boards had a “very good” understanding of cybersecurity’s potential for impacting business operations.¹

Let me give you a real-world example of this disconnect. A large, Asia-based supply chain company asked our firm to do a thorough penetration test of their networks as part of what they assumed would be a routine due diligence exercise. But we discovered that an expensive monitoring solution was not achieving its intended goals and was not being properly managed. It quickly became clear that an attacker could have gained full control of the network, including full access to the CEO’s system, and had the potential to badly damage business partners’ systems. Leadership was shocked to learn this, prompting an urgent rethinking of how to restructure cyber governance and remove reliance on the internal IT team to solve security problems.

This is why leadership, both among C-level executives and in the boardroom, has to step up in making cybersecurity a more prominent element in corporate governance. But how?

I believe there are four major areas where corporate governance needs to evolve when it comes to cybersecurity:
• Inverting the cybersecurity leadership responsibilities.
• Adopting and “living” the right cybersecurity framework.
• Addressing the organizational structure.
• Getting smarter so business leaders can ask the right questions.

Inverting the Cybersecurity Leadership Responsibilities

One of the biggest problems is that cybersecurity has traditionally been designed with a bottom-up approach. In that model, individuals tasked with securing IT systems identified technical solutions to protect the infrastructure, applications, and data. Organizations spent untold billions of dollars on technology, only to find that it wasn’t enough to stem the impact of expanded threats, increased vulnerabilities, and innovative attackers.

This brings to mind a popular adage: When every problem looks like a nail, every solution must be a hammer.

This bottom-up mindset brought about cybersecurity defense, detection, and response policies that were developed around technical tools, without considering the business needs or operational implications. Metrics were developed that told the CSO how many attacks were blocked and from what sources, while the real focus needed to be “Which attacks weren’t blocked; which parts of the business were impacted; and what were the financial, legal, regulatory, and reputational costs?”

Instead, the cybersecurity governance model needs to be inverted to a top-down approach. This is the essential definition of organizational leadership:
• Understand and identify the challenges and opportunities.
• Establish priorities.
• Promote collaboration and innovation around solutions.
• Lead by example.

Leadership needs a full, transparent, and real-time understanding of the risks faced and the measures in place to protect the organization. If that information is not being clearly communicated to the C-suite and the board, then leadership needs to find ways to ensure the right information is provided, typically by the CISO or CIO in today’s corporate frameworks—or find someone else who will.

If implemented correctly, a top-down governance framework will reduce the organization’s exposure to most threats and provide a mature, defensible, and flexible structure for protecting sensitive data. It will also help to ensure compliance, establish good legal protections, and encourage good cybersecurity hygiene among employees, partners, and suppliers.

Adopting and “Living” the Right Security Framework

Security frameworks are important because they embrace the full set of issues necessary for good cybersecurity: business operations, legal, regulatory, risk management, and technical processes.

While there are numerous good frameworks available for leadership to evaluate—and keep in mind that all frameworks should be adapted to each organization’s unique business conditions, operating procedures, and priorities—the most relevant and actionable one comes from the U.S. National Institute of Standards and Technology (NIST). This voluntary framework, the NIST Cybersecurity Framework (CSF), is the most broadly accepted and most widely implemented around the world, and has its foundation in five core functions:
• Identify the assets to be protected.
• Protect those assets with the proper safeguards.
• Detect incidents quickly, reliably, and comprehensively.
• Respond to incidents in a way that minimizes their impact.
• Recover from incidents and restore business operations as soon and as completely as possible.

Note that the 2024 revision of the framework, CSF 2.0, adds a sixth function, Govern, which makes the governance emphasis of this chapter explicit.

There are plenty of actionable steps and best practices organizations can and should deploy in their cybersecurity governance model, such as assuring that appropriate security patches have been applied, end-of-life systems have been deactivated, and strong encryption and access control tools have been put in place and are being used. Still, those are technical solutions, most typically handled by the security and IT organizations.

The real power of the NIST model from a governance standpoint is that it creates an opportunity—or, depending on your sense of urgency, an obligation—to provide a flexible framework that executives and board members can internally mandate and use to hold business units accountable. The importance of the NIST Framework as a tool of self-assessment is that it places cybersecurity objectives in the context of the organization’s overall business objectives. The framework’s inherent flexibility guides business leaders and the technical management responsible for cybersecurity to focus on actions that will best position their organizations to manage their unique cyber risk, and to direct resources to areas where they can be most impactful to the business.

Addressing the Organizational Structure

It has often been said that you can learn a lot about any organization’s priorities by looking at their org chart. This is becoming more and more true every day in the realm of cybersecurity governance.

Increasingly, corporate leaders are driving change by rethinking and realigning who is responsible for cybersecurity and how the role is positioned within the enterprise. For instance, the idea that physical security, internal investigations, and cybersecurity should be merged into a single organization reporting directly to the board is gaining in popularity, and has many advantages. Independence is an important motivation for this approach, of course, but it also facilitates a more complete approach to security that takes into account people, business functions, priorities, and technical factors.

There is little question that announcements of changes in reporting structures make people sit up and take notice. Some of that is office politics, but much of it centers on the notion of what—and who—is gaining importance within the organization.

Elsewhere in this book, there are some excellent recommendations on how to identify and hire the best possible CSO in order to keep with a vigilant governance model for cybersecurity that ties business and technical requirements. In the chapter from executive search firm Heidrick & Struggles, the authors offered some clear-headed advice:

“Boards need to exercise even more diligence than ever when determining who to hire, how to structure their roles and responsibilities, where to look to recruit them, and which tradeoffs are appropriate to make in order to land the best possible candidate.”

And Adobe CSO Brad Arkin offered helpful advice to boards and C-suite executives: Listen closely to how your cybersecurity leader talks about problems and solutions. His pragmatic takeaway: If you’re getting a lot of technical jargon instead of framing the discussion around business goals, you’re talking to the wrong person.

Getting Smarter So Business Leaders Can Ask the Right Questions

As has been emphasized repeatedly throughout this book, security is a business issue, not a technical one. While we need the right technology tools to identify threats, protect against them, and remediate their impact, cybersecurity practices and policies must be planned, measured, and governed against business benchmarks.

Doing that requires strong, vocal, visible, and constant support from business leaders and the board. But it also necessitates that top management and board members put more energy and resources against expanding their own knowledge about cybersecurity’s impact on their business.

Remember: You can’t get the right answers if you ask the wrong questions. Or, in the context of this chapter, you can’t govern if you don’t know what you’re supposed to be governing.

Now, no one is suggesting that the CFO or the head of marketing go back to school to get an advanced degree in cybersecurity, or that every board member has to pass a Security+ certification test. But the days of leaving cybersecurity responsibility to the technical people are long past. Regulations and legislation have changed the accountability quotient, and as we’ve seen too many times, an organization’s very reputation—which has been carefully honed and crafted over decades with untold sums of money—can unravel after a cybersecurity glitch.

Some people have gone as far as to recommend that every board should have at least one member with extensive cybersecurity expertise in order to “keep the CSO honest.” That concept may have some merit, but it still involves most board members and executive leaders turning to the “one wise man or woman in the room.”

Business leaders and board members don’t simply default to the CFO when a financial crisis hits, and they don’t just assume the chief legal officer or outside counsel has everything covered when an embarrassing lawsuit pops up. In those and other scenarios, executives and board members jump in with both feet because, among other reasons, corporate governance demands that they do.

The same is now true with cybersecurity.

One of the important ways business leaders can get smarter and ask better questions is to have a commonly used prism of business issues through which cybersecurity issues can be analyzed, discussed, and acted on. For instance, discussions with the CSO on topics such as distributed denial-of-service attacks should be centered on how the business was impacted in areas such as downtime, lost productivity, revenue, and profit impact, and whether cybersecurity investment priorities should be re-examined.



Of course, this is a two-way street. Not only do board members and business leaders need to take steps to better educate themselves on cyber issues, but CSOs and other technical leaders need to re-imagine and re-engineer how and what they present to the business side. Things that have often been taken for granted, such as how a CSO’s PowerPoint presentations look or why an organization is changing its policy for using public cloud services, must always be framed in a business perspective—ideally one that aligns with the organization’s core values and business priorities.

What Boards Should Do Now

What should boards be doing in order to receive regular, appropriate security metrics around monitoring and detection?

First, the board needs to understand what cyber threats exist inside their organizations. A good starting point would be to obtain a report on current cyber threats impacting their industry and some recommended safeguards. Importantly, a search of any data on the Dark Web—passwords, personal data, confidential documents, or financial documents—that have already been exposed should be conducted by a reliable third party, and mitigation controls put in place (at a minimum, resetting any exposed credentials and requiring multi-factor authentication on the accounts involved).

Second, keep in mind that employees are almost always targeted for attacks. Board members need to receive regular updates on the level of staff security awareness through steps like controlled phishing exercises. The board also must ask if management is fully committed to this kind of organizational cyber hygiene in order to emphasize the importance of good security habits.

Third, internal and external resources should be deployed to regularly hunt for threats already on the networks but undetected, rather than simply relying on metrics around detected security events. Experience has shown us that attackers are often already inside networks for many months before real damage takes place. These hunts should be based on actionable intelligence and real-world knowledge of current threats.

Conclusion

Corporate governance has changed a lot in recent years, driven by such issues as increased regulatory oversight, more active and involved board members, and a need to apply healthy doses of both skepticism and support in an increasingly complex business environment.

And cybersecurity may be the single biggest thing to reshape corporate governance in decades.

Unfortunately, we still don’t have enough clarity for actionable advice that corporate leaders can implement from the word go to help ensure the security of their organization and its data. But taking a more business-centric, inclusive, top-down approach to cybersecurity corporate governance will take us a long way toward achieving our respective organizations’ goals. When cybersecurity is considered as a business issue, rather than isolated as a technical problem that has to be solved by technical people using technical tools, we will have a much greater chance for success.

¹ “A time for boards to act,” McKinsey, March 2018.



PART 3
Make Sure You’re Covered Today
Part 3 — Introductions
22
Welcome to the Frontlines of
Business and Cybersecurity
Pablo Emilio Tamez López — Chief Information Security Officer,
Tecnológico de Monterrey

Digital transformation. The Internet of Things. Big data analytics. Cloud computing. Artificial intelligence. Machine learning. Somehow, we have come to think of these innovations as the future, the defining technologies of the next iteration of business, and the foundation for what the World Economic Forum aptly describes as the Fourth Industrial Revolution.

Guess what? The future is now.

Every one of those technologies is in practical use today. Type a search on Google, and you’ll immediately see ads related to that search. It happens automatically—you might even say surreptitiously. All of the underlying technologies and business models that are transforming our world act like an invisible hand guiding almost everything we do in the Digital Age.

But take a second to look at it from the other side. From the perspective of our adversaries, those who would harm us for profit, geopolitical warfare, ego, or even just to create mischief. For them, digital transformation, the IoT, and big data analytics mean a greater attack surface. For them, cloud computing, AI, and machine learning are simply more weapons to use against us—and more sophisticated ones at that.

The situation has the potential to become more precarious in the near future, unless we act now, as leaders, to address it. Consumers and enterprises are spending more and more on IoT and mobile devices. The growth is exponential—with all of these connected devices generating information and, on the other hand, adding incremental attack surfaces. CISOs must understand this evolving risk environment, how to handle this data, and how to protect their assets. So, it is very important to implement adaptive and scalable technologies for this growing attack surface, either in the cloud or in the physical data center.

Now’s the Time to Act

I share this viewpoint not to create fear or cause alarm, but to make sure we are all aware of today’s reality and urgency. The audience for this book, Navigating the Digital Age, Second Edition, represents leaders in business, academia, and government who are not only directly affected by cybercrime, but are empowered to do something about it.

In Part 1 of this treatise, we focused on the future. In Part 2, we focused on lessons learned from the recent past and today’s world. In Part 3, we focus on applying those lessons—what is happening now, how we can address today’s rapidly evolving threat landscape, and, perhaps most importantly, how we can prepare for what is coming next.

Business leaders and board members are in a unique position, approving investments, guiding the vision for digital transformation, striving to build environments where innovation and opportunity can flourish. That also means being at the frontlines of cybersecurity.

You don’t have to be a technology wizard to understand the vital role that cybersecurity plays in business today—or to provide leadership for your organization. In fact, as many of our authors express, you must provide leadership. If not you, then who?

For too long, it seems, our adversaries have been one step ahead of us. Now is the time to reverse that trend and put them on the defensive, make it more difficult, costly, and risky for them to attack our data, privacy, elections, infrastructure, business operations, or wherever else they may seek to expose vulnerabilities.

Making Sure We Are Covered Today—and Tomorrow

How do we do that? What can we do now to make sure we’re covered today and also build the right foundations—in people, processes, and technologies—to give us the best chance of protecting our future and fulfilling the promise of the Fourth Industrial Revolution?

Many of the answers to these profound, provocative, and paramount questions are contained in the chapters ahead. In Part 3 of Navigating the Digital Age, Second Edition, we hear from leaders across the cybersecurity spectrum—business executives, government officials, legal experts, technologists, chief information security officers, and others.

Each author shares his or her individual experiences to collectively create a compelling guide designed to spur action, communication, and innovation. The hope is that organizations of all sizes, locations, and industries can leverage the wisdom and practical advice contained in Part 3 to become better prepared to successfully navigate the challenges of the Digital Age. Some of the ideas that are sure to resonate include:
• Trust: How do we ensure that trust is no longer an issue for users?
• Communications: How do we get business and cybersecurity leaders on the same page, speaking the same language?
• Regulations: How do businesses work cohesively with regulators?
• Technology: How can the good guys leverage technology innovation to thwart the bad guys?
• Preparation: How can we prepare for attacks and limit the damage if a successful attack takes place?
• Business enablement: How can we transform cybersecurity from business risk to business advantage?

Conclusion

We’ve come a long way in a short period of time to reach the critical juncture in the Digital Age that is now before us. Many of the organizations that are using connected digital technologies to redefine industries weren’t even in business as recently as 10 years ago. Now some have valuations in the billions of dollars.



At a time when our world is moving so quickly, when digital technology is transforming our lives and work, we must ensure that cybersecurity does not stop our progress. That’s why today, this moment, is a critical time in our journey. If we are to move forward safely in the Digital Age, we must make sure we are covered today. When it comes to addressing the challenges of cybersecurity, our future is now.



23
In Today’s World, Every Company Is a Cybersecurity Company
Mark Anderson — President, Palo Alto Networks

The theme of this third and final part of Navigating the Digital Age, Second Edition, is “Make Sure You’re Covered Today.” In the pages ahead, you will read about technologies, regulations, communications, processes, and people. You will hear from leaders who have been through breaches, helped draft regulations, developed innovative cybersecurity solutions, and remain at the forefront of driving progress in a vast number of ways.

As you forge ahead, both in reading the remaining chapters in this book and in addressing the cybersecurity challenges facing you as a leader in your organization, I would urge you to keep one thing in mind: If your organization is stuck in legacy constructs, if you are doing things the same way you did them five years ago, or even two years ago, it is time to reassess what you are doing. In order to make sure you are truly protected today, you must look forward to the future and not backward at the past.

Cybersecurity can’t be an afterthought. It must be built into the priorities of the business at the ground floor. Cybersecurity can’t be just about risk management. It must be about business enablement. And it can’t be the sole province of technology pros. In today’s world, everyone is responsible for cybersecurity. In particular, business leaders and board members must set an agenda and an example.

I could provide more examples, but there are many chapters preceding and succeeding this one that are quite eloquent in explaining and illuminating the cybersecurity challenges facing all of us today, whether we are in private industry, government, academia, technology, or cybersecurity. I would, however, like to share some thoughts on what business leaders can do now to move their organizations forward—making sure you are not only covered today, but are also prepared to deal with the cybersecurity challenges that loom on the near horizon.

Make Cybersecurity a Core Part of Your Business

There was a catchphrase that caught on several years ago to the effect of “Every company is a software company.” It is time to think about cybersecurity in the same way. As Mark Rasch discusses in his upcoming chapter, every aspect of the business is tied to cybersecurity because every aspect of the business is touched by digital technologies.

Cybersecurity can’t be an afterthought; it can’t be an add-on; it can’t be a silo.

Those are legacy constructs that will cripple you. Think in terms of the future state of your business. What are the outcomes that are most important? Where do you want to invest your dollars? What kind of corporate culture do you want to create? When you set those priorities and build those future constructs—especially if you are evaluating or already well on your journey to the cloud—cybersecurity must be a part of every discussion and decision. You wouldn’t think about planning your future business without considering sales, marketing, or customer service. Is cybersecurity any less important to your future and success?

Stop thinking of cybersecurity in terms of risk management or compliance, and start thinking of it as a core competency of your business—no matter what business you are in. In today’s world, every company is a cybersecurity company.

Adapt Your Organizational Structure

In order to truly make cybersecurity a core competency for your business—as well as a potential competitive differentiator—you may have to shake things up in your organization. Again, it’s a matter of getting rid of legacy constructs in which information technology and operational technology (OT) are typically separate silos (and “cooperation” can be made to feel like a four-letter word).

While it’s true that cybersecurity is the responsibility of everyone in the organization, it is also true that OT and IT teams have more at stake than almost everyone. They are not just users of technology solutions; they are builders. If they fail to build in the proper cybersecurity protections, they bring risk to the entire organization.

With innovations such as the Internet of Things, machine learning, and artificial intelligence, OT and IT teams are more intertwined than ever—and cybersecurity must be one of the strong bonds that tie them together. If your organization still thinks about OT and IT as separate silos, you are still mired in one of those legacy constructs we’ve been discussing.

Silos drive territorialism, and territorialism is a losing strategy for fighting today’s cybercriminals. You need all the cooperation you can get, both internally and externally. If people inside your organization aren’t collaborating, you won’t be able to ensure that you’re covered today and tomorrow. Fix it now.

Make Sure You Have the Right People—and Make Sure You Train Everyone

Look closely at the cybersecurity leaders you have in place. Are they forward-thinking? Do they like interacting with other teams and leaders across the organization? Do they emphasize training, awareness, and openness? Can they speak the language of business? Are they as comfortable in the boardroom as they are in front of a computer screen?

Today’s cybersecurity challenges require a different kind of leadership than was appropriate in the past. Fear of change can be profound, yet we are in an environment in which change is inevitable. Today’s cybersecurity leaders should be excited by change, not overwhelmed by it. The skills that might have worked well for a CISO in the past may not be the skills that will help propel your company into the future.

It’s not just about the people who are directly responsible for cybersecurity. It’s about everyone, and it’s about creating and maintaining a corporate culture in which cybersecurity is ingrained everywhere. If cybersecurity is to become a core competency for your organization, you have to treat it that way—starting at the top and extending all the way down, through every level and to every employee.

You must have a commitment to training, give your people the best tools, test them on a regular basis, measure the results, and keep track of your progress. If you’re not improving every quarter, it should feel uncomfortable, and you should start questioning if your approach to train-

• Cybersecurity-as-a-platform: Openness is critical to driving cybersecurity innovation and enabling us to keep pace with our adversaries. A platform model supports an open environment and dramatically accelerates our ability to consume innovation.

Encourage a Culture of Openness

Embracing a cybersecurity-as-a-platform
model is one aspect of leveraging openness,
ing is adequate.
but it can also go further. Another one of
When It Comes to Technology, Look the truisms that comes up time and again
Ahead, Not Behind in this book is the idea that when it comes
to cybersecurity, we are all in it together.
One factor that can really hamper organi-
We have adversaries that have no
zations is an insistence on holding on to
qualms about sharing information, tools,
older technology. If the attitude is, “We
and attack methods on the Dark Web.
paid for it, we might as well use it,” then
Shouldn’t there be an equivalent Light
you’ve got a real problem. Hanging on
Web, in which we work together to
to legacy equipment that doesn’t address
shed light on how we can all be success-
today’s threat environment is costly, ineffi-
ful, where we can talk about best prac-
cient, and likely to give you a false sense of
tices openly across various industries and
protection. And it may be exposing you to
share real-time information about emerg-
even greater risk.
ing threats?
What does a “look-ahead” technology
There is a consortium made up of more
vision look like? Here are some key elements:
than 15 different security vendors called
• Automation: It’s been said time and the Cyber Threat Alliance. This body was
again throughout the pages of this built in the spirit of openness and sharing,
book: You can’t fight machines with with the belief that no one company can
people. Our adversaries are becoming do it all. We must work together and share
more automated; we must do the same. strategies and threat data to stay ahead of
our adversaries. This organization pro-
• AI and machine learning: These are
duces playbooks, analyses, and reports for
similar to automation. Our adversaries
every member to consume and benefit
are using these technologies to their ad-
from. If your security vendors are not shar-
vantage, we must use them to defend
ing threat intelligence with the CTA, then
ourselves.
it might be time to work with one that is
• A SaaS consumption model: You can’t more open and interested in contributing
buy new tools and put them one on to our communities in this way.
top of the other. As Nir Zuk explains in
his chapter, cybersecurity needs to be Conclusion
consumed quickly, easily, and cost-ef- The days of cybersecurity as an add-on
ficiently. Software-as-a-service is an en- are gone. There’s too much at stake—and
abling technology. things are moving too quickly—for any

In Today’s World, Every Company Is a Cybersecurity Company 167


organization to remain wedded to older security must be embedded in the DNA
models of cybersecurity. Whether it’s peo- of your company to facilitate the business
ple, technology, or processes, the only way outcomes that will meet the expectations
to make sure you are covered today, is to of your customers, employees, and share-
look ahead and plan for tomorrow. Cyber- holders in the years to come.



24
How You Should Expand Your Cybersecurity Talent Pool: A Lesson of Supply and Demand
Ed Stroz — Founder and Co-President, Stroz Friedberg, an Aon company

This is a story about supply and demand. It's a story about how to address critical resource imbalances in the face of mounting global pressures, complexities, and impacts. I'm not talking about the supply and demand of economic commodities, but rather the supply and demand of the next generation of cybersecurity talent.

Almost anyone reading this book knows something about the gigantic chasm between the needs of organizations' in-house teams and of cybersecurity service providers on the one hand, and the availability of smart, creative, talented men and women on the other, to fill the more than two-million-person global cybersecurity talent gap estimated over the next few years.[1]

Undoubtedly, your CISO has pled their case for a larger budget to identify, recruit, hire, and train cybersecurity staff. You've probably listened attentively to their arguments, and you've more than likely approved at least some of their requests. However, current attempts by the cybersecurity industry to fill this gap are simply not working, and the issue is not going to be remedied by ramping up what we've been doing to date.

There are two sides to the problem: To solve our growing cybersecurity challenges and to bolster personnel resources, we need increased talent on both the supply side and the demand side. In cybersecurity circles, the supply side is made up of the third-party cybersecurity firms that provide for-hire expertise in such roles as forensic analysis, digital investigations, third-party tools development, cyber risk assessment, and threat intelligence. Across the ledger is the demand side of cybersecurity, which is made up of the consumers of those capabilities and other security tools and services, including on-staff security experts who team with both internal business stakeholders and outside cybersecurity suppliers. Both sides need to evolve the ways they define, identify, and attract sought-after talent.

Supply-Side Cybersecurity

Now, in the interest of full disclosure, our firm is one of those supply-side cybersecurity service providers. We've been fortunate to have hired a lot of very smart, talented, and dedicated men and women who have helped save our clients from potential

catastrophes; some of them have also gone on to important cybersecurity and business leadership roles on the demand side.

But I won't kid you. Despite our solid track record, it's getting harder for us to keep up with the demand for talent, and we like to think we've been pretty clever in where we look for new people and the process we go through to ready them for prime time. So we've had to update what we do, how we do it, and the kinds of people we target. You should, too.

A lot has changed for supply-side firms such as ours to make us rethink how we nurture and hire a new breed of cybersecurity professionals. Just 20 years ago, cybersecurity was a pretty immature field. A single cybersecurity practitioner could do quite a bit to help their clients because the state of the art wasn't that advanced. Maybe you had some digital forensics training, perhaps you gave expert testimony at a trial; for many supply-side firms, that was the pinnacle of their skill set, and it didn't require that big a net to find the right people.

Today, cybersecurity is a whole different ballgame. I don't have to tell you about the expanding set of threat vectors, increased vulnerabilities, intensified risk management, and the need to turn cybersecurity from a cost center into a competitive differentiator for your entire enterprise. We've had to hire more specialists, in much the same way law firms and medical practices had to diversify across different areas of unique requirements. That has meant that organizations like ours have had to create and build methodically planned approaches to bringing new skills into the organization so we can deliver more value to our customers.

But that does not mean we're just looking for more college graduates with degrees in cybersecurity or the equivalent. That approach simply won't close the gap in an era of increased cyber risk. We need new and different types of people.

That's not to say we don't need people with deep technical skills; obviously, our clients rightly expect us to have the technology chops necessary to solve a wider array of problems faster than ever. That's particularly true when you consider the tightly integrated role of information technology across all organizational functions and in situations such as controlling critical infrastructure. But it's not enough.

We've supplemented and expanded our traditional mindset to recruit people who have studied in fields such as business, economics, or law. Even college students not studying technical disciplines have taken courses in technology, and let's face it: The millennial generation is far more technology-savvy and aware of cyber risks than those of us who graduated college in the last century. And this isn't limited to recent college graduates, either. We believe there is great benefit to taking people with the right "soft skills," like good judgement, inquisitiveness, and a bias for creative, alternative solutions, and having them work alongside colleagues with deeper technical training.

Of course, we have a detailed training plan that not only covers the technology issues, but also our clients' business challenges. I can't stress how important training is for firms like ours—and for those of you on the demand side, as well. After all, you don't take a recent Yale Law graduate, as talented and as well-educated as they may be, and have them argue a case before the U.S. Supreme Court.

Naturally, we want to hire people whose skills and expertise put them in the bull's-eye of our recruiting target. But there's a lot to be said for hiring people who may be found in the ring or two just outside dead-center.



Demand-Side Cybersecurity

On the demand side—from global corporations across different industries to smaller organizations with mounting cybersecurity risks—recruiting and training the next generation of talent is just as hard, for all the reasons I cited on the supply side. In many ways, a lot of internal security organizations have been set up like in-house security service providers, treating their business users as "customers." Things like internal charge-backs and restrictive security policies and procedures further promote the idea that the cybersecurity staff is somehow "different" from the business side of the organization.

That's a mindset that has to evolve. And one of the ways I think it has to be done is by expanding the profile of who is recruited, hired, trained, and nurtured on the demand side of cybersecurity.

We need to get away from traditional definitions of internal security operations teams as the techie people. Instead, we have to position these people as business peers and colleagues charged with achieving business goals. And we have to look for new types of people whose prioritized skills include business acumen, a problem-solving mindset, an ability to balance risk and opportunity, and just really sound judgement. That may be found in your latest cybersecurity graduate student … but it might not.

Similar to what's happening on the supply side, the demand-side cybersecurity gap should be filled with more businesspeople. Having technical skills is, of course, great and necessary. But it shouldn't be a bar to limit the potential talent pool. On the demand side, you already probably have a wealth of technical talent, and you probably already hire some external security service providers for specialized expertise.

Demand-side organizations should place a higher emphasis on identifying and recruiting problem solvers with business expertise; you can always backstop them with people who can dissect botnets or use automated monitoring tools to spot advanced persistent threats.

Not only is there more ability for demand-side organizations to look for a new breed of cybersecurity specialists from non-traditional backgrounds, I believe it is essential to do so. The harsh truth is that most businesspeople have worked in organizations that have been struck by a data breach, a distributed denial-of-service attack, or a ransomware demand. They understand far too well the impact of these and other threats on business outcomes, and they also know how some security policies, such as requiring everyone to change their passwords monthly, lack the operational context needed to reduce user friction and improve business agility. (Forced monthly rotation is a telling example: NIST's 2017 digital identity guidelines, SP 800-63B, advise against requiring periodic password changes absent evidence of compromise, precisely because the friction buys little security.)

Remember what I said earlier about supply-side firms such as ours broadening our target audiences a ring or two away from the bull's-eye? The applicable rings can and should be expanded a bit further on the demand side. In fact, real-world experiences tell us that being too immersed on the technical side of a solution can prevent you from seeing the real enterprise-level issues. It's a bit like medicine; in recent years, doctors have received criticism for treating the symptoms, but not the patient. They feel they are curing cancer, but they need to also cure the person lying in the bed.

I also talked about the growing specialization in cybersecurity, just as the case has been in fields like medicine and law. And while that's true on the supply side, I think we need more generalists on the demand side. When I say generalists, I obviously don't mean people who are technical Luddites, but I do mean people who focus more on finding new ways to spot and solve problems, typically in close collaboration with business colleagues and technical specialists.

So How Do You Do It?

As business leaders, you can't just sit back and wait for your CISO to come in with yet another request for bigger college recruiting budgets or authorization to increase staff salaries to raid other organizations' experienced staff and to protect the ones you already have. Instead, there are a lot of things you can and should do proactively to build your pipeline of cybersecurity talent.

Whether you're on the demand side or the supply side, it's time to rethink the kinds of people you seek to fill your yawning cybersecurity talent gap, or how to identify and retrain non-cyber-specialists to take on new roles.

Hire smart. Start by identifying smart people—even those without deep technical expertise. You can teach smart people enough technical detail so they can have good discussions with their more technically astute colleagues. But your best and brightest security engineer by themselves may not make much of a difference in your bottom line if they either don't have a grounding in business skills or don't have a good business mentor. Smart people will always find a way to figure it out.

Culture matters. Your organizational culture is vital in determining (A) if you can retain your good people, (B) if you can attract good people from the outside, and (C) if you can position your cybersecurity people as trusted peers who care about improving the organization's business performance, rather than just hunting bugs. Value these people, reward them, involve them in early-stage business planning, and treat them like they are vitally important. They are.

Create a diverse ecosystem of talent and skills. You need a web of relationships and abilities to solve the increasingly diverse and head-scratching challenges of cybersecurity. The new breed of cybersecurity talent is going to come more and more from disciplines like law, economics, statistics, accounting, operations, and finance—and you need them tightly integrated with smart, technical talent from both inside and outside the organization.

Value experience, not just expertise. Think about how many times you sat in a boardroom discussing a problem. Didn't you often gravitate toward the man or woman in the group who had lived through that problem before? This kind of experience is invaluable in cybersecurity; could your organization learn something from a business professional who worked at places like Sony, Target, or Equifax during their times of crisis?

Redraw your bull's-eye. Ask your heads of HR and cybersecurity to sit down and look at all the job descriptions of your open spots, and have them think how to redefine those roles in light of the rapidly changing cybersecurity landscape. Your "ideal" job candidate should probably look and act differently today and in the near future than they did even a few short years ago.

Don't worry (so much) about the cost. Hiring cybersecurity talent is expensive. So is fighting the aftereffects of a breach. In order to get a return on investment, you need to first invest. Not everyone is looking to face off salary offers against each other; some people just want to know they work in a place that values their input and their contribution, offers them the best chance to succeed at their job, and makes them proud to be part of the organization.

[1] "The Fast-Growing Job With a Huge Skills Gap: Cyber Security," Forbes, March 2017.



Language

25
How to Articulate the Business Value of Cybersecurity
Mark Rasch — Cybersecurity and Privacy Attorney

Every aspect of business today has an IT security component. Every business relationship, product, hiring decision, and marketing program. Every customer interaction, communication, product design, and executive decision. Keep going: supply chain management, manufacturing, distribution, customer service. And more: finance, human resources, insurance, product safety, worker safety, and employee collaboration.

In fact, anyone reading this book would be hard-pressed to come up with a single business activity that is not, in some vital way, connected to a computer or computer network—and, therefore, to cybersecurity.

Yet, in far too many cases, we think of cybersecurity the same way a compliance officer sees cybersecurity—as a necessary evil. General counsel sees it as a cost associated with contractual or other compliance. Chief risk officers may take a risk-based approach to cybersecurity spending. Those involved in insurance or loss prevention may see cybersecurity and its related concepts of data protection and privacy protection as a potential loss to be managed.

All of these approaches lead to inadequate attention to resources and management for cybersecurity. If the goal of cybersecurity is simply to prevent a reportable breach of personal data, then a company will likely do only the bare minimum to prevent or mitigate such a breach. If the goal is merely to comply with a legal or regulatory standard, then we will do no more than necessary to say that we have, in good faith, complied.

In the competition for scarce corporate or government resources—money, technology, people, and attention—we still fail to think of cybersecurity in terms of how we can use it to empower and differentiate the business. And we still tend to judge our chief information security officers (CISOs) and other security professionals based not on how well they've propelled the business forward, but on how many phishing attacks they've deflected.

Something's got to give. We have to shift our perspective and make sure we are talking and thinking about cybersecurity in a language that ties into the goals of the business: profitability, customer retention, corporate culture, brand reputation, and product innovation. And we have to create new ways of measuring the effectiveness of our cybersecurity teams. When you

look at the concept of cybersecurity strictly through the lens of preventing harm, it will only get you so far. It's not that risk mitigation is a bad thing. But when it comes to cybersecurity, it can't be the only thing.

What can we do to change the language, adapt the cybersecurity culture, and shift our perspective? How can we modernize the way we look at cybersecurity to appropriately address today's rapidly changing world? I thought you would never ask.

Where We've Come From; Where We're Going

Compare the workplace of the 1960s with that of the 2010s. Think Mad Men, the U.S. television series that faithfully depicts the former era. Lots of low-wage, moderately trained workers moving mail, typing, filing, taking stenography. Pools of secretaries, rows of clerks, people in the mailroom. Fast forward to today. Those jobs are all gone.

You now have IT and security professionals who have, in effect, replaced those people. IT director, CISO, CIO; these are all jobs that didn't exist in the 1960s. Instead of 20 secretaries and 30 clerks making low wages, we now have a handful of people making higher wages. Only, we're far more heavily dependent on them—and the technologies they provide for us.

But this progress has resulted in what could be called "tyranny of the technologists," wherein technology becomes our greatest asset and our greatest potential liability. The goal of computer security is not to secure computers; securing computers is easy—unplug them and lock them up. The goal of security is information security as part of overall information management. And the goal of information management is business enablement.

If you manufacture widgets, you need IT for everything, from payroll and internal communications to business process flow, supply chain management, manufacturing automation, marketing, sales, HR, recruiting, and customer interface. Rather than asking how infosec can ensure compliance, CISOs need to ask how responsible security practices can enable new efficiencies, products, services, and customers.

The CISO needs to align metrics and goals with those of the core business. Thus, the CISO can show how an effective VPN solution empowers telecommuting, which reduces downtime and promotes efficiency and—guess what—sells more widgets. A secure virtualization platform enables the mobile workforce and customers to access their data, which promotes customer satisfaction and—wait for it—sells widgets. A secure payment system permits online ordering and—you guessed it—sells widgets. Security empowers sales, promotes efficiencies, and enables business processes that enhance products, cut costs, and, oh yeah, also ensures compliance and risk reduction. But mostly, it sells widgets.

With technology embedded in your business, you can adopt new business models. You can have a third of your workforce working from home and still maintain a critical mass of workers, social engagement, and collaboration. You can provide dedicated service to customers at any time from any location in the world. You can connect your supply chains in a constant loop of real-time information and advanced analytics. You can do virtually anything you can imagine, as we've seen with companies such as Uber and Airbnb, which have leveraged connected technologies to disrupt decades-old business models.

In reality, however, you can only do those things if the connections and flow

of data are secure. That means cybersecurity becomes an enabler—of collaboration, efficiency, productivity, agility, cost reduction, product development, innovation. Security enables the organization to drive revenue and profits through the exploitation of data in new ways. Back in the Mad Men days, once you made the sale, the hard work was done. Now, the sale is just the start of the relationship. Data collection, storage, and analytics become critically important—as does security.

Aligning Cybersecurity With Business Objectives

If the end game is to align cybersecurity strategies and investments with business objectives, most companies are still discovering how to make the leap. Part of the challenge has to do with the metrics we use to measure CISO performance.

This becomes a problem when we build our budgets based on hardware as opposed to value; when we measure cybersecurity performance on criteria that have nothing to do with the actual risk mitigated or the overall value provided to the business. Have we done a good job if we prevent 98% of the attacks, but the 2% we miss are devastating? If we stop 90%, but the 10% have zero impact, have we done a bad job?

When it comes to budgeting and metrics for cybersecurity, we often fail to place the right value on the things we value most highly as a business. Part of the problem here is the "stovepiping" of data security: too many, or more accurately, too many different, chiefs. We have a chief privacy officer, chief information officer, chief information security officer, chief risk officer, chief executive officer, etc. Each "chief" has his or her own domain to protect—often with overlapping responsibilities. Each chief believes that her problems or solutions are the most critical for the company.

The CEO—and ultimately the board of directors—has to balance these competing concerns. Recent SEC guidance in the U.S. has suggested that cybersecurity needs to be a primary concern of the board of directors of a company, and that those responsible for cybersecurity should report directly (or more directly) to the CEO and the board, who should be periodically briefed on the company's security status.

But before such briefings are going to be effective, the CISO and security personnel need to learn how to speak the language of the CEO and board—or educate them on speaking the language of the security personnel.

As a community, we still haven't figured out how to value certain essential aspects of our businesses, particularly when it comes to cybersecurity. I would suggest that most organizations are comfortable placing a value on tasks such as data collection, processing, and analytics, but struggle to place a value on something more esoteric, such as privacy.

We don't value privacy because we don't place a value on privacy. Sure, we can assess the cost of a data breach. We can say a breach will cost $15 per record, that we have 100,000 records, and that therefore a breach will cost $1.5 million. This helps, but it is imperfect.

We need to develop the right metrics for valuing privacy, because if we don't put a dollar value on it, it means we don't value protecting it. We measure privacy based on the cost of not protecting it, rather than the value of it intrinsically. Privacy protection—real and abiding privacy protection—promotes confidence. Confidence promotes trust. Trust promotes sales. And sales promote the CISO.



Focusing on Business Enablement

Outside the cybersecurity realm, business enablement is typically a factor in just about every decision. Say the company is considering opening a plant in a country where it has never before done business. Management will address a series of questions: What are the risks? Is the government stable? Is there sufficient electricity and transportation? Is there a large enough pool of workers? How will this decision affect our profitability, revenue growth, customer relationships, and partner relationships?

Cybersecurity must be included in each of those discussions. Does the country have cybersecurity laws? Does it prosecute cybercriminals? What are the data retention requirements? Can we safely do business on the internet? Can we hire cybersecurity professionals in the region? Is there a legal structure that will protect the confidentiality of our data? Will law enforcement work with us if we are attacked? Can we get appropriate insurance? Are our partners reliable, and will they protect our data?

We should go a step further and attach a cybersecurity component to everything that gives the company value. When we develop a new product, we have to embed decisions about what data is collected, how that data flows through the service, how it is secured and monitored, how we will manage secure payments, and what the risks are associated with data loss.

The same is true with privacy. We treat security and privacy as separate concerns at our own peril. While you can be secure without protecting privacy (you can securely violate privacy rights), you cannot protect privacy without security. This is the principle behind "privacy by design" requirements in government contracting and in data privacy laws.

It means looking at products, services, solutions, and new technologies and asking: What data is being collected? How is it being collected? What is the impact of collecting, storing, and processing this data? How is the data to be used? How long will this data live? From a security standpoint, it means asking: Who has access to the data? How do I audit access to the data? Is the data encrypted or otherwise secured, either in whole or in part? How do I protect data confidentiality, integrity, and availability?

If business enablement is the goal, then we have to use the language of business. Security reduces costs because it increases the efficiency of moving data and enabling collaboration. Security accelerates speed to market, which means we can make more profit. Security empowers us to do things routinely today that we couldn't have done a few years ago. Security enables us to hire the best people because we are not limited by geographic constraints. Security allows sales and marketing to leverage analytics and be more responsive to customer needs.

The Language of Business Enablement

We shouldn't stop talking about risk mitigation and regulatory compliance. These will always be critical to the success of our cybersecurity teams. But if CISOs start talking about reducing the overall risk to the company, they will be far more effective in speaking the language of business.

How do we change the conversation? Here are some suggestions for IT security professionals:

1. Closely examine the overall objectives of the business. Determine how the security function fits with what the business does and how it operates. Develop a framework for articulating the role cybersecurity plays in

key business functions—hiring, operations, sales, marketing, distribution, etc.

2. Look ahead. Where is the company going, and how can cybersecurity be a business enabler? Is the company looking to leverage robotics, the IoT, artificial intelligence, big data analytics? Is it looking to break into new global markets? Perhaps there is a new security technology that will enable the company to do something it couldn't before. Let security drive the conversation.

3. Take a more expansive view of the regulatory environment. Perhaps your organization is not operating in the European Union now, so there's a sense you don't have to worry about GDPR. But you may have business partners doing business in Europe; you might decide to open offices there; you may collect data there. (And GDPR's territorial scope, set out in its Article 3, already reaches organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU.) Be aware, be comprehensive, be expansive. Don't look at privacy as a separate discussion, but embed it in your security posture.

4. Talk business. Focus on sales, profits, innovation, corporate culture. If the security team does a great job and there are no breaches, what will motivate corporate management to invest more in security? The selling point shouldn't be that nothing happened; it should be that security enabled and empowered the business to achieve these specific quantifiable and measurable results.

[…] a CISO can effectively quantify the value of risk mitigation, he or she can be more articulate and insightful in explaining overall return on investment. You truly change the conversation when you attach real numbers to risk mitigation and combine that with values associated with profits, sales, speed to market, hiring, product development, and improved operational efficiencies.

Conclusion

Business enablement through cybersecurity is not an option in the Digital Age. It is a fact of life in doing business. If you are involved with other companies, they will demand that you have a comprehensive cybersecurity program. Failure to have one means you won't be able to do business, period. However, if you merely place cybersecurity in the bucket of either "cost of doing business" or "risk mitigation," you may be missing the real opportunity at hand.

Cybersecurity can and should be about driving revenue, achieving greater profitability, attracting and retaining new customers, operating more efficiently, empowering innovation, hiring the best people, transforming the workplace. Only when we think of cybersecurity in those terms can we truly leverage the power of the Digital Age.

If the only thing we're trying to do is not fail, that doesn't necessarily mean we're going to succeed. It's time to transform our language, mindset, and perspective. When
it comes to cybersecurity, whether we are
5. Quantify the value of risk reduc-
on the board, in the C-suite, or on the
tion. At some point, the conversa-
frontlines, we should all be speaking the
tion will inevitably turn to risk. When
language of business enablement.

How to Articulate the Business Value of Cybersecurity 179


26
Language, Please: How You Talk to
Boards and Executives Can Make or
Break Your Cybersecurity
James Shira

It’s 4 a.m. on a quiet Sunday, and your Hong Kong office is suddenly offline. A fringe political group has hacked the local electrical grid, cutting off power to fans and cooling systems in the local data center. All production systems are down.

The result: Your global banking operations are not available. Dead. Not functioning. And the organization is bleeding money by the second.

As your organization’s CISO, you get that panicky, middle-of-the-night call you often have nightmares about, and the cybersecurity playbook that was so neatly designed and prepared six months ago goes into effect. With good planning and tight execution, the disaster recovery and business continuity plans are enabled—hopefully automatically—and everyone jumps to attention to find the source of the problem, remediate it, and stanch the damage.

As you contact your boss to let them know what’s happened and that a catastrophe has been averted, remember this: What you say next may be the most important step toward ensuring the organization is secure—as well as your career.

What you say to the business leaders of your organization—and how you deliver the message—must give them confidence that you:

• Know what happened.
• Know how it happened.
• Can determine and measure the impact on the business.
• Have a clear, defensible recommendation to ensure it doesn’t happen again.

And you can’t do that with a litany of technical terms, jargon, and “Don’t worry, I’ve got this covered.”

Cybersecurity Is Not a Technology. Don’t Talk About It That Way.

Unfortunately, the scenario sketched out above is occurring far too frequently—and often with an unhappy ending. Too many organizations treat cybersecurity as a technical problem, one that is ideally addressed by technical people applying technical solutions to technical threats. And too many CISOs talk about cybersecurity with a technical voice, not with one of a respected business operator.

Cybersecurity isn’t about firewalls, intrusion detection, authentication, malware prevention, or even threat intelligence. Oh, those are all important components of a good cybersecurity framework. But CISOs often fail—and their organizations suffer as a result—when they look at cybersecurity solely through a technology lens and talk about it that way to business leaders.

Instead, I strongly urge—no, I implore—you to rethink how you, as your organization’s firewall against cyber risk, talk to C-suite business executives and boards about cybersecurity. Your language has to help bridge the gap between the technical underpinnings and the business implications. And the first thing you need to know is that it is not the responsibility of the CEO or the board to come to you and tell you what they want to know. It’s on you.

You must take the first step—and the second, third, and however many it takes—to close that gap of knowledge for the non-technical executives. And you can’t do that without arriving at a common language for communication.

For instance, let’s go back to our nightmare scenario at the beginning of this chapter. When the CEO or a board member asks you, “What happened?” it’s important not to talk about unanticipated data exfiltration, buffer overloads, or IRC-controlled botnets. Instead, your reply should focus on the business implications of operational missteps or technical failures, such as loss of online banking services for two hours, which resulted in spikes to our call centers and a 4% loss of revenue.

As a CISO, you must operationalize cybersecurity from a business perspective, rather than through a technical lens. You must describe the problems the organization is confronting in plain language that is rooted in business outcomes. You must be able to monitor, measure, and improve those outcomes, and it is up to you to turn cybersecurity into a strategic discussion, rather than a technical reaction to a problem none of them truly understand.

The words you choose, and how you communicate with the board and other business leaders, will be some of the most important steps you can take toward becoming viewed as a business operator in the same way the heads of functional areas, such as finance, operations, marketing, legal, and others, are regarded. If you don’t use the right language, you will not be successful as a CISO.

Preparing Your Audience

In working with many CISOs in both the private and public sectors, I’ve learned that good communication, based on the most appropriate language, is aided significantly by following a familiar refrain: Know your audience.

As a CISO, you have to talk to a lot of different decision makers, colleagues, and influencers throughout the organization. So it helps to understand how best to get through to your audiences. One important way is to ask yourself if you are talking to someone who is a “reader” or a “listener.”

A reader is someone who takes in information visually, reading position papers, case studies, situational analyses, and status updates before a board meeting or a gathering of executive staff. The reader comes prepared for the meeting, having armed themselves beforehand with pertinent facts, opinions, and options, and is ready to discuss options and consequences.

By comparison, a listener likes personalized discussions, often one-on-one, with the CISO so they can hear from you directly and ask questions as they are processing what you are telling them. With listeners, it’s a good idea to have private pre-meetings, so they are prepared for the broader discussion with their peers.

You know the saying, “All politics is local”? Well, a good CISO should remember that “all communication is personal.” So be prepared to tailor your language to the needs of the person who is processing what you’re telling them.

The Power of Language

Interestingly, one place where cyber professionals and non-technical leaders have understood this requirement and have taken important steps to operationalize cybersecurity through language is the U.S. military. Security has been pulled into the normal chain of command so it’s part of the core set of functions undertaken by the U.S. military branch. It’s not an IT activity that resides on the edge of the operational framework; instead of talking about “information assurance,” everyone speaks the language of “mission assurance.”

How else can the CISO use the right language in the right context to be viewed as a true business operator, rather than as a technical guru?

First, don’t give in to many business executives’ stereotype of the CISO as a technical kingpin, perhaps a little eccentric, and probably biased toward technology solutions that fail to account for business realities. This means you should minimize acronyms, avoid hyperbole, steer clear of run-on sentences, and focus on how cyber risk affects business operations.

Second, understand your organization’s business environment as well as the heads of any business function. Become knowledgeable and articulate in issues such as competitive strengths and weaknesses, customer behavior, sales and profit trends, distribution channels, and branding considerations.

Third, build professional ties with colleagues based on personal empathy. Learn your colleagues’ business challenges and frame your cybersecurity discussions and recommendations in their terms. Talk about how an investment you recommend will increase e-commerce application availability by 20%, ensuring that the organization won’t bleed revenue like its competitor did last week when its ordering platform went down for two hours. Or talk about how a modernized data protection approach will make it easier and faster for the legal department to produce documents during the discovery phase of a lawsuit.

Finally, remember that you must back up your words and “own the fix.” When you talk to your board about a recommendation for a cybersecurity investment or new policy, take ownership of implementation and accountability: “With your support, I am prepared to do the following.” You can’t be the person who opines on what to do but isn’t prepared to own it.

Language Skills Will Be a Prime Requirement for the CISO of the Future

It’s natural for us to play to our strengths as we conduct ourselves in business every day. After all, our strengths are what got us to this place. If a CISO sees himself or herself as the cybersecurity technical guru, they will talk that talk and walk that walk.

But I’m seeing important new trends in how CISOs are being put in place. For instance, I fully expect that more and more CISOs will come from top MBA programs, rather than from computer science programs. I also expect the CISO to be trained, mentored, and recruited internally, within organizations from non-technical disciplines such as finance, operations, and even sales and marketing.

That’s because the CISO of the future is going to need to have stronger business skills and, especially, greater communications skills to build the coalitions and collaborations necessary to have the technical and non-technical disciplines work together. Without them, organizations will struggle to properly and proactively identify sources of risk, weigh the possible solutions, evaluate their impact on the business operations, and make difficult decisions on factors other than the best technical fix.

The communications skills are going to be particularly important as the CISO acts as a “translator” between the technical and business sides, as well as communicates up to the CEO and the board about balancing business opportunity with business risk. To make knowledge power, you have to make it understandable. In security, too often we’ve made it less understandable. The lack of technical knowledge of your audience, such as the CEO and the board, means they have to trust the person presenting the technical issues to them, which often means they miss the opportunity to ask the right questions that could avert a disaster down the road.

In the context of cybersecurity, great communication skills are required to promote better, faster, and more impactful decision making. The most specific things a CISO needs to communicate, clearly and compellingly, revolve around the need for appropriate investment, the requirement for shared ownership of cyber issues, and a bias for action in a time of crisis. Raising your game in communications is essential in order to move cybersecurity from a reactive mode to a proactive, strategic discipline.

Ultimately, the CISO needs to be the general manager of the full spectrum of security—not only information security, but physical security as well. Again, this is where having a CISO with strong business skills—communications, prioritization, political acumen, delegation, and collaboration—comes in handy. As CISO, you need to demonstrate managerial DNA, which highlights a comfort level with assuming operational responsibility for security.

And here’s something else to keep in mind—something potentially controversial: Many current CISOs, as well as candidates for that job, don’t want operational ownership.

Many CISOs still see their role as providing technical leadership in the areas related to information security. For them, it’s about firewalls and advanced persistent threats and identity management. Too many “traditional” CISOs learned their craft at a different time, when security threats were often well known and their business impact limited.

No longer. And any CISO who dodges operational responsibility and the tight integration with all business functions within the organization does so at their own peril.

To be a successful CISO from this day on, you can’t cringe before power. You must hold the organization accountable for a smarter, more effective balance between risk and innovation. And, you can’t act like you’re the only one in the room who understands the bits and bytes. You don’t want to be seen as a CISO who is so comfortable lapsing into the next hype cycle.

Finally, remember that the most successful CISO is “prepared for why.” Sitting in a boardroom, or having lunch with the CEO, you may be prepared to argue for new investments in tools, training, or staff. You may have compelling data to highlight a problem or anticipate the next threat. As important as those are, you will not succeed unless, and until, you are able to articulate the reasons why your recommendation makes sense. And the people who make those decisions are going to demand that you can defend your recommendations; they are not in the habit of giving you what you want because you dazzled them with your technical brilliance.

Elsewhere in this book, USAA Chief Security Officer Gary McAlum uses a particularly apt way of describing how to close the gap between what a CSO says and what the business executive or board member hears. He calls it “So what?” and he explains that everyone must be ready to explain the business significance of any problem, recommendation, or course of action to ensure rock-solid cybersecurity.

Your “why” must be concise, sober, and grounded in business benefits that are in lockstep with the organization’s strategic goals. If not, freshen up that resumé.

Conclusion

In Part 1 of this book, SAP Chief Security Officer Justin Somaini told a very important story about how he set out to build strong relationships—and foster credibility—with business colleagues by asking to join SAP’s sales organization.

Justin’s rationale was brilliant: “Protecting the company from security breaches and ensuring compliance is actually not a very good description of my job, nor the job of my peers and colleagues around the globe … How could I enable sales if I didn’t understand sales?”

As a CISO, it’s important to step back and acknowledge that, at the end of the day, your job is to ensure that your organization achieves its most important goals. You may do that by reducing and managing cybersecurity risk, just as the head of sales may do that by creating new sales channels or the head of logistics streamlines global supply chains. It’s a means to an end—not an end itself.
27
Using the Right Evidence to Make
the Right Cybersecurity Decisions
Mischel Kwon — Founder and Chief Executive Officer, MKACyber

Security: It’s been an evolution. At times, cybersecurity leaders have struggled to tell the story, because it’s complicated. Moreover, we have to tell this story throughout the organization to executives who have vastly different levels of technical understanding and vastly different leadership priorities.

Too often in the past, security professionals have largely told the story of fear. We have also told the story of right and wrong, black and white. Don’t get me wrong: The story is often scary. But this approach has backfired, because it isolated the security team’s good, analytical thinking and kept smart people out of vital business conversations.

We know security professionals need to change the way they talk to business leaders, because we need to gain the trust of those leaders. We in security are contributors to digital business and facilitators of new sources of digital revenue. We need to participate in this conversation, and to do that, we have to take an evidence-based approach to those talks.

If we look at classic business decisions, they are made by analyzing facts—usually based on some statistical analysis, and measured by metrics. For years, security professionals have said that this is nearly impossible. So instead of providing meaningful measures and metrics, we have told stories of adversaries and attacks. Although this part of the story is inarguably important, it is not the part of the story that will help businesses understand how to make the right cybersecurity decisions.

Business leaders need security professionals to provide real, meaningful evidence—not descriptions of how bad the malware is, its country of origin, or what the user did to get infected. Statistics from IT and security must be viewed, analyzed, and presented in a way in which leaders can understand the risks. Subjectively made security decisions must give way to truly objective ideas, programs, and policies—based on quantifiable threats and risks—in a way that will seem familiar to business executives.

So why hasn’t this been done before? Security executives focused on educating non-technical colleagues, but lacked the necessary data to generate meaningful metrics to measure cybersecurity. Times, however, have changed. Today, our IT systems, which often aren’t even on our networks, but in the cloud, are more important to the business than ever. They are the backbone of digital revenue. Both the chief information officer’s (CIO) and the chief information security officer’s (CISO) responsibilities have changed from roles of delivery to roles that contribute to the top and bottom lines. As these roles have changed, so must the presentations of the work done or needed to be done by the security team.

Security executives must standardize their approaches to illustrate what is happening in cyber by embracing an organized reporting methodology. The need to tell stories and continually educate will ultimately diminish. It won’t take long to set the expectation that cybersecurity reporting will be almost entirely focused on those systems, people, and data that are at high risk. Messages must be expressed as use cases, rather than the scarier term of “attack type.” The CISO and their team should avoid discussing fear-inducing things that are irrelevant to the organization’s business models and threat profiles.

Security and business executives, together, must embrace this use case organization, from high-level reporting all the way down to the data living in and transiting your network. It will change the security organization, because everything will have to be mapped to these use cases: the reporting, the security controls, the tooling, the analyst processes, and, yes, the data itself. This approach will spawn a rich array of statistics that, in turn, will allow organizations to measure cybersecurity and generate metrics that will ultimately provide the evidence for factual, business-like reporting.

Security leaders who follow this blueprint are simply taking a lesson from their business brethren, trying to understand what leadership actually wants to know, and presenting them with the facts they need to hear so they can understand the business’s risk. Let’s just look for a moment at the chief financial officer (CFO) role. They use key performance indicators to report on liquidity, productivity, and profitability. How do we as security professionals present this picture for cybersecurity? State of technology, security spend, and risk. If you look at liquidity for a finance person, this is basically the state of cash. Cash is king in running a business. If you translate this to cybersecurity, then we’re talking about the state of technology, where data is king. Security spend can be articulated by use case, illustrating how spending on technology and people improves security capabilities or diminishes exposure to risk, which has historically been articulated based on compliance.

Aligning everything, including security controls, to use cases will enable data-based facts to enter into compliance and risk reporting. It is critical to understand what use cases are affecting which systems and, therefore, how certain parts of the business and revenue are impacted by cyberattacks. If your security leadership can articulate this, then reporting cybersecurity matters up to the executives and the board will become much easier and more systematic. It will become much clearer that certain business areas are being impacted by security incidents, which systems are being targeted, which use cases are causing the most problems, where you are improving, and where there are gaps. Business executives should expect the CISO and cybersecurity teams to always provide recommendations for improvements in reporting, and to show the ways security is working collaboratively with IT, legal, and the other business segments to improve these measurable indicators of security progress.

There are, of course, challenges to this approach. It will be difficult to get access to the requisite data to establish this objective reporting methodology. It can also be difficult to map these various data to their corresponding use cases, but there is a tried-and-true method that we call the Maturity Model Matrix Assessment, which enables cybersecurity organizations to understand, and see if they have access to, the actual IT data in the correct format and in the correct place that is needed in order to detect each use case.

If you map the data you need to monitor each use case and to determine their effect on the organization, you will quickly determine you do not have access to some of the data you need and that your tooling doesn’t always align with what you want to be doing from a security perspective. You have to see this as a good thing. Moving away from shiny-object syndrome, from spending frivolously on the latest and greatest tools, will be a wonderful side benefit of organizing and aligning IT and security data. As business leaders, you may have asked for this data before from your IT organization, but failed to receive it, because systems may not have been architected in a way to detect these use cases.

This assessment model is a near-perfect way to elevate these issues in a factual, unemotional, non-confrontational way. It’s almost entirely certain that tooling, architecture, and process corrections will need to be made in the quest for use case–based detection. That’s why I always recommend starting with a visibility project roadmap. You can then report on the execution of this roadmap and then slowly, as you become more mature, you can begin replacing roadmap updates with real, use case–based security reporting.

Nirvana comes when your threat intelligence and the defensive content created for the security architecture and security information and event management (SIEM) system is all tagged by use case, when you are able to map tactics, techniques, and procedures (TTPs) to indicators of compromise (IoCs) and, when needed, further map these to the relevant Common Vulnerabilities and Exposures (CVE) identifiers. With everything organized, you can really prioritize your vulnerability scanning, narrow down the threats you need to be looking for, and map the security controls to each of the problematic CVEs. Then you’ll have a truly complete picture. Once all of this mapping is complete, you can measure the statistics and arrive at something new—operational compliance.

Use cases become your true key performance indicators—your evidence—and they aren’t arrived at by conducting reviews, audits, or interviews but by analyzing data. Ideally, you will have a dashboard where you can see system hygiene, business risk, and use-case detection, essentially demonstrating where you are weak and how you can improve, charting your progress over time.

Maintaining access to the data you need can be a challenge in this new world of data center–driven networks that look very little like the in-house enterprise networks in traditional organizations. This kind of resource distribution is a challenge, and it means, more than ever, that security is a team sport, where cybersecurity experts partner with other business units to ensure proper network visibility. The assessment model, therefore, should be a regular (I recommend quarterly) event, where you can assess or reassess your access to the business’s expanding array of technologies, whether they’re on premises, in the cloud, or some enterprise app someone else built for you.
Let’s use a hypothetical healthcare organization—a conglomerate of hospitals, researchers, physicians’ operations, and educators—as an example. They would report on high-risk use cases such as ransomware, data exfiltration, distributed denial-of-service (DDoS) attacks, phishing, and malware. They have one network where the four businesses live. Segmentation is non-existent, and they are detecting incidents based on intrusion detection system (IDS) alerts. They have a large number of Health Insurance Portability and Accountability Act (HIPAA) findings that have nothing to do with the actual incidents they are facing. This seems like an impossible situation, a firefight where they will run out of water and, inevitably, the CISO will lose his or her job. We have heard or experienced this situation many times.

Their first action should have been to identify the use cases. Then they could review the vulnerability scans and map them to the IoCs that were mapped to the use cases that they were looking to detect. This would enable them to focus in on the highest priority use cases. They could then map the data in their SIEM to the use cases through the assessment model, which would show them where they are missing critical data. With the CIO’s team, they could review all of their tooling, the state of their architecture, and put a roadmap together that would lead them to full use case monitoring. They would inevitably find massive savings in re-aligning their tooling to support use cases. The CIO and CISO could work on the architecture and tooling to improve visibility, detection, and their ability to measure these. Until they have clear use cases to report on, the duo would instead report on their architecture improvement.

Once the security team is able to detect by use case, they can then report not only what they are able to detect but also on where they are blind, demonstrating their overall capabilities and how they can be improved. When a lack of visibility hinders their detection capability, they could signify as much in their event ticketing and keep statistics on these blind spots. This, in turn, would be useful data in their detection capability reporting. Once they mapped their vulnerability scans with their IoCs, CVEs, and security controls, the focus of their audits changed too, focusing on that which is high-risk and requires more immediate fixing.

In the end, their reporting would come from the actual function of the organization: the agreement on the use cases and the alignment of goals across the organization. This methodology would allow clear and meaningful reporting at all levels of the organization, based on facts, data, statistics, metrics, and improvement.

Over time, this hypothetical healthcare organization would reap many benefits. The improved architecture could eventually lead to a better-segmented network. They could migrate certain aspects of their business to the cloud. They would be able to work as a team, supporting the business as it corrected its spending on IT and security tooling. They would also be able to eventually report to the board together, offering a single, all-encompassing technology report.

This is truly a story of more than just reporting and evidence. This is a story of aligning the organization, organizing security, and ensuring that the requisite data is available for the security team to make fact-based, impactful remediation recommendations. The byproduct of this is that leadership can feel confident that they are making the right cybersecurity decisions—based on real, measurable data—for their digital business.
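The use-case-to-telemetry matrix, the blind-spot statistics kept in ticketing, and the check for CVEs with no mapped control, as described for the hypothetical healthcare organization above, worked through as an added Python example (not MKACyber's Maturity Model Matrix Assessment or any code from this chapter); every use case, data source, CVE identifier and ticket below is constructed sample data.

```python
"""Use-case visibility assessment in the spirit of the chapter's matrix idea.
Added example; not MKACyber's tool. All use cases, telemetry sources,
CVE ids (CVE-EXAMPLE-*) and tickets are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Telemetry:
    """A data source a use case needs, in the format and at the place
    (collection point) where the detection logic can actually read it."""
    source: str
    fmt: str
    location: str


@dataclass
class UseCase:
    name: str
    business_risk: int                  # 1 (low) .. 5 (high), agreed with the business
    requires: Tuple[Telemetry, ...]
    cves: Tuple[str, ...] = ()          # CVEs the use case's TTPs/IoCs map to
    controls: Dict[str, str] = field(default_factory=dict)  # CVE -> mitigating control


SIEM = "siem"
# Constructed inventory for the hypothetical healthcare organization.
USE_CASES: List[UseCase] = [
    UseCase("ransomware", 5,
            (Telemetry("endpoint_process", "json", SIEM),
             Telemetry("file_share_audit", "evtx", SIEM)),
            cves=("CVE-EXAMPLE-1",), controls={"CVE-EXAMPLE-1": "patch SMB servers"}),
    UseCase("data_exfiltration", 5,
            (Telemetry("netflow", "ipfix", SIEM), Telemetry("dns_query", "json", SIEM))),
    UseCase("ddos", 3, (Telemetry("netflow", "ipfix", SIEM),)),
    UseCase("phishing", 4,
            (Telemetry("mail_gateway", "csv", SIEM),
             Telemetry("endpoint_process", "json", SIEM)),
            cves=("CVE-EXAMPLE-2",)),                      # no control mapped yet
    UseCase("malware", 4,
            (Telemetry("endpoint_process", "json", SIEM),
             Telemetry("ids_alert", "syslog", SIEM)),
            cves=("CVE-EXAMPLE-1", "CVE-EXAMPLE-2"),
            controls={"CVE-EXAMPLE-1": "patch SMB servers"}),
]

# What the SIEM really receives today. Mail-gateway logs exist, but land on a
# file share, so for detection purposes they are not available.
AVAILABLE: Set[Telemetry] = {
    Telemetry("ids_alert", "syslog", SIEM),
    Telemetry("endpoint_process", "json", SIEM),
    Telemetry("netflow", "ipfix", SIEM),
    Telemetry("mail_gateway", "csv", "file_share"),
}

# Constructed incident tickets; analysts flag a ticket as a blind spot when
# the use case was found by some means other than SIEM detection.
TICKETS = [
    {"id": "INC-1", "use_case": "malware", "blind_spot": False},
    {"id": "INC-2", "use_case": "phishing", "blind_spot": True},
    {"id": "INC-3", "use_case": "phishing", "blind_spot": True},
    {"id": "INC-4", "use_case": "ddos", "blind_spot": False},
    {"id": "INC-5", "use_case": "ransomware", "blind_spot": True},
]


def assess(use_cases: Iterable[UseCase],
           available: Set[Telemetry]) -> Dict[str, Tuple[bool, Tuple[Telemetry, ...]]]:
    """Per use case: (detectable?, telemetry still missing). A source counts
    only when it matches in name, format and location, the matrix's three axes."""
    result = {}
    for uc in use_cases:
        missing = tuple(t for t in uc.requires if t not in available)
        result[uc.name] = (not missing, missing)
    return result


def visibility_roadmap(use_cases: Iterable[UseCase],
                       available: Set[Telemetry]) -> List[Tuple[Telemetry, int]]:
    """Missing sources ranked by the business risk of the use cases they block:
    the order in which to fix visibility first."""
    score: Dict[Telemetry, int] = defaultdict(int)
    for uc in use_cases:
        for t in uc.requires:
            if t not in available:
                score[t] += uc.business_risk
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0].source))


def unmapped_cves(use_cases: Iterable[UseCase]) -> Set[str]:
    """CVEs tied to a use case but with no mitigating control recorded."""
    return {c for uc in use_cases for c in uc.cves if c not in uc.controls}


def blind_spot_stats(tickets: Iterable[dict]) -> Dict[str, Tuple[int, int]]:
    """Per use case: (incidents, incidents that were blind spots)."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for t in tickets:
        stats[t["use_case"]][0] += 1
        stats[t["use_case"]][1] += int(t["blind_spot"])
    return {k: (v[0], v[1]) for k, v in stats.items()}


if __name__ == "__main__":
    for name, (ok, missing) in assess(USE_CASES, AVAILABLE).items():
        print(f"{name:18} {'detectable' if ok else 'BLIND':10} missing={[m.source for m in missing]}")
    print("roadmap:", [(t.source, s) for t, s in visibility_roadmap(USE_CASES, AVAILABLE)])
    print("CVEs without control:", sorted(unmapped_cves(USE_CASES)))
    print("blind-spot stats:", blind_spot_stats(TICKETS))
```

The roadmap and blind-spot tables are the two numbers a board can follow quarter over quarter: how many high-risk use cases are still undetectable, and how often incidents were found despite, not because of, the SIEM.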
28
Building Empathy and Trust Among
CISOs and Business Leaders
Brad Arkin — Vice President and Chief Security Officer, Adobe

The hallmarks of a great relationship are trust and confidence. That's true whether we're talking about business, geopolitical, or personal relationships—they all require a strong sense of trust and confidence in order to take root and thrive. And building trust and confidence in a relationship revolves heavily around the notion that all parties must develop a strong sense of empathy for how others feel and what they need. Could you imagine how negotiations between businesses would fare without a sense of empathy? Or between spouses?

The same is true in cybersecurity, where efforts often succeed or fail based on the state of the relationship between CISOs and their business colleagues, particularly in the C-suite and the boardroom. After all, technology comes and goes, threats evolve, and strategies are often redrawn in response to new vulnerabilities and changing business priorities.

But without open, honest, and two-way communication between the technical and business leaders, empathy will be impossible to achieve. And without a relationship built on empathy, progress toward optimal cybersecurity readiness will be fleeting, at best. How do we do it?

Bridging the Gap

Just think: if a major security incident occurs, who will be the one explaining it to the high-level business executives in the room? Questions could be as simple as, "Have you checked all the servers to ensure they are set up right?" This is where the security executive would need to patiently explain that there are hundreds of thousands of servers around the world; an older Excel spreadsheet tops out at about 65,000 rows. To help develop a sense of empathy, security executives will want to find a way to bridge the gap between what the business leaders know and what they need to know in order for us to make smart decisions together. And unless we find a way past certain knowledge and language barriers, we will be stuck in this no-man's land of mistrust and misunderstanding.

Technical details overwhelm and confuse non-technical executives, so it is often best to avoid having technical discussions. An alternative to technical discussions is the use of analogies, where one can take the unfamiliar and convert it into something non-technical that business leaders and board members are more familiar with. For example, in an attempt to stay away from the minutiae of security, one analogy that can be utilized is that of home renovations—something many people are very familiar with. The homeowner doesn't need to know what tool the contractor used, or what he did to meet the engineer's requirements to align with local zoning regulations. What the contractor needs to do is give the homeowner a sense that their work achieved the homeowner's goals—more open space, modernized design, bigger closets. It's all about giving them a feeling of confidence and trust that the contractor did the job properly—making it more likely they will do business again in the future.

Looking Out for Warning Signs

What happens when the C-suite and board don't trust the CISO to have security practices and policies that reflect business goals and realities? Aside from some potentially uncomfortable conversations, there's a lot of confusion on all sides about the status of the organization's cybersecurity readiness. This reality often inhibits decisions on security budgets, governance and oversight responsibilities, the state of compliance issues, and legal exposure—topics business leaders do not want to spend their time, money, and energy on.

For business executives and board members, there are some common red flags to recognize. For instance, business executives may hear members of different functions pushing back on the CISO's policies, like the engineering team fighting the CISO's recommendations on substantial security features to be built into their latest widget. The non-technical leader may not have the ability to sort out which side is right, but that level of observable friction becomes a big problem in the executive's mind. If the security leader is asking for reasonable things—and if empathy has resulted in trust and confidence between the negotiating CISO and engineering leader—then you're far less likely to observe friction. That doesn't mean the engineers won't grumble a bit, but they probably won't claim the CISO is an idiot.

Another tell-tale sign of a lack of trust between the technical and non-technical sides on security issues is when the security leader can't construct a clear narrative around how proposed investments align with desired business outcomes. If your CISO comes to you asking for a big check, and the first words out of their mouth are that they need it to reduce MTTR to sub-2 hours after a botnet attack, no one is going to feel like the CISO "gets it." But if they frame their request in something understandable and relevant, like, "The most recent regulation guidelines require us to notify regulators and affected parties in the event of a breach of personal information, so we need to upgrade to these monitoring and reporting tools," the board is going to understand. And more important for the long term of the cybersecurity "relationship," it will lay the groundwork for an air of trust because everyone will have exhibited some empathy. The business side understands that the CISO needs this in order to keep the organization protected, compliant, and insulated against legal and brand damage, and the CISO feels the business leaders take him or her seriously and respect their recommendations.

Ultimately, the board and C-suite have to feel that the CISO is concerned with business results rather than trying to sneak in what they want by layering in a lot of technical jargon. If the senior leadership doesn't get that feeling, they're going to realize fast they are talking to the wrong person.

Building a Language of Empathy: It's Not Just What You Say, but Also What You Do

Everyone's heard the saying, "Actions speak louder than words." Well, what we say is obviously important as a way of helping someone build a sense of empathy, ultimately leading to trust and confidence. But non-verbal language counts for a lot—probably more than people realize.

An obvious example of non-verbal communication that can either elevate or undermine the CISO is the reporting structure. If the CISO reports to the CIO, you're saying, "Security is a technology issue, best left to the techies." But if the CISO reports to the COO or CEO, or if they have dotted-line access to the board, that makes a profound statement to everyone that cybersecurity is a business issue. And, by the way, it reinforces that notion back to the CISO, who now has more confidence that the board gets it, too.

There are other forms of non-verbal communication that build trust and confidence. Governance structures, budget approval, and financial oversight are just a few examples. And then there are others that are less tangible—but no less meaningful.

Here at Adobe, we use the term "executive presence" to describe someone who carries themselves with confidence and who projects an air of gravitas. I wish I had known how important that was when I was a 25-year-old technical nerd, without good communication skills and not particularly adept at translating what I wanted to say to the level and language of my audience. It was as if I was talking to myself—not a good thing for one's career, and not a good way to demonstrate empathy.

In their interactions with CISOs, business leaders want to see that they are prepared, that they are on top of any issues, that they have the confidence in themselves and their teams to be able to answer clearly, concisely, and in business language. And business leaders should be extremely wary of CISOs who try to bluff their way through an answer to a tough question. It's far better for the CISO to simply say, "I don't know. But I can get that information for you."

If your CISO is a bundle of nerves or is overly excitable after discovering a security event, that is not going to reassure business executives and board members that they've got it covered. As we all know, business leaders are like good poker players: They look for any "tell," any subtle sign of insecurity or confusion, that they're not getting the full story.

How Do You Recognize Success?

The signs of a successful relationship are often easy to spot: A long marriage with a lot of expressions of love and respect between people who like spending time together. An historic peace treaty between long-standing enemies. A political compromise that crosses party lines for the good of a nation.

There are similar measures for success in building a trustful relationship between the CISO and the business leadership—and some of these are as intangible as the very notion of empathy.

For instance, when your CISO has established and maintains the respect of business peers and organizational leaders, you'll be able to "feel" the confidence bestowed upon the CISO for the work they're doing.

That shows up in things like colleagues including the CISO in their business planning meetings (without being directed to do so by the CEO), or doing joint presentations to the board on the delivery of new business services. When the board members see Tom and Mary standing up in front of the room, easily playing off each other and finishing each other's sentences, they'll immediately feel more confident in their CISO and their relationship with the business side.

Of course, the CISO also has to deliver the goods. They have to make sure they are actually protecting the organization against undesired results, and when bad things do happen—as they inevitably will—your CISO must take the right steps to ensure things don't spiral out of control.

To facilitate those kinds of results, we can identify a few important steps that have to happen along the way in order for that sense of trust and confidence to develop and grow.

• Does the CISO make the kind of rational arguments for security investments that allow the board to say yes, even to large requests?
• Is proper security being implemented across the organization, not just in the data center or the SOC?
• Can the CISO get the access they need to escalate matters? Are they "clicking" with their peers, as well as with executives and board members?
• Do executives feel a need to micromanage the CISO (and not just because they may be obsessive micromanagers)?

Finally, there are some hard metrics that we all recognize: How fast can your CISO identify the existence of a threat, close up a vulnerability, and remediate the problem? How much money do they contribute to the bottom line by keeping systems and applications up and running, or by ensuring customer confidence in new services?

But even those have to be weighed against "soft" actions, such as how they conduct post-mortems after a breach, or whether they can convince development teams to design security into their new products before they are released.

Speaking the Language of Trust, Confidence, and Empathy

In all relationships, there often are crossroads where things can go the right way or the wrong way. Maybe a couple faces financial difficulty, forcing them to weigh some very tough choices about where to cut back. Or perhaps an inadvertent border flare-up sparks tensions between long-standing enemies who are just coming to grips with their new status as peaceful neighbors.

Cybersecurity is the same way. There will always be security incidents, breaches, high-profile ransomware attacks, and other potentially devastating events that will test the very nature of the relationship between business leaders and their CISOs.

What all parties do to build iron-clad trust and confidence will depend largely on their ability to establish a feeling of empathy: Yes, things may look bad now, but I trust you, and I know you trust me.

Strategy
29
To Get Ahead of Cybersecurity Threats,
Focus on Preparedness and Sustainability
Heather King — Chief Operating Officer, Cyber Threat Alliance
Megan Stifel — Attorney; Founder, Silicon Harbor Consultants;
Cybersecurity Policy Director, Public Knowledge

Everyone understands natural disasters are inevitable. Hurricanes, tornados, flash floods, wildfires, and other extreme weather conditions happen frequently and at different levels of severity, and the economic, human, and social impacts can be enormous, if not deadly. So it's imperative that representatives from all parts of the community share the responsibility to prepare for the onslaught of any threat or hazard. Ultimately, greater individual and organizational preparedness contributes to a stronger, more resilient community. Doing that means everyone has to get out ahead of the problem, prepare for a wide range of potential challenges, and ensure that protective actions and defensive measures can be sustained in wave after wave of potential disasters.

Wave after wave of potential disasters: Sounds like the current state of cybersecurity, doesn't it?

We all have to rethink our strategies to ensure our organizations and our communities can achieve and maintain a stronger state of cybersecurity. And those strategies must be built on resiliency, and subsequently, the twin pillars of preparedness and sustainability. Unless leaders move toward a mindset that emphasizes long-term planning and sustainable cyber-resilience, informed by the lessons learned from any given event, we will continue to fall further and further behind.

In no other institutional function would we accept such a downward trend without meaningful change. If company sales and profits were trending down, we'd find a way to plan and execute a sustainable path to financial health. If our house was repeatedly robbed, we'd either get an alarm system or we'd move. And if a country's economic and social position deteriorated, we'd look at things like job training, educational opportunities, import/export strategies, and an entire array of policies and programs.

But far too many organizations realize too late that they are behind the curve when it comes to cybersecurity, and yet they continue to cling to outdated, inefficient, reactionary, and ultimately unsuccessful approaches. Since all organizations experience incidents or intrusions, it's not surprising that many chief information security officers often feel overwhelmed by the sheer volume of actions necessary to better prepare.

It's time for a change.

Preparedness and Sustainability

Many organizations still view cybersecurity through a perimeter security lens, where the focus is on securing the network against intruders—an outdated castle-and-moat approach. Too many organizations have built cybersecurity defenses focused on addressing individual problems or reacting to specific threats. Unfortunately, that has created numerous cybersecurity silos and stovepipes—a solution for advanced persistent threats, another for mobile malware, another for phishing, and still others for threats in specific geographies or vertical industries. Intruders and malicious insiders exploit the seams and gaps this approach creates. Thus, it is inefficient, ineffective, and not sustainable.

Today, we must dramatically expand the focus of cybersecurity, so we can not only secure our networks but also secure the products and services we provide to other businesses, organizations, and individuals. And we're not just talking about the influx of tens of billions of connected things—it's nearly every aspect of how we work and interact using technology. Moreover, changing our strategies means a transformation in how we think about and approach doing business. For instance, instead of "first to market," think of it as "secure to market," putting a premium on providing the most secure products and services. At the heart of our recommendations on how to improve cyber resilience are the concepts of preparedness and sustainability.

By preparedness, we mean getting out in front not only of today's cyber risks, but also anticipating what may be coming next. Together, these steps help organizations determine the potential business impact of cyber risks, and enable them to put in place heightened business continuity plans and incident response plans that are tested through training and exercises and updated regularly—not just after the latest incident.

The concept of sustainability is intricately tied to preparedness because it also recognizes the need to engage today in order to ensure the same or better opportunities tomorrow. Sustainability management expands the aperture of a company's product—whether hardware, software, or service—from the moment just before it goes to market to the point at which the company expends resources toward the product. Companies adopting sustainability management practices work across business lines to assess supply chains, interoperability and scale, consumer engagement, and regulatory compliance to ensure what goes to market today will withstand tomorrow's challenges and that the product's lifecycle is fully understood.

An organization's cybersecurity preparation must be sustained over time in the face of new threat vectors and rapidly changing business requirements. It is like shifting your thinking about the business processes that support the enterprise from an IT-acquisition view to extending supply chain risk management across your entire business operations—truly knowing who your vendors are and who they rely on, knowing your product's lifecycle and how you will support it throughout, from managing vulnerabilities and patching to data collection, retention, and use.

The harsh reality is that our business leaders are far too optimistic about their organizations' current state of cybersecurity resilience. As a result, they often fail to see the upside of developing cybersecurity strategies in the same way they develop long-term product roadmaps or multi-year market development programs. Ultimately, organizations should be integrating cybersecurity into these and other business operations. Leaders still too often see cybersecurity as a cost of doing business rather than as a step toward improving customer experience, enhancing workforce productivity, maintaining trust with customers, or protecting the organization's brand.

To counter this mindset, business leaders and board members need to replace the all-too-prevalent "what is this going to cost us?" reaction to cybersecurity measures with "how can cybersecurity investments improve our business competitiveness and deliver a better ROI?"

To support such a shift, we need a more holistic approach to cybersecurity, which is informed by successful approaches from other disciplines, including preparedness and sustainability. When our organizations are prepared for as many eventualities as we can imagine, and when we take the long view about securing the organization and its digital assets, we begin to reassert control over the challenges confronting us.

Moreover, adopting sustainable business management practices has helped organizations achieve higher profits, in addition to improved environmental, social, and governance ratings. It stands to reason that organizations that adopt a broader vision toward sustainable cybersecurity practices can do things like anticipate and adapt to changing threat vectors more quickly and effectively, because their cybersecurity framework is built on holistic preparation, agility, and an ability to scale their programs as conditions change. A sustainability-framed approach to cybersecurity enables these resilient characteristics because it is shaped not only by lifecycle, enterprise, and supply chain risk management, but also by user interaction and anticipated experience.

Rethinking and Re-architecting the Approach to Cybersecurity

Experience has taught us all that information sharing is fundamental to an organization's ability to build a new cybersecurity strategy upon the concepts of preparedness and sustainability. No sole organization can spot, react to, and remediate the impact of risks in real time on its own. Without a commitment by organizational leadership to collaborate with colleagues, partners, and even competitors to share relevant threat information, we will continue to fall behind malicious actors.

At the Cyber Threat Alliance, we recognize that information sharing supports an organization's preparedness efforts, and ultimately, its resilience. In fact, information sharing—whether human-to-human or near real-time automated machine-to-machine—demonstrates an organization's confidence in its own products and services. Moreover, what matters is no longer how much data an organization has access to, but what its products can do with that data. Furthermore, it communicates a realization that the threat is growing exponentially, that organizations can no longer tackle these threats individually, and that we have a shared responsibility to share information from our different perspectives and confront the challenges facing the digital ecosystem.

For instance, through its members, CTA enables near-real-time actionable cyber threat and incident information sharing among highly competitive cybersecurity providers. These competitors have voluntarily come together to improve the cybersecurity of the digital ecosystem in an effort to better prepare and protect customers, and ideally, achieve a more digitally resilient world. They all believe this collaboration will improve their profitability, not weaken it. Further, CTA's information sharing facilitates analysis aimed at disrupting malicious actors, enabling more effective and collective defense actions, and forcing adversaries to invest time and money in new infrastructure and in how they do business.

A good application of information sharing as a preparedness action is VPNFilter in May 2018. Cisco's Talos Group, one of CTA's founding members along with Palo Alto Networks, Fortinet, Check Point, McAfee, and Symantec, notified CTA of the VPNFilter threat that was targeting network equipment all over the world, and shared their analysis and malware samples with CTA members. As a result of the incident information sharing done through CTA, all of CTA's members were able to rapidly develop protections and mitigations for their customers and quickly counter the threat.

Moreover, as Megan wrote in "Securing the Modern Economy: Transforming Cybersecurity Through Sustainability," reliance on technology to do both mission-critical and everyday tasks in business, at home, and in our communities will only accelerate. Without a commitment to organizational preparedness and sustainability, organizations, individuals, and the internet ecosystem will be put at greater risk as we are exposed to more and more public instances of information security problems: "Maintaining public trust in technology relies, in significant part, on all stakeholders maintaining cybersecurity."1

As organizations commit to a cybersecurity mindset based on preparedness and sustainability, executives and boards must challenge each other to rethink their most basic assumptions about technology usage and cybersecurity resilience. For instance, they must:

1. Make cybersecurity a C-suite priority with their active participation. A number of chapters have talked about why cybersecurity should be a C-suite priority. But the C-suite's active participation is critical. This starts with conveying in management meetings, employee all-hands, and even your reports for publicly traded companies how seriously you regard the cybersecurity threats facing your organization and ultimately, what you're doing to prepare and sustain your organization, both when an incident or breach occurs and when you take products—services or devices—to market. As we all know on any management topic, when executive leadership prioritizes and actively engages on an issue, it delivers a sense of urgency.

2. Make cybersecurity intuitive in your day-to-day business operations. Organizations should maximize opportunities for educating and raising awareness within the workplace, so that employees better protect the organization while "on the job" and understand how they can reduce their own digital risks "off the job." Software vendors should be required to demonstrate that they have secure development processes, supported by a software bill of materials. Next, organizations should communicate what is expected of employees by requiring best practices in the enterprise environment and following product deployment, and encouraging their adoption at home. Organizations can develop "cyber civics" programs that emphasize using two-factor authentication and password managers, thinking before clicking on suspicious links, and being cautious about what they post online about themselves and their families' status and activities (e.g., limiting communications about travel).

3. Recognize that cybersecurity underpins all business operations. As Siân John of Microsoft points out in this book, security is a business problem, not an IT problem. Therefore, it's important to remember that a great risk management framework integrates technical solutions with business goals. Putting security first in all business operations enhances confidence in the processes that develop products and services, which results in better products and services that support the brand and ultimately leads to increased profits. Failing to incorporate security throughout the organization risks the confidentiality, integrity, accuracy, and authenticity not only of information within the enterprise, but also of the very products the organization depends upon to earn a profit.

4. Inform your approach to cybersecurity planning with worst-case scenario consequences. Consider not just the enterprise network, but also everything it depends upon (vendors, employees, power, physical structures) and everything that attaches to it when assessing cybersecurity risk. In addition to adopting the Cybersecurity Framework promulgated by the National Institute of Standards and Technology to manage enterprise risk, get incident response and continuity plans in order, practice them regularly, and update plans, policies, and processes appropriately. Acquisition and plans must be collaboratively developed by all business functions within the organization, not just by the CISO. And don't forget to include product and service security upgradability and patching in these "doomsday" scenarios.

5. Actively participate in an information-sharing organization … or two. Business leaders often struggle to get past their innate discomfort at sharing information with others. But as indicated earlier in this chapter, in the rapidly evolving cybersecurity landscape, this reluctance can no longer be tolerated. Invest now in learning some best practices about what, when, where, and how to share information, because going it alone is no longer an option. Sherri Ramsay says it clearly in her chapter of this book: The bad guys are collaborating; why aren't we doing the same?

As you undoubtedly imagine, this kind of holistic, integrated, comprehensive, and deliberate change in the way an organization thinks and approaches its business demands the support and active participation of every organization's executive team, from the corner office to the boardroom. We've not only tried to raise awareness about the need to confront threats in a more proactive, end-to-end manner, but we've also offered tangible ways organizations can challenge their own assumptions and create more cybersecurity-resilient organizations based on the underlying pillars of preparedness and sustainability. And it's essential for executives and board members to embrace this mindset; otherwise you risk leaving your organization to expend countless resources on a defensive posture that's always going to be playing catch-up to the bad guys.

Conclusion

Too often, business leaders continue to take the castle-and-moat approach to enterprise cybersecurity. But modernizing that philosophy by adopting the preparedness and sustainability principles we've talked about in this chapter is essential because it enables executives to look around the corner and anticipate the impact of existing and emerging threats on business operations.

As we institutionalize this kind of mindset and reinforce it in our discussions and interactions with customers, investors, employees, vendors, and third parties, we take major steps toward a more resilient cybersecurity posture that is proactive, analytical, and self-reinforcing. It's like preparing for extreme weather conditions. The more you plan, and the more you put measures in place—not just for a point-in-time event but for the long term—the more routine this will all become and the more successful your organizations will ultimately be in managing cyber risk and, as a result, achieving their mission.

1 "Securing the Modern Economy," Public Knowledge, April 2018

30
Learning and Leveraging the
Wisdom of “So What?”
Gary McAlum — Chief Security Officer and Senior Vice President
for Enterprise Security, United Services Automobile Association

As cyber threats become more frequent, I don’t mean you should ignore or belit-
more sophisticated, and more impactful tle the technical expertise of your CISO
on business operations, organizations need or CIO, or disregard their requests for
to adopt a practical approach if they are to smart and even potentially large increases
make sense out of what promises to be an in security budgets. “So what?” is just the
uncertain and confusing future. lead-in for a series of questions that need
Yes, many business executives and to be properly addressed. As important
board members will convene meetings as technology solutions are in establish-
with their chief information security offi- ing stronger cybersecurity, it’s essential that
cers and other senior IT executives to con- business leaders and board members focus
sider financial investments and changes on the operational implications of cyber-
to business processes. And many of those security challenges and keep the technical
discussions will be riddled with technical issues rooted in a business context.
buzzwords and talk of things like intru-
• How is this threat impacting or how
sion detection systems, UEBA, multi-fac-
could it impact our business?
tor authentication, next-generation fire-
walls, network segmentation, and machine • How are our customers and partners
learning, just to name a few. Your top IT going to be affected?
and security experts will undoubtedly
• What are the financial, operational,
impress you with their depth of technical
regulatory, legal, and brand implica-
knowledge and give you an array of solu-
tions of the threats?
tions to “defend the perimeter” and estab-
lish “multi-layer security frameworks.” And • What is our risk exposure? What is our
every vendor has “the last piece of the puz- residual risk?
zle that you need” in your security technol-
• How will we know if we are succeeding
ogy stack to solve all your problems.
in defending our most valuable assets?
And when those buzzwords start flying
and the acronyms dominate discussions, your • How can we look around the corner at
reaction and response should be simple: what’s next?
“So what?”
203
• And the hardest question of all: How are we measuring success? In other words: So what?

How USAA Learned the Lesson of “So What?”

Several years ago, the financial services industry was attacked—not by masked thieves breaking into our vaults under the cover of darkness or by smash-and-grab robberies of our branch offices. It was a cyberattack—a distributed denial-of-service (DDoS) attack, to be precise, targeting the U.S. financial services sector. And it was a real mess.

Seemingly, no financial services organization was immune—and that includes where I worked at that time. In fact, we were hit twice. Believe me, the fact that we had plenty of company did not make it any easier for us.

As the first wave of attacks hit organizations throughout our industry, we could see the writing on the wall. The media started picking up on the attacks, so there was a daily dose of reporting and an increasing tone of fear, uncertainty, and doubt (FUD). We knew it was going to be a board-level issue, that they’d want clear answers, and they’d want them fast. So we began to prepare our presentation.

I sat down with my SecOps team, and posed an open-ended directive to them: “Give me a short presentation for the board, no more than three slides.” I knew this was a challenging request, and I felt it was a good teaching moment for my team to gather information they felt was relevant for senior leaders and to give them an opportunity to develop strategic communication skills.

I wasn’t surprised when the team came back with a technical presentation on botnets, how they occur, what they do, and all the technical considerations. There was a great deal of detail on the types of DDoS attacks that were occurring: UDP Flood, Ping of Death, NTP Amplification, HTTP Flood, etc. What the brief didn’t include was an answer to the fundamental question: So what? In essence, we were telling the board how the watch worked, but not what time it was.

It would have been easier for me to give them more explicit instructions—especially considering the sense of urgency of the moment—but I felt it was crucial for our team to see and “feel” the impact of not providing the right information in the right context. I challenged some of the leaders within my group to go out and talk to business teams, to understand the financial, operational, and reputational impact of being offline, let’s say, for eight hours. In fact, I suggested that the Business Continuation team would be a great place to start, since their annual Business Impact Analysis would be an authoritative source of valuable data.

They learned their lessons well. They came back with a tight, business-oriented presentation that was short on technical minutiae and long on business impact. By the way, it was a single slide. They boiled down the “so what” to its essence, and that’s what we presented to the board. Essentially, they answered the question, “So what if our customers can’t get to their online accounts for eight hours?” There were very definite answers pertaining to lost business, inability to service customers, impact to money movement transactions, etc. Any downtime due to the DDoS, regardless of type, was going to be a big deal. They got it.

We know they got it because we were able to easily demonstrate the business impact of not taking action in dollars and
cents, and what it would mean in terms of pain for our customers if we didn’t take stronger steps. More importantly, it allowed the conversation to change to “Are we ready to deal with this? And if not, what resources are needed?”

Creating a Culture of Cybersecurity Using a “So What” Approach

In another chapter of this book, Patric Versteeg writes compellingly about the importance of setting a strong “culture of cybersecurity” throughout an organization. I think he has hit on an important requirement, and our “so what” discussion can be applied in the area of cybersecurity culture, as well.

Using our “so what” yardstick, how can business leaders and CISOs build and nurture a culture of cybersecurity? I have a few suggestions that may work for your organization.

• Demonstrate that it is a top-down strategic initiative. Sending out memos and approving policies on good cyber hygiene are fine, but they lack “so what” impact. Your organization needs to see its leaders “walking the walk” by doing things like engaging security team members on new-product development teams from the start, rather than simply having them eyeball your new IoT initiative as it’s about to be released to the market.

• Real leadership goes beyond writing checks. Again, having business leaders and board members approve important cybersecurity investments is essential. But it fails to deliver the “so what” impact of steps like having your CISO report to a senior executive outside the typical CIO chain or having regular interactions with the board.

• Making the right personnel decisions means everything. It may sound counter-intuitive, but I believe we are all often better served by having fewer, rather than more, FTEs devoted to cybersecurity—as long as they are the cream of the crop. Maybe this is a vestige of my days in the military, but I always want an elite team rather than a large number of average performers simply to have enough eyeballs to monitor and manage security events. Business leaders have every right to ask “So what?” of the CISO who puts in a request to expand his or her team. So, what will this expansion do to decrease risk, improve business operations, or enhance products and services?

• The executive team and board members need to commit to continuous security education. Regularly scheduled presentations to the board and continuous conversations with business executives are good, but self-initiative on the part of the board and C-suite executives is better. Don’t just sit back and ask your CISO for a briefing; take the lead and get educated on your own. Visit with the security team on-site and ask questions. Spend some time reviewing threat intelligence reports with your CISO. Attend conferences and listen to podcasts. Professional organizations like the National Association of Corporate Directors offer an increasing number of training and awareness events around cybersecurity. Your board and executives won’t know how to evaluate the answers to “so what” questions if they are not committed to going beyond becoming cyber-aware and actually becoming cyber-centric. It’s that important.

Learning and Leveraging the Wisdom of “So What?” 205

• Adopt a “secure-by-design” approach. This should be applied to everything from new-product development to how you use technology for everyday operations. Policies like changing passwords quarterly are annoying to your employees, in large part because they don’t hear their “so what” pleas answered. The same is true with your system engineers and application developers. They will push back on your well-intentioned edicts, for example, to strengthen authentication for that new online loan approval application, unless you make them understand the implications when security defenses are breached or customer accounts are compromised.

Framing “So What” Questions for the Best Results

As is true in nearly every type of relationship, your ability to get everyone on the “so what” bandwagon is influenced heavily by how you send your messages. Different people on the receiving end of a “so what” missive can interpret that in different ways, and the results can range from instant learning and embracing the spirit of “so what” to hostility, confusion, and fear. What you say matters. But how you say it may matter more.

• Is your “so what” message motivational, challenging, instructive, and benefits-oriented, or is it threatening?

• Is it framed in business implications, such as financial impact, operational efficiency, company risk, or brand reputation?

• Do we need to shore up our defenses by increasing financial and manpower investments, or maybe re-prioritize the use of existing resources?

At the end of the day, “so what” is really a metaphor for an operational methodology that frames three key points:

• What is the business impact of this security situation?

• What are the risk implications?

• What are we doing about it?

For C-suite executives and board members, what you don’t want or need is a growing cascade of reports, dashboards, and metrics. CISOs already have a vast amount of information that they are sending to business stakeholders about vulnerabilities and risk; just dumping more data on the desks of decision makers isn’t going to work. Board members and executives have to walk that fine line between getting “so what” answers and wallowing in tactical details. And, time is always a limited commodity.

One way to help is for business executives and boards to train the technical presenter—the CISO, CIO, or anyone providing security information to the business side—not to pull the crowd into tactical, technical discussions. Board members, in particular, have a limited amount of time, and they need to have confidence and trust in the people accountable for ensuring the organization and its assets are secure. Coach your CISO and their team on how to deliver strategic answers to the “so what” question.

Moving Ahead With Your “So What” Methodology

Taking a “so what” approach to cybersecurity isn’t about downplaying risk or minimizing the importance of smart technology investments. Instead, it’s a pragmatic way to prioritize how, where, and when to utilize key resources (money, time, people, technology) to spot and prevent problems before they impact business operations.

When I was first exposed to “so what” in my Air Force career, I’ll admit it was a little uncomfortable and occasionally disconcerting when my superiors challenged me in this way. If you’re technically focused, you tend to think and respond in what you know best—technical terms. But CISOs and their teams have to force themselves to think and present information differently, even if it’s not easy for them. I know it wasn’t always easy for me. When you are sitting in front of a 4-star general and having to explain why it’s really important that computers supporting a major weapon system have to get patched (which means risk), you very quickly learn to cut through the technical details and answer the “so what” questions.

Ultimately, business leaders and board members should use the “so what” methodology—wisely, strategically, and non-judgmentally—to help CISOs and other security professionals sift through all the technical details and present only the information needed to make smart, fast decisions. For business leaders, asking “So what?” may not be an easy process. Your technical leaders have a tendency to want to give you the whole story, to tell you everything. You have to help them pare that down.

After all, a DDoS attack may be right around the corner, and no one wants to hear about the history of botnets and how an ICMP flood attack works.

31
Junk the Jargon: In Today’s World, Money Talks
Diane E. McCracken — Banking Industry Executive Vice President and Chief Security Officer

When it comes to cybersecurity in today’s world, money talks.

Most cybersecurity professionals, like myself, come from a technology background. We are comfortable talking about hardware, software, networking, applications, databases, next-generation firewalls, cloud computing, artificial intelligence, machine learning, and the like. In many ways, it’s our native language.

But when it comes to communicating with business leaders, particularly board members, tech talk does us no good. In fact, the more we speak the language of technology in the boardroom, the less successful we will be in advising these leaders about the risks around cyber. These are business leaders who, while consumers of technology, have no practical knowledge about the subject.

In today’s environment, cybersecurity professionals need to learn a new language. The language of money. That’s when board members and executive management pay attention. They are interested in the bottom line and need to know what the investment is really buying and whether it will protect the organization.

To Walk the Walk, You Have to Talk the Talk

For CISOs and other cybersecurity professionals, the only way to learn to interact with the board is to interact with the board—often, and with great purpose. In my organization, I speak with the board on a monthly basis.

Just like any relationship, trust must be built and a common understanding of roles, accountabilities, and, most importantly, expectations will be negotiated over time. Only through consistent interaction will you and board members start to speak the same language. This evolution is unique to each organization and CISOs must drive it.

Advice for CISOs

Get smart quickly about how to talk the language of business. Nothing makes board members and executive management sit up straight in a board meeting like the subject of how risk can impact the bottom line for their business. Have numbers ready and be prepared to answer their questions. Just like a good attorney, anticipate what they will ask, be ready with an
answer, and watch out for questions from left field.

Advice for Executive Management and Board Members

Establish a regular cadence that includes the topic of security in your meetings. Insist that the security teams present information in language and formats that are clear, simple to understand, relatable, and focused specifically on the value to the business.

Support your cybersecurity leaders. They are fighting a nameless, faceless adversary on your behalf. They have to be right thousands of times a day; the bad guys have to be right just once. In order to be successful in the cyber world, both parties must be in sync, and only through these conversations will that be possible.

If It Helps, Use Taylor Swift

In addition to speaking the language of business, you should use whatever references you can to engage meaningfully with your leaders. I’ll give you an example: Taylor Swift is a huge icon and the queen of social media. When I was making a presentation to the board about the risks of moving certain operations to the cloud, I was able to invoke her name to make my case.

Can you imagine, I told the board, if a photograph of our logo was on an umbrella that Taylor Swift carried out of a restaurant. She has 240 million followers on social media. Her fans would look up our brand, maybe even choose one of our products. With our existing infrastructure, we wouldn’t be able to ingest that much business at once. It would shut down our systems.

However, moving to the cloud would give us the flexibility to meet that demand without requiring us to make huge investments in hardware and personnel. I was talking about elastic scalability, but putting it in terms that the board could relate to.

The second part of that conversation was about risk, because risk, along with cost, is what needs to be managed. With the cloud, the point we made is that, just because we were physically moving our environment to a third party, it didn’t mean we were also moving our risk. The reality is that we always have risk, whether physical infrastructure is on site or in the cloud. It’s a matter of managing risk properly and ensuring that we always have control of our data and visibility into the environment, regardless of where it lives.

Use the News

As a CISO, there are many ways to get the attention of board members, but you must take the time to understand what makes them tick, what inspires them, what scares them, and what will make them sit up and take notice.

One of the things I’ve found among board members with whom I regularly interact: They follow the news, whether it’s The New York Times, Wall Street Journal, Bloomberg or 60 Minutes, CNN, or CNBC. If there is something about cybersecurity above the fold, on the scroll at the bottom of the screen, or highlighted on a news-magazine program, I know it is something my board members will have questions about—in particular if what was reported affects our business.

In our discussions, I make sure to address the news and tie it back to what we’re doing at our organization. They want to know: “Is it possible that something similar could occur here?” The answer is typically “Yes.” I explain up front what we have in place to deter it and how we are prepared to react to a similar event if it impacts us directly. I always make it personal and in the language of business—
money, risk, reputation, customer relationships, employee morale, productivity, and compliance.

Cybersecurity Education 101: Risk Mitigation

In the language of business, there are two areas that are always bound to resonate. One is risk and its consequences. The other is business enablement.

With risk, I often compare cybersecurity to an insurance policy. When you buy car insurance, for example, you are mitigating the consequences of risk in case something bad happens. But you are not doing anything to specifically reduce the risk or the likelihood that something bad will actually happen.

Cybersecurity investment is a different type of insurance policy. By investing in cybersecurity, you are actually taking steps to prevent something from happening and protecting the business, not merely mitigating the consequences. This differs from an insurance policy in that you are reducing risk, not transferring it.

What does that mean, in language that relates to the board? I tell board members that we spend a lot of money on state-of-the-art technology, yet without the right investment, we could be vulnerable to an attack if a single person in our organization clicks a link in the wrong email.

How can that be prevented? You need multiple layers of cybersecurity protections, focusing on people, technology, and processes. If someone clicks on a malware link, you have to have the pieces in place to ensure this does not have an adverse effect on the business. You need a cycle of incident response with technology to detect anomalous behavior, the processes to respond to it, and the people trained to investigate and take the necessary steps to contain it. This is what the board is paying for. I would also recommend walking your board through a cyber incident response exercise. This will especially help them understand the consequences of a real-world event and the pieces you’ve put in place—with their funding—to defend and respond.

Cybersecurity Education 102: Business Enablement

Business enablement is the other area that will always get the board’s attention—if the CISO presents it properly. In our organization, we brought software development in-house and identified the need for secure lifecycle management and assurance. This was a complex undertaking and required investments in technology, people, and processes to build this program from scratch.

After presenting the need, we focused on the money. We showed the board that the cost of addressing a potential security problem at the beginning of the development cycle costs much less than addressing it just prior to launch. If the application security team doesn’t look at the project until the end, it could be a showstopper. It could delay a launch while the problem gets fixed or, worse, put the business in the position of possibly launching a product with a vulnerability.

We worked hard to convince the board that it makes more business sense to find out if there’s a problem at the beginning, fix it, and get the product to market. We showed the cost of remediation early, midway, and at the end of the development lifecycle, and the board fully funded our program.

In a case such as this, it is clear that the role of the CISO is as a business enabler. It’s not our job to say “No.” Our job is to advise on the risk and put the controls in place to appropriately limit that risk.

When the business needs the board’s sign-off, I must be able to address the risk in language the board members understand.

Conclusion

In our organization, we include the board members, at their request, in communications we send to our employees about how to protect the organization and themselves from cybersecurity risk. They not only want to understand what we share with our fellow team members; they want to improve their cybersecurity chops as well. Because we’ve taken the time to educate our board on cybersecurity and speak their language, they understand that everybody has skin in this game. That’s really the only way to get folks to buy in—to ensure that they understand that this directly affects them and that they have an obligation as users of the internet to secure their piece of it.

Our security team works hard to engage with everyone in our organization around cybersecurity. We always make sure that our language is not too technical or filled with jargon. With the business leaders and the board, money is the universal language. However, it is our obligation as security professionals to clearly articulate cyber risk, regardless of the audience.

32
Zero Trust: The Strategic Approach to Stop Data Breaches
John Kindervag — Field Chief Technology Officer, Palo Alto Networks

Addressing today’s cybersecurity challenges requires a new approach, one that is focused more on strategy and less on tactics. At a high level, strategic thinkers agree that there are four basic levels of engagement:

1. Grand strategy: This is the ultimate goal of any entity. The grand strategic direction of an entity—whether it is a corporation or a nation-state—is determined at the highest levels. For nations, it’s done by presidents and prime ministers; in corporations, it is done by CEOs and members of the board of directors. A grand strategy provides the vision and direction of the entity.

2. Strategy: This is the big idea that is used to achieve the ultimate goal, as defined in the grand strategic objective. It is done at the next level down in the entity. For nation-states, it’s done by agency heads, legislatures, or generals. In companies, vice presidents and line-of-business leaders provide strategic vision. Strategy provides the ideas that give tangible momentum to the grand strategic vision. More importantly, to be strategic, the idea must resonate with the highest levels of the organization while being fully implementable at the levels below.

3. Tactics: These are the things we use to execute on the big idea, so that we are able to achieve the ultimate goal. Most people confuse strategy and tactics: They think they are strategic when, in fact, they are tactical. Tactics are implemented at the next lower levels in the organization.

4. Operations: This is the way in which we use the things we have. The operational aspects are often overlooked because we are focused on stuff, or tactics, without understanding the importance of operational integration. Tactics and operations align at this level to execute the strategic big idea so that the grand strategic goals can be achieved.

So, what can those of us in the cybersecurity community do to align with the grand strategic initiatives of the entities we are duty-bound to protect?

First, we must articulate a grand strategic objective for cybersecurity in the Digital Age; and it must be this: to stop data breaches.

To stop breaches, we must update what we think a breach is. Often, we cling to the old-school castle/moat analogy: “Someone breached the castle walls and they are inside!” This is actually an intrusion, not a breach.

The term “breach” is now a term of art in the legal and regulatory professions. Think GDPR. The breach happens when data is exfiltrated from an organization’s network or systems and placed into the hands of unauthorized entities, especially malicious actors. Therefore, to be successful in cybersecurity, we must prevent sensitive or regulated data from falling into the wrong hands. To do this we need a strategy. That strategy is Zero Trust.

The Broken Trust Model

There exists in our industry a broken trust model for security, built on the axiom, “Trust but verify.” This model of anthropomorphizing the network and giving it attributes of trust is the fundamental problem we have in cybersecurity today. Trust is a vulnerability. It serves no purpose for your organization. Trust is not necessary to move packets across a network.

The only users who benefit from trust in our systems are the malicious actors who exploit it for nefarious purposes. We must eliminate the idea of trust from our digital systems if we have any hope of protecting sensitive data and assets from exploitation and breaches by malicious actors. To do this, we must adopt the Zero Trust model.

I will describe the concepts behind Zero Trust in further detail. First let me discuss why it is essential connective tissue for the chapters on transforming cybersecurity from a cost center into a business enabler. To achieve this transformation, business and technology leaders need to rethink their approach to security in several important ways, including:

1. Security must align with the business function.

2. Security must be embedded in the design of networks and applications.

3. Security must be agile and dynamic, with the flexibility to design for change.

We can achieve each of these goals, and others, with the Zero Trust model. With Zero Trust, organizations can position themselves for a future in which they are not in constant reactive mode to threats, but instead have cybersecurity built into their technologies, cultures, and operations.

Why Zero Trust, Why Now?

Today, business-level decision-makers must be on top of the challenges facing their IT and security teams, particularly this important paradigm shift: When it comes to cybersecurity, the biggest issue facing practitioners is the breakdown of their traditional trust model, which is based on the “trust-but-verify” approach to cybersecurity.

In this model, the network was broken into two sides, an external side—the “untrusted” network that connected the organization to the public internet—and the “trusted” side, where all internal users had access to sensitive resources. This is best illustrated by the labeling of the interfaces of early firewalls. They generally had two interfaces: One interface was labeled “trusted,” and the other was labeled “untrusted.”

This pervasive model means that almost all negative security events—including data breaches—are an exploitation of that trust model. External attackers know that if they can get their packets of code past the “trust” boundary, they will be given privileges—trust—based upon the location of the packets as they traverse the network.

Additionally, threats from malicious insiders are a really big deal, but cybersecurity professionals are conditioned to think of the internal network as “safe” and the internet as “evil.” Users of internal network resources are even called “trusted” users. But some of the most highly visible incidents of our time—including the Chelsea Manning¹ and Edward Snowden² data breaches—happened by so-called “trusted” users on a so-called “trusted” internal network.

Zero Trust is built upon the idea that security must become ubiquitous throughout the infrastructure. The model is designed to be strategically resonant at the highest levels of any organization, and yet be tactically implementable by practitioners using commercial off-the-shelf technology. The concepts of Zero Trust are simple:

• All resources are accessed in a secure manner, regardless of location.

• Access control is on a “need-to-know” basis and is strictly enforced.

• All traffic is inspected and logged.

• The network is designed from the inside out.

• The network is designed to verify everything and never trust anything.

Zero Trust is designed to stop data breaches. Stopping data breaches must be the grand strategic objective of cybersecurity because a data breach is the only IT event that can get a CEO or company president fired. Therefore, Zero Trust is the only cybersecurity strategy. Everything else is just tactics.

Transforming the Security Model

Rebuilding security from the inside out means that the Zero Trust model replaces traditional perimeter defense with ubiquitous treatment of security throughout the organization. When assessing how to best redesign the network, companies often choose the Zero Trust framework because:

• Security needs to align with the business function. The working environment needs security to align with the business function. Most organizations are split into different departments and not all teams require the same amount of privileges. Enforcing strict access privileges where necessary and doing so efficiently is a priority for those adopting Zero Trust.

• Modern organizations require elasticity and the ability to design for change. Different SLAs, admins, audit requirements, regulations, and certifications necessitate flexibility and transparency for auditors and management. Infrastructure and security teams need an architecture that allows for quick changes and optimizations unhindered by controls and complexity.

• Zero Trust is not rigid. Another important aspect of Zero Trust is that it doesn’t have one single approach. It is not cookie cutter and can be designed specifically around the data, applications, assets, or services that an organization needs to have protected.

Business Drivers

Today, companies are looking to leverage technology to position their internal technology management toward better security and manageability. Many organizations are trying to reimagine security outside of traditional parameters and redefine their security practices to meet both current threats and dynamically changing business needs.

But to get from here to there, organizations must rethink legacy network security to make it simpler and more efficient. When businesses attempt these types of transformational projects, they typically face onerous challenges. Zero Trust initiatives help address these challenges in the following ways:

• Cost management: Security teams often face significant constraints on financial, budgetary, and organizational resources. Zero Trust initiatives help maximize resources. Many companies adopt a startup mode when beginning the Zero Trust journey. Therefore, they handle their money very carefully, making sure spending is in line with the team’s core competencies, in terms of manageability, maintainability, and scalability.

• Personnel resources: Working teams are already lean. Companies face staffing issues and most of the staff is already strained by daily operational needs. Zero Trust teams must start small and leverage the existing architecture and technology to address the environment in a new way.

• Legacy architectures: Traditional IT is inefficient. Most existing networks have grown organically and are not designed to be agile and efficient enough to meet business needs. New innovations, such as cloud computing and user mobility, mean that organizations can no longer stay within the bounds of old IT’s capabilities. Zero Trust uses technology and architecture to its advantage to make IT a business enabler instead of a business inhibitor.

• Cloud enablement: Server virtualization and cloud services change the rules of the game. Most organizations want to collapse the network infrastructure to reduce the number of servers by leveraging virtualization and public cloud infrastructure. The security aspects of these technological shifts remain challenging. How do you put security controls in a virtual environment? How is traffic going to be managed? What happens when applications and data are in multiple clouds? How do you maintain visibility and control? Zero Trust network architecture is virtualized and cloud-friendly.

Conclusion

One of the keystones of protecting our digital way of life is preventing the breach of sensitive data. It is a core of every business strategy that relies upon connected digital technologies. To do this, incorporate a Zero Trust model to ensure that all resources are accessed in a secure manner and all traffic is logged and inspected. With Zero Trust, we can take the next step forward in trusting that cybersecurity can be a true enabler of business success and differentiation.
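As an added illustration (not the chapter’s or Palo Alto Networks’ code), the following Python contrasts the two-interface, trust-by-location model this chapter describes with a Zero Trust check that verifies identity, device posture, and need-to-know for every request regardless of where it originates, and logs each decision. The address plan, identities, resource names, policy rules, and sample requests are all constructed for the example.

```python
"""Trust-by-location versus Zero Trust policy evaluation (added illustration).

All zones, addresses, identities, resources and rules below are constructed
for this example and do not describe any real deployment.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan: the legacy firewall's "trusted" interface fronts
# 10.0.0.0/8; everything else arrives on the "untrusted" interface.
TRUSTED_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str             # authenticated identity ("" when nothing authenticated)
    src_ip: str           # where the packets came from
    resource: str         # what is being accessed
    action: str           # e.g. "read" or "write"
    device_managed: bool  # device posture reported by an endpoint agent (constructed)


def legacy_zone_policy(req: Request) -> bool:
    """Trust by location: anything already inside the trusted zone may reach
    internal resources. Identity and need-to-know are never checked."""
    return ip_address(req.src_ip) in TRUSTED_NET


# Constructed need-to-know matrix for the Zero Trust policy:
# resource -> {identity: set of permitted actions}. Absence means deny.
NEED_TO_KNOW = {
    "hr-db": {"alice@corp": {"read"}},
    "customer-pii": {"svc-billing": {"read"}, "bob@corp": {"read", "write"}},
}


@dataclass
class ZeroTrustEnforcer:
    """Every request is verified against identity, device posture and the
    need-to-know matrix regardless of source location, and every decision is
    logged (the chapter's "all traffic is inspected and logged")."""
    rules: dict
    log: list = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        permitted = self.rules.get(req.resource, {}).get(req.user, set())
        allowed = req.user != "" and req.device_managed and req.action in permitted
        self.log.append({
            "user": req.user or "<unauthenticated>",
            "src": req.src_ip,
            "resource": req.resource,
            "action": req.action,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed


# Constructed sample traffic. Two of the four requests originate inside the
# "trusted" zone, which is exactly where the legacy model stops looking.
SAMPLE = [
    Request("alice@corp", "10.1.5.7", "hr-db", "read", True),           # legitimate insider
    Request("bob@corp", "10.1.5.9", "hr-db", "read", True),             # insider without need-to-know
    Request("", "10.20.3.4", "customer-pii", "read", False),            # unauthenticated host past the boundary
    Request("bob@corp", "203.0.113.8", "customer-pii", "write", True),  # remote but legitimate
]


def compare(requests=SAMPLE):
    """Return (legacy_decisions, zero_trust_decisions, decision_log)."""
    enforcer = ZeroTrustEnforcer(NEED_TO_KNOW)
    legacy = [legacy_zone_policy(r) for r in requests]
    zero_trust = [enforcer.decide(r) for r in requests]
    return legacy, zero_trust, enforcer.log


if __name__ == "__main__":
    legacy, zero_trust, log = compare()
    for req, l, z in zip(SAMPLE, legacy, zero_trust):
        name = req.user or "<unauthenticated>"
        print(f"{name:18} {req.src_ip:13} {req.resource:13} legacy={l!s:5} zero_trust={z}")
```

The legacy policy admits the insider without need-to-know and the unauthenticated host simply because their packets are already on the trusted side, while the Zero Trust policy denies both, allows the remote user whose identity and device check out, and leaves a log entry for every decision.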

¹ “Everything you need to know about Chelsea Manning,” ABC News, May 16, 2017.
² “This is everything Edward Snowden revealed in one year of unprecedented top-secret leaks,” Business Insider UK, September 16, 2016.

THE CASE FOR THE ZERO TRUST MODEL

• A broken trust model is the most urgent issue facing cybersecurity


today.
• All users are effectively “untrusted.”
• Security must be embedded throughout the network, not just on the
perimeter.
• Networks must be designed from the inside-out, based upon the ele-
ments in the network that need to be protected.
• Networks must be designed with compliance in mind.
• All resources must be accessed securely.
• All traffic traversing the network must be inspected and logged.
• Zero Trust is the future of cybersecurity.

THE BUSINESS VALUE OF THE ZERO TRUST MODEL

• Visibility and security: The new infrastructure allows network administrators tremendous visibility into users and systems. With enhanced
visibility, the environment is more lenient in terms of monitoring and
allocating resources. Along with better visibility, Zero Trust forces the
application, systems, and security teams to work together more effec-
tively. Zero Trust encourages interdepartmental communication and
breaks down silos that inhibit innovation.
• Cost-effectiveness: Companies that deploy Zero Trust typically see tan-
gible capital and operational cost benefits. Zero Trust networks require
fewer people to manage large, complex, and more secure deployments.
Companies experience reductions in people and equipment costs, as
well as improvements in uptime and failure rates.
• Assessment and compliance: Implementing Zero Trust makes audit-
ing much more straightforward, simple, and quick. Zero Trust networks
often have fewer audit findings because auditors can understand and
conceptualize them more easily. Many compliance items are built into
a Zero Trust network by default, and many current audit requirements
were designed to uplift legacy networks and are not applicable in Zero
Trust environments.

Zero Trust: The Strategic Approach to Stop Data Breaches 217


People
33
Making Boardroom Changes Today to
Ensure a Cyber-Secure Tomorrow
Kal Bittianda — Head of North America Technology Practice, Egon Zehnder
Selena Loh LaCroix — Global Lead, Technology and Communications Practice,
Egon Zehnder
William Houston — Advisor, Technology and Communications
& Industrial Practices, Egon Zehnder

Go to our firm’s website and click the “What We Do” link. The first three words you’ll read describe the key drivers that frame our scope of work as management consultants and executive search experts: Globalization. Convergence. Disruption.

We could just as easily apply those words to the tumultuous state of cybersecurity—and, in particular, the unique demands now faced by and debated in every boardroom. In fact, it would not be an overstatement to say that cybersecurity is reshaping how boards assess risk, practice governance, advise management, and ensure the very long-term viability and prosperity of their organizations. In cybersecurity, global risks are being accelerated by technology convergence at a rate never before seen, causing untold disruption in our work, our lives, and our communities.

And, as is typically true of all forms of dramatic change, board members face critical questions that will determine if the board—and the overall organization—is going to thrive in an era of intensified cybersecurity risk, or be steamrolled by it.

As boards typically do, sorting out the issues, debating the options, and arriving at the most appropriate recommendations involves asking and getting answers to high-impact questions. But instead of simply posing those questions to management, now boards have to look inward and ask those questions of themselves.

And one thing we have learned during our collective years of experience at advising the C-suite and board members is this: Not every board member is going to embrace this kind of change easily. And in some cases, not at all. Get ready.

Why Changes Are Necessary at the Board Level
Aligning your board with the dramatic changes going on in cybersecurity risk is a strategic issue, one requiring a lot of thought, deliberation, debate, cajoling, and even a little good luck. Making the right moves in how the board operates is a facilitator in risk management. The technology shaping cybersecurity issues is undergoing dramatic change—AI, machine learning, blockchain, Internet of Things, and more. The technology risks are getting more complex and dynamic, but at the same time, they reflect important new business opportunities that cannot be shunted aside simply because of new/greater risk.

The right board composition, coupled with setting the right mandate for leadership and action, is the best way for board members to make the greatest impact. It’s about making the right choice, not the safe choice.

After all, nothing comes with zero risk. Boards have always had to deal with geopolitical, financial, regulatory, and product risks, and cybersecurity is the latest addition to the mix. The experience, expertise, mindset, and attitude of your board is critical to juggling the classic risk/reward equation.

There’s another important factor—one that is a bit “delicate,” to say the least. Although the pace of technology change in the past 20 to 30 years has been dramatic, this is nothing compared to what we will experience over the next few years. That’s extraordinarily difficult for anyone to manage, even experienced people. The reality is that the mean age of board members is creeping up in many organizations and industries, and it is becoming harder and harder for some to stay on top of the changes. Yet as the threats grow in number and sophistication, with new types of bad actors and threat vectors, people with current operating experience, fresh ideas, and greater comfort with technology will be needed to help guide policy and priorities.

Although many boards understand the need to come armed with fresh perspectives, not enough board members actually know what to do. This is likely to become more and more urgent as cyberattacks have material impact on an organization’s financial performance, regulatory standing, legal exposure, and customer confidence. The next shoe to drop may be successful lawsuits aimed directly at board members for failing to meet their fiduciary responsibilities in a cyber breach situation. If you’re a board member, that will undoubtedly make you sit up and take notice.

This is where board dynamics become very important. If you have a board whose members are honest, open, and willing to listen to “different” ideas, it’s far easier to deal with the uncertainty and magnitude of cyber risk. Board members need to be fearless in proposing ideas that may seem unconventional, or even radical. That can be a very powerful force for debate and change, even when your board is properly composed.

How You Know You Are Succeeding
Truth be told, a very small minority of companies proactively come to us and ask for help in defining their board composition with an eye toward the future. An initial step we believe bodes well for a board readying itself for the impact of cybersecurity risk is recognizing the need for an orderly board succession plan and then laying out a methodical execution plan over a two-to-five-year period. Savvy board chairs will meet their evolving needs, such as in cybersecurity risk evaluation and governance, by thoughtfully planning around upcoming retirements and departures.

A successful board transition begins with a documented strategic plan that defines the board member archetypes who will be recruited to the board over the period, and sometimes even identifies specific/aspirational people to approach. Unfortunately, too few organizations actually think this through and invest the time and energy to map it. Often boards realize, “Oops, this person is retiring next year, we need to find an audit committee chair.” Or they may have been dinged with a poor diversity score from ISS or Glass Lewis that triggers a search for a female board member.

Experience has also shown us that successful transition plans involve creating and maintaining synergies and strong working relationships in the boardroom. While it doesn’t mean everyone has to spend quality time together outside the boardroom, it does mean avoiding adversarial, confrontational meetings where personalities and perceived slights get in the way of doing productive work. Give a lot of thought to the intellectual, personal, and political dynamics of your board.

After all, the days when board members spent 20 years in their seats and then retired gracefully are quickly passing us by. These are ground-shaking times, requiring a more proactive board willing to explore new ideas and new ways to achieve success.

Remember: We’re not recommending overhauling your board by orchestrating a palace coup in the boardroom. We’ve all seen examples of how messy those can get and the kind of unproductive, even hostile, environments they can create. The evolution of the board needs to be designed with its future desired state in mind, in conjunction with managing affected board members in a thoughtful, respectful, and personal manner.

Make no mistake: It has to be done. The very future of your organization and its success depends upon it.

ESSENTIAL QUESTIONS FOR THE BOARD … ABOUT THE BOARD

We’ve often seen that boards that are most successful at anticipating and
coping with sea changes of the magnitude in cybersecurity risk are willing to
look inward and ask very tough, often uncomfortable, questions. Four come
to mind:
Are the right people on our board? A successful board starts with having
the right people around the boardroom table. However, the answers to the
question, “Do you have the right people—and if not, who should they be?”
will vary widely depending on the type of organization you have and the cur-
rent mix of experience on your board.
• If you decide to bring a cyber expert onto the board, unless you are
actually expanding the board, that’s a board seat you’re giving up to a
specialist. If having that kind of expertise is a strategic differentiator in
your industry (e.g., technology, financial services), or if you want to dra-
matically shift the cyber posture of your company, that may be a smart
decision.
• But if your organization believes it has less cyber risk, you may not want
to devote that seat to a cyber expert. Instead, you may decide to focus
on ensuring the company has a world-class organization with strong
cybersecurity credentials (and the business acumen to match), including
strong leaders who will regularly meet with and brief the board.


Do you have the right committee structure for evaluating and governing
cybersecurity risk? Committees and sub-committees are important to give
weight and light to such functions as audit, HR, regulatory, strategic plan-
ning, risk, and cybersecurity.
• If you’re in an industry where the risk of a cyber breach could have a
devastating impact on the company, you’ll probably need a technology
committee.
• It may be harder for boards in industries that have traditionally not
relied as heavily on technology, such as retail and trucking, to justify a
dedicated technology committee. Ironically, they could be the ones that
need it most, as they probably don’t possess sufficient technical talent
in their organizations.
• Cybersecurity could also be incorporated into an existing committee,
such as the risk or audit committees.
What should board members talk about? Board discussions around cyber-
security must be proactive and center on such issues as:
a. Organization structure: Have the CEO and CISO properly structured
the organization to address information security? Do we have the opti-
mal reporting structure and the right people in the right roles?
b. Investment: Are we allocating the right budgetary resources for our cur-
rent and future risk profile? Are we making the right budget allocation,
and do we know what we get from/for this investment? (Hint: Setting
security spending levels is not a mathematical exercise.)
c. Accountability: Do we have the right person in the CISO role? Do they
have the right goals, and are they properly incented for the desired out-
comes?
d. Improvement: How do we know that our “non-mitigated” risk footprint
is shrinking? What metrics are we using to determine this, and are they
still appropriate? (For example: What portion of issues are resolved once
and for all? Are the resolution times decreasing over time?)
Of course, the board also needs answers to forward-looking questions:
Which threats are imminent that we have yet to address? What would hap-
pen to our bottom line if we lost our ability to take orders online for an
hour? A day? A week?

What are the responsibilities for the rest of the board? Even if you’re not
the board’s resident cyber expert or you don’t sit on a relevant committee
responsible for cybersecurity oversight and governance, you have a critical
role to play.
• Every board member needs to be involved in the discussions and delib-
erations around cybersecurity.
• You may decide to let your colleagues take the lead on the issues, but
you still can and must ask good questions.
• And don’t assume that because a fellow board member experienced
zero-day attacks at their own company, they are the only one qualified
to ask questions about the organization’s threat detection, prevention,
and remediation practices.
• One smart practice we’ve seen some boards take is to have the
less-technical board members spend a day, at least once a year, with the
cyber team to watch what they do, ask questions, and get a practical
education from people on the frontlines.



34
Creating a Culture of Cybersecurity
Patric J.M. Versteeg, MSc.

Creating a culture of cybersecurity across an organization is not only doable—it is essential!

When it comes to cybersecurity, culture is a huge deal, and it is a very real component for creating a more secure organization. All people across an organization, regardless of their roles, are responsible for being vigilant and taking the right steps to securely use technologies and processes.

Defining and “living” a cybersecurity culture requires viewing the issue from two different, yet interdependent, perspectives—as senders and receivers.

Senders in organizational hierarchies are the leaders—the business C-level executives, CISOs, and board members. They are the ones who set policies, enforce processes, ensure governance, and set the general direction for the rest of the organization. Moreover, for senders, there are two significant things to remember about the culture of cybersecurity.
• First, when it comes to cybersecurity, culture is neither a democracy nor a dictatorship. Senders establish baselines for requirements that act as the foundation for the organization’s cybersecurity, in alignment not only with business goals, but also with cultural values and behavior. After the baselines have been implemented, the senders should be open for a dialog with the receivers about the next level of cybersecurity to be achieved throughout the organization.
• Second, leaders must learn to listen—or, as an homage to organizational guru Simon Sinek, learn to speak last. All too often, business leaders—and many CISOs, also—come into organizations with their ideas fully formed: “We’re going to do this with access and identity management; this with authentication; and change all processes according to X, Y, and Z.” It’s essential for senders to prove to the rest of the organization that their perspectives matter. Great ideas and effective policies must be the product of multiple points of input, each coming from a unique perspective. Listen first, speak last.

Receivers are those who take in, process, and “live” the directives and priorities established by the senders. And it is important that they see themselves as actively participating in the development and promotion of a cybersecurity culture, not just passively accepting the rules and regulations.

In a culture of cybersecurity, receivers have skin in the game. Their day-to-day responsibilities are profoundly shaped by the policies, processes, and procedures set forth to govern good cyber hygiene—and not only as a benefit to the organization. Those steps also must protect their digital safety, so they do not become reliant on cybersecurity technology and processes to keep them and their organization safe. If the senders do their job right, receivers are not the weakest link but the strongest, in the cybersecurity chain.

Learning how receivers shape, and ultimately fit into, a culture of cybersecurity isn’t easy, given the seemingly infinite differences between how any two people interpret processes and are motivated to contribute to the building and caring of a cybersecurity culture. Fortunately, there are several effective models that help us understand how culture is defined inside an organization. One is the Competing Values Framework by Quinn & Rohrbaugh. There is an important synergy between this framework and the challenge organizations face in creating a culture around cybersecurity.

For instance, the Quinn & Rohrbaugh model in Figure 1 shows us how an organization’s culture can be defined. Depending on the organization’s culture—specifically, about how that culture affects people’s ability to embrace change—the culture of cybersecurity is shaped accordingly. This model centers on four distinct, yet interwoven, organizational culture models:
1. Open Systems Model: This model is based on an organic system, with emphasis on adaptability, readiness, growth, resource acquisition, and external support. These processes bring innovation and creativity. People are not controlled but inspired.²
2. Rational Goal Model: This model is based on profit, with emphasis on rational action. It assumes that planning and goal setting result in productivity and efficiency. Tasks are clarified, objectives are set, and action is taken.²
3. Internal Process Model: This model is based on hierarchy, with emphasis on measurement, documentation, and information management. These processes bring stability and control. Hierarchies seem to function best when the task to be done is well understood and when time is not an important factor.²
4. Human Relations Model: This model is based on cohesion and morale, with emphasis on human resource and training. People are seen not as isolated individuals, but as cooperating members of a common social system with a common stake in what happens.²

Figure 1: An overview of the Competing Values Framework by Quinn & Rohrbaugh¹

Using the Quinn & Rohrbaugh framework, it is possible to define leadership roles (Figure 2) that have the most positive outcome when it comes to supporting a company’s culture and therefore shaping the most effective culture of cybersecurity.

Figure 2: Leadership roles mapped in the Quinn & Rohrbaugh model³

The exact definition of the mentioned leadership roles (Innovator, Broker, Producer, Director, Coordinator, Monitor, Facilitator, Mentor) is beyond the scope of this chapter. But to give some more insight, you can probably imagine that if the tone at the top (senders) is driven from the Director Role (lower right, in Figure 2), it will not be adopted well or easily for receivers in a company that has a Human Relations Model (upper left, Figure 1).

The models illustrate that defining and understanding the organizational culture is an essential step toward getting a better grasp on how to steer the organization toward a more cyber-secure-centric culture.

The Power and Necessity of Change Management
Despite most everyone’s best intentions, many cybersecurity programs languish or outright fail to keep the organization and its digital assets secure because people on both the business side and the technical side are reluctant to change. It is this intransigence that puts up the biggest roadblock in getting people to agree on the delicate balance between prudent cybersecurity and business opportunity.

After all, people are creatures of habit. We all love to do things in a certain way, and senior management is often the most likely to dig in their heels against change. “I’ve been running this business my way, it’s working well, and we haven’t had any issues,” I hear over and over. Unfortunately, very often this attitude gets translated into statements like, “We can’t do that,” or “No, that’s not allowed,” when it comes to cybersecurity.

And let’s be clear: We need changes in how organizations plan, implement, and measure effective cybersecurity because the threat vectors are always expanding and the cyber attackers are bolder, more resourceful, and even more collaborative than ever. Our rate of change must exceed theirs if we want to keep our businesses sustainable.

Cybersecurity culture is all about change management, from the executive leadership on down. Whether we want to admit it or not, many of us crave change or we risk stagnation, boredom, and losing our competitive edge. I know I need this: Every few years, I move into a new company to enable myself to learn new things and apply my skills in different environments and different cultures. If I’m not willing to change as a business leader, I’m going to fail terribly.

And in today’s high-pitched cybersecurity environment, failing is unacceptable!

Getting to Yes
Ultimately, one of the best ways to think of a culture of cybersecurity is to talk about what I call getting to “yes.” This may sound counter-intuitive in cybersecurity, where the emphasis has always been on what not to do, and why that can’t be allowed.

But leaders have to fight against this tendency when creating a cybersecurity culture: We have to find ways to let people think they can do something, that they are allowed and even encouraged to do something, to take action, and to minimize a reliance on technology and processes.

In setting a culture of cybersecurity, leaders (senders) develop criteria—remember, by listening to their teams (receivers), rather than speaking at them—for what can be done, how it can be done, and under which circumstances. Leaders should focus more on goals than tactics, on facilitating rather than creating roadblocks, on outcomes rather than minutiae.

When leaders build and promote a culture that encourages teams to make smart decisions that assess and consider risks and rewards, it becomes easier to put reasonable limits around what can and can’t be done in cybersecurity. We can more easily evolve to “Yes, in the following circumstances with the following xyz controls” or “Yes, but in this manner,” when we have established that your culture requires you to start with “Yes.”

Of course, there are some things that your culture of cybersecurity cannot and should not allow. You can’t sell private patient information to data brokers; you can’t break the law; and you can’t put the organization into legal jeopardy. But even then, there are choices that can be made.

Let me give you a hypothetical example. Suppose your CISO, or their boss, reads about a data breach at an organization that was prompted by a security flaw with a public cloud file-sharing service. If you have a strong get-to-“yes” culture that promotes initiative and prudent risk-taking, your senior executives may have set data storage policies to establish a clear balance between risk on one side, and agility and empowerment on the other.

But if you don’t have such a culture of cybersecurity, not yet driven by “yes,” what your executives say may be a knee-jerk response to news of the latest public cloud security breach: “No one can use file sharing services.”

It’s OK and even necessary to raise questions about security, but when leaders (senders) issue directives without considering implications or alternatives, it undermines the culture of cybersecurity. Most likely it will create a (personal/receivers) shadow IT project that, in the end, might bring in even more risks.

To help the team get to “yes,” leaders should think of the goal, which in this case is to have a secure, efficient way to transfer files between businesses or with customers. However, you have to trust your people to come up with appropriate solutions that balance risk with business opportunity. It’s not about stopping the use of file sharing; it’s about managing the risk.

Getting Started Toward a Culture of Cybersecurity
To empower change and drive a culture of cybersecurity, executives and board members need to consider some essential issues. For instance, business leaders should determine what type of culture for receivers is predominant within the organization; this will go a long way toward shaping how messages, directives, and policies should be presented and communicated throughout the organization.

At the same time, it’s important to assess the tone set by the top (the senders) in talking about cybersecurity, and to ensure the leadership style is in sync with how the organization receives the message and gives life to the desired cybersecurity culture.

Board members and executives should use a mix of statistical analytics tools and old-fashioned “management by walking around” to get both a quantitative and qualitative assessment of how senders and receivers are aligned—or if they are aligned at all.

This alignment is critical to building a thriving culture of cybersecurity. After all, if senders set a tone that is directive, authoritarian, and overly top-down, this could foster a passive response by the receivers if they are used to a Human Relations Model organization culture.

Use engaging and interactive sessions to help senders experience situations and understand receivers’ reactions, so senders can better understand the implications of their actions.

I am convinced that a culture of cybersecurity can be achieved where the human element is the strongest link in the cybersecurity chain, but only if your “yes” message is presented as a fit to organizational culture. If not, your “yes” message might be misinterpreted as a resounding “no.” And nobody likes to hear—or receive—“no.”

Conclusion
Any good venture capitalist will tell you that the most important thing they consider when evaluating all the investment proposals they receive is the quality of the leadership team. After all, products come and go, and markets continuously evolve. But a great team will anticipate and adapt to change to ensure the organization stays on track toward achieving its goals.

The same is true for creating a culture of cybersecurity. Business executives and boards, in concert with their cybersecurity and IT leaders, need to understand and shape their organization’s culture in order to create the right cybersecurity mindset—even before setting policies, procedures, and priorities around cybersecurity.

Our apocryphal file sharing story is a good example of how culture can either inhibit or promote smart, successful cybersecurity. Organizations that build and nourish the right culture around cybersecurity find ways to get to the goal faster. They are also more cost-efficient, with less rancor and politics, than organizations that fail to understand the critical role culture—set both by senders and receivers—plays in their efforts.

Let’s all find a way to get to “Yes.”

1 Quinn, Robert E., and John Rohrbaugh. “A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis,” Management Science 29, no. 3 (1983): 363-77. http://www.jstor.org/stable/2631061
2 “Competing Values Framework,” University of Twente. https://www.utwente.nl/en/bms/communication-theories/sorted-by-cluster/Organizational%20Communication/Competing_Values_Framework/
3 Belasen, Alan, and Nancy Frank. “Competing values leadership: quadrant roles and personality traits” (2007). https://www.researchgate.net/publication/242337141_Competing_values_leadership_Quadrant_roles_and_personality_traits

35
Recognizing, Developing, and Deploying
Good Cybersecurity Habits
George Finney — Chief Security Officer, Southern Methodist University

I’m a Chief Security Officer for a major organization’s cybersecurity arsenal. But
United States university. I love my job, it’s not enough. You also need everyone in
even with its frenetic, unpredictable twists the organization—and everyone the orga-
and turns. I thank my lucky stars every nization deals with outside the firewalls—
day that I don’t have a boring job where to have well-honed and expertly deployed
I know what to expect when I show up at cybersecurity habits.
the office or log in to my email. That’s because cybersecurity is not a
And that’s not all I do. I’m a writer— skill to be learned, nor is it a competency.
seriously. I’ve written books, short sto- How do I know this? Simple: Because
ries, crime novels, and screenplays. But we’ve always assumed that making employ-
since they tell me that writers should write ees undergo training sessions for good
about the things they know best, my last cyber hygiene will yield improved results.
four books have been about cybersecu- And that isn’t happening, not in any way,
rity. In my most recent book, No More shape, or form.
Magic Wands: Transformative Cybersecurity Cybersecurity is a habit, like getting up
Change for Everyone, I introduced the topic in the morning to exercise, showing affec-
with something I knew would become tion to your children, and adjusting your
more and more important as we continued car’s mirrors before you back out of the
to battle with cyber adversaries: driveway. And when you look at cyberse-
“If security is everyone’s job, everyone curity through that lens, it’s not surprising
needs to have the right tools to actually do at all that making your employees watch a
the job. Not some of the tools. Not a little short video on security doesn’t change their
bit of the tools. All of it.” behavior. It’s like reading a manual about
And one of the most important tools using a treadmill. It’s not going to make
anyone can have—whether you’re a CSO, you any healthier.
a CEO, a board member, or anyone who
uses technology to do nearly anything—is Getting Started: Identifying Good
good habits. Yes, next-generation firewalls, Habits
automated monitoring, and threat intel- I didn’t come up with this epiphany early in
ligent services all are must-haves in any my cybersecurity career. Like pretty much

233
everything else, I had to learn it through trial and error. Years ago, we were doing what everyone else did, delivering online cybersecurity training videos, brownbag sessions, and simulated phishing messages. But we continued to encounter cybersecurity events—just like everyone else, of course—so we knew we were missing something.
Two things stood out in my mind. First, I remembered my childhood experience of learning tae kwon do, especially the realization that simply learning the moves didn’t really translate into success. I eventually figured out that the drills are what made the difference, and that I had to put in the time and diligence to see real progress.
Second, my HR colleagues and I decided to model our cybersecurity training around something that we knew had succeeded: wellness programs. These days, most HR departments have established health and wellness programs as employee benefits—partly because many employees like the idea of trying to take charge of their health, but more because they actually work. Wellness training succeeds in large part because we can educate and influence people about the benefits of eating healthier or working out, but also about how to actually make it habitual. And these programs use incentives like free vacation days to give employees even more motivation to build new routines. They succeed because they force people to confront, acknowledge, and act upon the notion that wellness is a habit, not a skill.
To make wellness work in cybersecurity, we had to focus on identifying good cybersecurity habits and then doing drills with people. These habits need to be institutionalized, starting with top management and board members, not just the CSO having a monthly lunch-and-learn session. If senior executives don’t buy into this and send strong signals that cybersecurity is a potential threat not only to organizations but also to employees, we will have to confront a major challenge.
What are some good cybersecurity habits?
Don’t react. Don’t just look at something and start acting. Try to “see” what is happening by taking your time and noticing the details. If this sounds like “can’t see the forest for the trees,” you’re right. Chances are you are not just seeing an isolated incident or two, but rather data points in a pattern that can be viewed in ultra-high-definition, if you take the time to see the big picture. Automated network monitoring has done great things to help identify abnormal data movement patterns in and out of your systems, but we still need to rely on smart, discerning, curious people to review the information before we allow that very large file transfer to Ukraine to go through.
Trust your gut. Instincts are powerful defense mechanisms—if we pay attention to them. I’m not suggesting that you overthink everything and fall into “paralysis by analysis” mode. But if that email from the CFO seems slightly different from past communications, don’t just assume it’s legitimate. Reply with a question, or, better yet, pick up the phone or walk down the hall.
Rely on community. One of the big mistakes we often make, both in business and at home, is that we are afraid to ask for help—or even just validation. We don’t want people to see us as less than confident in our knowledge, or we may feel that by bringing others into our thought process we are giving away some kind of “competitive advantage” as we seek to advance in our careers. We’re not alone, and when it comes to cybersecurity, it’s far better to get another point of view. For instance, organizations should consider joining a cyber-intelligence-sharing consortium. Don’t worry, you won’t be giving up the company secrets, but you may be learning something you didn’t know.
Slow down. Because so many factors—including the pace of technology change—are accelerating the decision-making process, we too often feel the need to “ready, fire, aim.” We often make decisions based on the “bias for action” philosophy espoused by business leaders. A bias for action is great, except when it results in bad decisions that were based on incomplete information and made just to be the first to market. Think about that when your product development team wants to roll out the industry’s first IoT-enabled widget and they haven’t baked in the security controls.
Nothing is random; make planning a habit. When bad things happen—property crimes, shootings, motor vehicle accidents, and more—we ask ourselves, “What could we have done differently?” That kind of introspection is good, but only if it results in making scenario planning a systematic, thoughtful process. For instance, our employees and third parties accessing our proprietary data have to log on to Wi-Fi networks securely and with the right permissions. Everyone also must change their passwords in a thoughtful and sincere manner and avoid leaving those passwords on Post-It Notes on our screens. Good planning—and repeating good habits—is essential.
Let me give you a real-world example of what I’m talking about. I recently met a business journalist who had written about cybersecurity. We got to talking about the subject and my focus on good habits, and she excitedly told me a story about what had happened the night before.
Her husband received a text that appeared to come from PayPal, alerting him that a $1,000 transaction had been made in his account. He was initially confused and then immediately irate, convinced that someone at PayPal had made an error. He told his wife, sitting across the dinner table, what had happened, and said, “I’m going to see what they’re talking about.” Just before he could click the PayPal link in the text, his wife screamed, “Wait!” and grabbed the phone from his hand. As you can now imagine, her good cybersecurity habits warned her that something was amiss, and that her husband was a nanosecond away from enabling a phishing attempt.
This kind of thing undoubtedly happens all the time in our organizations, from the largest governments and multinational corporations to small retail stores using technology to manage their finances, track inventory, and pay employees. We have become so dependent upon technology for everything in our business and personal lives that we sometimes let down our guard—often with catastrophic results.

What Can and Should Business Leaders Do?
While good cybersecurity habits are developed and honed by individuals, the C-suite and the board play outsized roles in promoting this kind of good behavior.
First, keep in mind something Patric Versteeg says in his chapter about creating a culture of cybersecurity. Patric notes that culture is shaped by management and then is embodied in the organization’s people and processes. It’s very trendy to talk about a bottom-up approach to problem-solving, and it often makes a lot of sense. But don’t kid yourselves; we still are very prone to hierarchical organizations, and executives remain the most powerful and influential force in the enterprise. Executives

Recognizing, Developing, and Deploying Good Cybersecurity Habits 235


need to exhibit “intentionality,” based on the things they do, what they say, how they ask questions, and so on.
Second, it’s unfortunate to say that too many executives display an air of entitlement when it comes to cybersecurity habits. It is often personified by that frightening word: Exceptions. Picture the stereotypical CEO. He or she may urgently need something done, so they demand action. Of course, they may feel they don’t need to go through the proper cybersecurity protocols to request that large payment to a strategic vendor that is trying to deliver a critical part. When that email comes through to the treasurer or CFO, everyone jumps to attention, only to find out that the request is really from a hacker mimicking the CEO’s email account.
Third, executives need to support the CSO and the HR director in institutionalizing training programs for good cybersecurity habit development—and they need to participate in them, as well. If executives are going to be taken seriously in promoting the importance of good cybersecurity habits, it must become a leadership mandate. In my book, No More Magic Wands, the main character isn’t the CSO, it’s the business executive who champions and pushes for change. It is incredibly important for business leaders to be seen as the agents of transformation for good cybersecurity habits, not as just sitting back and directing the CSO to lead the way. Nobody wants the CEO to be a micromanager on cybersecurity, but a CEO who abdicates their leadership role in this area is a big, red warning light for board members.

Conclusion
Aristotle is often credited with saying, “We are what we repeatedly do. Excellence, therefore, is not an act, but a habit.” Today, he’d either be a $1,000-an-hour management consultant or a CSO.
Leaders must take big steps toward institutionalizing good cybersecurity habits throughout their organizations; without it becoming part of the corporate culture, it will never be actualized by employees at the office, on the road, or at home.
So, keep investing in cutting-edge technologies, sophisticated analytics, and innovative cybersecurity tools. Make sure your SOC is properly staffed, your business units have embedded security professionals, and your CSO is as well-versed on inventory turns and competitive differentiation as they are on botnets and spear phishing.
But also remember to put in place the steps covered earlier in this chapter:
Don’t react.
Trust your gut.
Rely on community.
Slow down.
Make planning a habit.

Then, please give me a call to share your experiences. We can write a book about it.

36
Social Engineering Attacks: We’re All Targets
Yorck O.A. Reuber — Head of Infrastructure Services & CTO, North Europe, AXA IT

In today’s environment, professional attackers know how to avoid your security technology by using social engineering and picking out human victims within your company. In fact, human targets have moved ahead of machines as the top target for cybercriminals. As noted by IDG’s publication, CSO, “Hackers smell blood now, not silicon.”1
Your employees can be difficult to protect. Adversaries will use people’s emotions and their readiness to be helpful to obtain information that helps launch a highly targeted and often believable attack. Process and technology alone will not address this. Raising awareness and increasing vigilance will help you protect your employees and your organization. More importantly, it will help you build a culture of cybersecurity.

Cyberattack Calling and Other Modes of Attack
Targets of a social engineering attack need not be executive staff or members of the research department working on a secret project. More often, criminals target an ordinary employee they have researched in advance to ensure the attack is formulated in a maximally convincing way. They use social media to discover details about projects, names, dependencies between departments and individuals, and friendships between colleagues. Once they have the baseline information, it’s simple to approach an employee, appear legitimate, and obtain corporate information or access to corporate networks. Here are some examples of approaches used:
Cyberattack calling: A call via the switchboard results in what appears to be an internal call. In this call, an urgently required support activity will be referenced: “Our colleague, Mrs. X, has not given me the data I urgently need to finish the report for board member Y. She is now on holiday; I am sure I will be fired if I do not send it immediately. Please help me … I can’t afford to lose my job.” Far too often, financial, corporate, or personal information is then disclosed in an attempt to help the caller do their job.
Corporate network access: An employee receives an email from someone who appears to be working in the same company. The mail signature is correct, and the content fits with the daily routine of the recipient. The inhibition threshold to open the malware-infected attachment or to click the malicious link is very low. In 95% of all cases, this click will then result in a successful malware infection. This is the entry point for a far more sophisticated campaign that gives the attacker backdoor access to the corporate network and may only come to light several months later.
CEO fraud: The cybercriminal pretends to be a general manager, CEO, CFO, or other high-ranking employee. The email might read as follows: “A secret company takeover is coming and only you have the trust of senior management. Further information will be transmitted to you from (pretend) Bank Clerk X from (corrupt) Bank Y.” The follow-up email will contain bank account details of an account controlled by the fraud organization and an amount to be paid.
The consistent theme, regardless of approach, is that the cybercriminals will have used social engineering to make their approach appear as legitimate as possible. Unless employees’ awareness is raised so that they are vigilant at all times, these attacks can be treated as a normal communication from a colleague or manager.

Defeating Social Engineering Through Training
Cyberattacks via social engineering are nothing more than old-school acquisition of information through hands-on research. Many attackers and social engineers try to take advantage of people’s emotions and readiness to help others. And their successes come from the ways in which their attacks appear absolutely believable. Little hints can help the attacker move forward, such as:
• Colleague X is on vacation
• This is done by Department A
• Yes, our CFO is usually very impatient
• No, we use antivirus from vendor Z
Every name mentioned, every connection from day-to-day business, will help the attackers prepare the next call so it’s even more efficient or targets a more fitting contact person.
Train your employees and yourself to stay skeptical at all times and never divulge anything to unknown parties on the phone. Managers, especially, tend to underestimate this type of attack as they consider themselves unlikely to ever reveal anything. This can be a very dangerous mistake.
Raising employee awareness of suspicious phone and email communications is key. Some of the triggers employees should be trained to look for include:
• Subtle errors or differences in URLs or email addresses that on first look seem normal. Sometimes the sender’s name is correct, but when you look at the address, it’s subtly different.
• Most attacks will be focused on getting you to click something within an email. If you are being asked to provide personal or corporate information via a link, or if the actual address you’re directed to go to doesn’t look legitimate, call to check its legitimacy first.
• While many emails and phone calls are well-crafted, look for language mistakes, as adversaries may not be using their first language.
• Use of corporate graphics or images to make their emails seem genuine.
• Use of language in the email that is designed to make you take action.
If there’s any doubt, it’s best to call and verify whether it is real or not, even if it seems the email has come from within the company. IT security teams should contin-

uously train and inform employees and colleagues. This can happen via employee meetings or via automated tests that check password quality.
Especially effective are self-designed phishing emails. These are created by your cybersecurity team and used to increase employee awareness of potential phishing emails. You can use a variety of incentives to mislead the recipient into clicking a contaminated link—different people will respond to different stimuli. You might try to tap into an emotional response or offer a tablet or smartphone as a prize. A phone call after a click explaining how to avoid the mistake in the future will not only reduce the risk that the employee will make the same mistake again, it will also encourage people to come forward and report a similar situation in the future. This type of targeted education is far more efficient than generic training and preaching the same doctrine to all employees in a sterile environment.
Every email the IT department can identify directly after—or even before—the first click lowers the chance of a successful phishing attack. As soon as the attack path is known, the IT team can block access to malicious web addresses, prevent the execution of the malware, and reset potentially phished passwords (and revoke any sessions already opened with them).
For these tests and training to be effective, it is critical that there be a no-blame culture. Employees must understand how to report a situation in the future. And you need a way of monitoring people who do not report when they have clicked a contaminated link so you can work with them to ensure they do report it in the future.
The combination of deploying different activities and repeating them regularly is key to success. However, don’t go overboard or you will achieve the opposite effect. A password-quality checking tool that is too old or poorly configured is not only expensive, it can also frustrate employees to the point where they start writing down their passwords again. In this case, the company would have to spend a lot of money while decreasing the level of security. With a much less expensive employee event, the company might have achieved far more. Events that thrill the employees with concrete examples help generate awareness of cybersecurity challenges.
It also helps to recognize behavioral changes of employees and colleagues as early as possible. Anomalies can be logins from unknown places or data accessed from previously inactive seats. Modern protective tools and processes can help by recognizing anomalies and automatically alerting IT and security personnel to proactively shut security gaps and contain and limit the damage of a successful attack.
It makes more sense to watch the critical data with this type of process than to rely only on stronger barriers around the data center. These days, intrusions into the company network are hard to prevent; it is crucial to notice manipulations and data loss immediately in order to limit them.

Posing Critical Questions
To get a feel for the organization’s vulnerability to social engineering, and the type of training that would be most effective, the IT team can pose specific questions to managers and employees, including senior-level executives and board members. Questions to ask include:
• What percentage of individuals have a general security awareness?
• What is the common understanding of cybersecurity across the people in your department? How does that change across the company?
• How well are the organization’s security experts understood, or do the IT and security teams speak a different language than the business people?
• What obstacles have data security concerns created at work?
• Has the security situation produced concerns, and what overreactions has it created?
• Who are the in-house social engineering or forensics experts, and how do they keep themselves updated?
The answers to these questions will be different, depending on the business unit. Executives at a regulated company handling health data might exhibit greater awareness than those at an unregulated company. The reality, however, is that every company is vulnerable, and every organization has data that needs to be protected.
The potential for harm is endless. The organization must be aware of the risk. To reduce this risk, it is important to prevent an overreaction, which complicates interactions with customers and reduces your employees’ ability to work.
In addition to posing questions to employees, organizations can benefit when senior-level executives pose specific questions to their cybersecurity leaders. These questions can help determine what intentions and goals they are trying to achieve with their cybersecurity investments:
• What is your intent with this investment? In other words, what are you protecting?
• What is the business impact of doing so?
• What is the business impact of not doing it?
• What is the risk of delaying the investment—can we delay it six months, or can we speed it up?
• Do we have anything similar already in place? Why is this not already sufficient?

Raising Awareness for Every Single Employee
Top executive management needs to be willing to bear the consequences of cyberattacks and ensure appropriate and balanced communications to all employees. There are some basic points I would urge all executives to look at within their departments and across their organizations.
Employees must be aware that information such as “Who is working where and with whom?” is extremely interesting for industrial spies and the people supplying them with background information. This is the same as it is in private life, where burglars learn from Facebook posts that a house is empty due to a long-distance trip and where the house is located. This example can easily be transferred to work life. Pictures from the last company party deliver information regarding which employee knows which colleague and what their names are. This might already be enough information to tune a spear-phishing email with personalized information and provoke the fatal click.
Obviously, you can’t prevent employees from using social media, but you can ask them not to post work-related information, e.g., people’s roles, names of projects, etc. These days, every comment on the web can manipulate public opinion regarding the employer or provide important information that adversaries can use to start an attack against IT or other departments.
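The trigger list earlier in this chapter (a sender name that is right while the address is subtly different; a link whose real destination does not look legitimate; language written to make you act) can be partly automated, so that the message reaches the employee already flagged. The following Python is an added example and is not part of this chapter or of any AXA tooling; the corporate domain example.com, the two messages, the confusable-character table and the pressure-word list are all constructed assumptions for the demo.

```python
"""Added example: mechanical checks for the phishing triggers listed above.
Everything here is constructed for the demo: the corporate domain, both
messages, the confusable-character table and the pressure-word list."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"          # assumption for this example

# Substitutions that make a domain read correctly at a glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"))
# Words the chapter calls "language designed to make you take action".
PRESSURE_WORDS = ("urgent", "immediately", "wire", "payment",
                  "suspended", "verify your", "within 24 hours")


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character typosquats
    (and will also match unrelated short domains, so treat it as a hint)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(domain):
    d = domain.lower()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def is_lookalike(host, trusted=CORPORATE_DOMAIN):
    """True when host is not trusted but could be mistaken for it."""
    host = host.lower()
    dom = registrable(host)
    if dom == trusted:
        return False                      # trusted domain or a real subdomain of it
    if host.startswith(trusted + "."):
        return True                       # example.com.evil.net
    return normalize(dom) == normalize(trusted) or edit_distance(dom, trusted) <= 2


def _host_of(text):
    """Hostname if text looks like a URL or bare domain, else ''."""
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def check_message(raw, trusted=CORPORATE_DOMAIN):
    """Return a list of human-readable findings; an empty list means no trigger fired."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain and is_lookalike(sender_domain, trusted):
        findings.append(f"sender address is {sender_domain}, not {trusted}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"replies go to {reply_to}, not to the sender")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        real = (urlparse(href).hostname or "").lower()
        shown = _host_of(re.sub(r"<[^>]+>", "", text).strip())
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        if real and is_lookalike(real, trusted):
            findings.append(f"link destination {real} imitates {trusted}")

    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in PRESSURE_WORDS if w in plain]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample: a CEO-fraud style message that should trip several triggers.
PHISH = """\
From: "Alex Chief (CFO)" <alex.chief@exarnple.com>
Reply-To: alex.chief@example-invoices.net
To: pat@example.com
Subject: Urgent: vendor payment before noon
Content-Type: text/html; charset="utf-8"

<p>Pat, I need this wire released immediately, I am stuck in a board meeting.</p>
<p>Confirm here: <a href="https://example.com.secure-pay.net/login">https://example.com/finance</a></p>
"""

# Constructed sample: an ordinary internal message that should pass.
LEGIT = """\
From: "Alex Chief" <alex.chief@example.com>
To: pat@example.com
Subject: Q3 numbers
Content-Type: text/html; charset="utf-8"

<p>Pat, the deck is on the intranet: <a href="https://intranet.example.com/q3">intranet.example.com/q3</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_message(raw) or ["no triggers"])
```

The checks deliberately stay simple: the registrable-domain comparison is an approximation of the public suffix list, and the edit-distance rule will also flag unrelated domains that happen to be two characters away from yours, so the output is a prompt for the phone call the chapter recommends, not a verdict.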

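The habit described in the previous chapter (let automated monitoring surface abnormal data movement, then have a person look before the very large transfer goes through) and the anomalies named in this one (logins from unknown places, data accessed from previously inactive seats) reduce to a few stateful rules over an activity log. The following Python is an added example, not part of either chapter or of any product; the record format, the two thresholds and the activity log itself are constructed assumptions for the demo.

```python
"""Added example: three behavioural rules over a constructed activity log.
Record format, thresholds and the sample itself are assumptions for the demo."""
import json
from datetime import datetime, timedelta

DORMANT_DAYS = 60                         # silence longer than this is suspicious
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # outbound volume worth a second look

# Constructed sample: one JSON record per line, in time order.
SAMPLE_LOG = """\
{"ts": "2018-03-01T09:02:00", "user": "dana", "event": "login", "country": "US"}
{"ts": "2018-03-01T09:10:00", "user": "dana", "event": "transfer", "dest": "backup.example.net", "bytes": 120000000}
{"ts": "2018-03-02T08:55:00", "user": "kai", "event": "login", "country": "DE"}
{"ts": "2018-03-03T09:00:00", "user": "dana", "event": "login", "country": "US"}
{"ts": "2018-04-25T09:00:00", "user": "dana", "event": "login", "country": "US"}
{"ts": "2018-05-20T02:14:00", "user": "kai", "event": "login", "country": "DE"}
{"ts": "2018-05-21T03:40:00", "user": "dana", "event": "login", "country": "NG"}
{"ts": "2018-05-21T03:45:00", "user": "dana", "event": "transfer", "dest": "203.0.113.9", "bytes": 900000000}
{"ts": "2018-05-22T10:00:00", "user": "kai", "event": "transfer", "dest": "backup.example.net", "bytes": 5000000}
"""


def detect_anomalies(log_text):
    """Return alerts as dicts with user, rule and detail, in the order they fire.

    Baselines are learned from the log itself, so the first sighting of a
    country or destination is never flagged; a real system would seed them
    from history."""
    countries, dests, last_seen = {}, {}, {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts, user = datetime.fromisoformat(rec["ts"]), rec["user"]

        # Rule 1: a previously inactive seat becomes active again.
        prev = last_seen.get(user)
        if prev is not None and ts - prev > timedelta(days=DORMANT_DAYS):
            alerts.append({"user": user, "rule": "dormant-account",
                           "detail": f"first activity after {(ts - prev).days} days"})
        last_seen[user] = ts

        if rec["event"] == "login":
            # Rule 2: login from a place this user has never logged in from.
            known = countries.setdefault(user, set())
            if known and rec["country"] not in known:
                alerts.append({"user": user, "rule": "new-country",
                               "detail": f"{rec['country']} (seen so far: {sorted(known)})"})
            known.add(rec["country"])
        elif rec["event"] == "transfer":
            # Rule 3: a large outbound transfer to a destination this user has not used before.
            seen = dests.setdefault(user, set())
            if rec["bytes"] >= LARGE_TRANSFER_BYTES and rec["dest"] not in seen:
                alerts.append({"user": user, "rule": "large-transfer-new-dest",
                               "detail": f"{rec['bytes']} bytes to {rec['dest']}"})
            seen.add(rec["dest"])
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG):
        print(a["user"], a["rule"], a["detail"])
```

Run against the sample, the rules fire for kai's first login after 78 days of silence, for dana's first login from a new country, and for dana's 900 MB transfer to a destination never used before; the small transfer and the routine logins stay quiet. Each alert is the point at which the chapters want a human to look before the action is allowed to complete.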
Conclusion: We Are All United
Every employee on every level of the organization must be actively aware that he or she is personally responsible for data security and the image of the company. Only with continuous and engaging communication can security awareness be established and a culture of cybersecurity be developed. Only by making employees aware of the risks and consequences can carelessness be prevented and sensitivity raised. Only through constant vigilance can organizations ensure that security risks are identified and, even more importantly, reported.
It is also important that in-house security experts—and other leaders—network effectively and empower the right culture. By sharing information with colleagues from other companies, your IT and security teams will know what questions to ask internally. Leaders can learn from the failures of others, and also from their successes. In the war against cybercriminals, all companies must be united.

1 “Top 5 cybersecurity facts, figures and statistics for 2018,” CSO from IDG, Jan. 23, 2018



37
Hunting for the Cyber Leader With the Best Board-Level Credentials
Matt Aiello — Partner, Heidrick & Struggles, United States of America
Gavin Colman — Partner, Heidrick & Struggles, United Kingdom
Max Randria — Principal, Heidrick & Struggles, Australia

The billionaire founder of a New York-based online games business with a global franchise was deeply concerned. His company had developed market-leading and inspiring games that attracted millions of tech-savvy customers. But many of those avid customers were too tech-savvy: They had uncovered and exploited multiple ways of circumventing the paywall, and were playing for free.
The company’s board knew they were facing a pivotal moment—one that demanded the combination of technical skills and business acumen of a world-class chief information security officer. Recognizing the critical business issues at play, the board initially targeted a specific, big-ticket CISO, only to discover during the recruitment and interview process that the candidate didn’t have the skill set required to address cybersecurity at the highest possible strategic level.
Instead, the board held out for a different kind of CISO, one who was able to tackle the strategic issue of ensuring application security. He was recruited, not because he had the best all-around skills portfolio but because he had the ability to deal with the highest levels of risk. Under his leadership, the business’s revenue leakage was stanched. Crisis averted.
This real-world scenario illustrates why searching for and landing the right CISO is more important than ever. It also sheds light on why the process is challenging for even experienced board members and their organizations’ C-suite executives. That’s because there is no universal playbook for identifying the perfect CISO candidate. In fact, there is no such thing as the perfect CISO candidate. What boards should look for—and what they should demand in executive searches for their next CISO—is a candidate who is perfect for their organization. After all, no two organizations are the same; each has different economic, operational, and reputational risks, and cybersecurity strategies must account for those unique circumstances. That means that the qualities, experiences, skills, and attitudes that make one candidate ideal for Organization A may make them a complete misfit for Organization B.

And there’s another important consid- now has a built-in, even eager, audience
eration for boards to keep in mind. No that wants to hear about cyber risk and,
matter who you tap as your next CISO, importantly, what is being done about it.
or what reporting structure you adopt for This means that board members need to
your new cyber chief, the CISO exists to demand the hiring of a CISO with exec-
serve the needs of the very top echelon of utive personality, not just one who spouts
the organization. a technical vocabulary that does little but
As important as the CISO is, the ulti- confuse people. While the CISO must
mate decision-makers on cybersecurity have requisite technical skills, those can be
remain the board and the CEO. If the identified and even “bought” far more eas-
CISO fails to execute their job well enough ily than someone with significant board-
to protect the organization, its data, and its room presence.
competitive position, the blame ultimately And board members should be aware of
falls at the feet of the board. the risks in elevating those who can “talk
That means boards need to exercise the talk,” but who are out of their depth
even more diligence than ever when deter- should a crisis erupt. The board must be
mining who to hire, how to structure their confident that the CISO they appoint is
roles and responsibilities, where to look both operationally sound and has board-ap-
to recruit them, and which tradeoffs are proved procedures in place to respond to a
appropriate to make in order to land the major attack. This CISO must also be able
best possible candidate. to work in parallel with the CEO and other
C-suite executives to ensure they are fully
In Defense of Reputation and Brands briefed on all eventualities. Most of all, the
As cyberattacks have become more auda- CISO needs to have the full confidence of
cious and damaging to organizational their peers and the board that they have
reputations, board members have had to the full sphere of technical, financial, reg-
embrace new responsibility for ensuring ulatory, and operational bases covered—
the protection of the business. Well-known and will be calm, reassuring, and confident
brands have been targeted and attacked, when a crisis hits.
raising the stakes for everyone through- After all, your organization’s brand rep-
out the organization—and often reshaping utation can rise or fall based on how good
the way CISOs are viewed by their boards. a job your CISO does in preparing the
CISOs, long accustomed to fighting for air organization to respond appropriately and
time to talk about threats, now are being quickly when a data breach takes down
cast in the center stage at board and com- your customer-facing systems for an hour.
mittee meetings.
This is an important development for When Demand Exceeds Supply of
business-savvy CISOs, who now are being Elite CISOs
seen as trusted advisors responsible for pro- Most cyber leaders are trying to build
tecting the “corporate shield,” rather than as robust teams of security professionals to
doomsday fearmongers warning about tech- handle multiple threats; but building those
nical weaknesses threatening to expose the teams requires a willingness to search far
organization’s crown jewels to cyber thieves. and wide for the best and the brightest—
Instead of convincing fellow executives starting with the CISO. There is a rela-
to take him or her seriously, the CISO tively small, finite number of prized pro-

244 People
fessionals to fill the CISO role, and they Cyber talent also is increasing in num-
are regularly on the move across national ber and depth in other geographies—
and even international borders. Our firm although it is still not able to meet the
recently assembled a shortlist of top candi- rising demand. For instance, Australia is
dates to fill an open CISO slot, only to see known as an exporter of talent in the secu-
our list whittled down every day as candi- rity industry. In the last two years in Aus-
dates were snapped up by rival offers. tralia, there has been an enormous increase
As the cyber leader’s role is maturing, in CISO positions in all industries and at
the process of identifying and recruiting all levels. Israel is another excellent source
the next CISO is becoming more complex. for security talent. Israel plays a dominant
But there may be lessons learned by look- role in cyber-security, with high-growth
ing at potential candidates through both start-ups and major product developments
industry and geographic filters. In Silicon outsourced by the major Silicon Valley
Valley and other technology hubs, digi- tech companies.
tal-native organizations employ security In order to attract the ideal CISO,
professionals who are charged with pro- boards increasingly are giving consider-
tecting their organizations against some ation to what type of reporting structure
of the most relentless and sophisticated they should have with the CISO in order to
attacks. And in financial services firms ensure that cybersecurity receives its proper
in New York and other financial centers, prioritization and attention, and that the
security professionals have had to up their CISO receives the right mix of resources,
game in order to withstand a broadening responsibility, and accountability.
set of attack vectors. We are seeing several iterations of this
In Washington, DC, government agen- reporting structure, depending on the size
cies are at the leading edge in the battle for and scope of the organization. Tech firms,
top cyber talent, where a lot of this indus- financial services institutions, and consum-
try expertise has been forged under fire. er-facing companies dependent on tech
These agencies are excellent places to find transactions, such as retail, hospitality, air-
top cyber talent, though generally below lines, and healthcare, are increasingly see-
the C-level. ing the need for a board-level cyber leader.
Major European enterprises have expe- Rapidly catching up are large infrastruc-
rienced sophisticated and prolonged ture providers such as energy, oil and gas,
cyber-attacks from malicious actors, and large-scale manufacturing.
including rogue states, who are deploy- Reporting structures may not always be
ing massive resources to attack legitimate a perfect representation of the priority an
targets to extort money and data. Increas- organization places on cybersecurity. But
ingly, private-sector companies depend on there is a lot to be said for the message it
a collaborative cyber community, includ- sends to your ideal CISO candidate when
ing European government agencies, such they are told that they will have direct
as NATO, NCSC-NL, and GCHQ, that access and accountability to the board.
shares cyber alerts and stays updated with
businesses that are willing to step in to help Don’t Wait for Perfection
those under attack. This kind of extra-cur- The French philosopher Voltaire is often
ricular networking activity should be dis- credited with saying some variation of,
cussed and sanctioned by the board. “Perfect is the enemy of good.” He must

Hunting for the Cyber Leader With the Best Board-Level Credentials 245
have been anticipating boards’ current dilemma in their searches for the so-called “perfect CISO.”

As stated above, there is no perfect CISO candidate, so boards and executives should not wait for perfection. However, they must not hire sub-optimally either, as the costs will vastly outweigh the benefits of a compromised hire. With such rapid change in cybersecurity threats, vulnerabilities, and risks, it is difficult for a “pretty good” candidate to have the luxury of time to grow into the CISO role. If a compromise must be made, focus on hiring for the skill set associated with the highest risk. Evaluate your operations and technology environment, and hire a CISO who fits that environment. Be open to restructuring the role around the person, as well.

Today’s leading CISOs possess a blend of leadership traits, including an air of credibility, board-level presentation skills, and strong business acumen, and tomorrow’s CISOs will need to lead more by influence than authority. Boards must look for agile, risk-focused people who are quick learners and are comfortable positioning security as a strategic advantage and marketplace differentiator.

The board also is looking for superior levels of personal integrity and ethical trust. It is vital to understand that CISOs are not always motivated by the size of their pay check, but by the mission and the higher purpose of the organization. Often, the cyber leader has a quasi-spiritual determination to defend the enterprise, the data, the customers, and the entire organizational ecosystem from malicious intent. This results in the building of a strong fellowship of collaboration among those who embark on this mission.

Another important consideration is for boards to think down the road during their CISO-hunting expedition. As the rate of cyber-change accelerates and as threats rapidly transform, it’s essential for boards to hire a CISO not just for today’s needs, but particularly for where you want your business to be in three years’ time. For instance, it might be better to “overhire” and pay more than feels comfortable to attract a candidate best suited for tomorrow’s needs. Remember: Your cybersecurity requirements will undoubtedly change over time.

Conclusion

Ask 10 board members which corporate role, after the CEO, is most critical to an organization’s success, and you’ll likely get 10 different answers. Sales, finance, operations, engineering, IT, marketing—they all are essential to the organization’s long-term health and success, and the C-level executives overseeing those and other functions need to be top performers.

Now, cybersecurity must be considered at the same apex of the corporate organization. A board’s decision on its next CISO can make the difference between market leadership and a badly damaged brand, profits and losses, customer confidence, or mistrust. It’s a decision-making process that must be taken seriously at the board level.

Your organization’s long-term health and viability depend upon it.

Process
38
How to Manage a Data Breach
Lisa J. Sotto — Partner, Hunton Andrews Kurth LLP

Every organization is vulnerable to cyberattack. But being aware that an entity is vulnerable is not the same as being prepared to manage such an event. The number of data breaches annually continues to skyrocket. According to the most recent data breach report by Verizon, there were 2,216 data breaches in 2017, across 65 countries. More than three quarters of those breaches were financially motivated.¹

Managing a data breach is a major undertaking that can quickly overwhelm an organization in the throes of an attack. Depending on the size and scope of the incident, it could monopolize virtually all of management’s time and energy for months. Worse, it could expose the organization to enormous risk—financial, legal, and reputational—if the appropriate steps are not taken from the beginning to help ensure a proper investigation, reporting, notification, and communication.

Among the most effective ways to prepare for a data breach is to have a clear understanding of the process involved in responding to an intrusion. There are many lessons to be learned from best practices that have evolved over the years and enabled organizations to successfully navigate global data breaches.

Event and Mobilization

To understand the arc of a data breach, it is important to consider each step in the timeline on the next page. Regardless of industry sector, every organization experiencing a cyber event generally will experience the stages set out in this timeline.

The response effort commences immediately following identification of an attack. The organization must quickly mobilize the proper resources for a coordinated response.

Businesses may learn about a cybersecurity event through a variety of channels. For example, the information security function of an organization may find an anomaly in the company’s systems, signaling a breach of the system. Or the entity might be contacted by law enforcement officials who identified data linked to the company on the Dark Web. Alternatively, a company’s customer service center might receive a sudden barrage of customer calls suggesting that fraud has occurred. The media also is active in identifying cyber events and notifying companies before they find the issue in their own systems. Although there are many different avenues by which an organization might identify an issue, the key is to respond immediately and start putting the right plan in place.

Once aware of an issue, the organization’s chief information security officer and her team generally will take the lead, along with the company’s general counsel. Outside counsel frequently is brought into the fray in an effort to preserve the company’s legal posture, including protecting privilege—to the extent possible—around the investigation. If the breach appears significant, counsel likely will advise the organization to implement a legal hold, requiring that relevant records be preserved. Counsel also may raise the possibility that the breach constitutes a material event requiring disclosure under the securities laws. Finally, counsel may suggest notifying the relevant insurer.

Counsel will work with the organization to determine whether to retain an outside forensic investigator. For a major breach, several different investigative teams might be brought in, each with different areas of expertise. For example, some external experts have deep technical knowledge in finding and following the footprints of an attacker. Others may be adept at gathering intel and determining the attribution of a threat actor. Still others, such as certified PCI forensic investigators, may focus exclusively on the payment card aspects of a breach.

In addition to hiring forensics experts, it also may be appropriate to contact law enforcement authorities during the early stages of awareness and investigation. Depending on the circumstances, the company might choose to contact either a federal or a local law enforcement agency. It is important that the group handling the incident be limited to need-to-know personnel. Keeping the circle of breach responders small can help to prevent leaks and speculation.

Notification

As the forensic investigation is proceeding, the relevant legal analysis is occurring simultaneously. Among the questions at this stage are the following: What type of data is involved? Is the affected information considered personal data? If so, what data elements are affected? What are the jurisdictions of the individuals whose data may have been impacted? How many people’s data is at risk? Over what time period did the attack occur? Is the intruder still in the system? Myriad questions will need to be answered at this stage.

With respect to breach notification, in the U.S. alone, it may be necessary to analyze the laws of each of the 50 states (and a number of other jurisdictions with breach notification requirements, such as Guam, Puerto Rico, the U.S. Virgin Islands, and Washington, D.C.). In the EU, with the enactment of the General Data Protection Regulation (GDPR), companies are required to notify government authorities of a personal data breach within 72 hours of becoming aware of such an incident.

Given the aggressive timing requirements of certain breach notification laws, organizations often are in the unenviable position of having to issue notification while the forensic investigation is taking place. The difficulty of this position is that the findings from a forensic investigation frequently change as the investigation proceeds; entities would be wise to avoid relying on their first instincts when trying to scope the issue. The forensic investigation will need to unfold before the nature and scope of the breach can be properly understood and assessed.

In these early stages, counsel typically begins working to craft the appropriate documents, which could take the form of notifications to regulatory authorities; letters or emails to affected individuals; and notices to a variety of other stakeholders, such as business partners, enterprise customers, service providers, media, employees, and relevant government entities (in addition to regulators).

There may be many parties to consider and numerous stakeholders to manage. Crafting a communication strategy can be challenging, and external PR experts may provide sorely needed assistance. Adding to the pressure, this strategy often must be crafted within a tight time frame when the facts are not clear. As mentioned above, in the EU, there is a 72-hour-notice requirement for notification to the appropriate government regulator. In certain industries, such as the energy sector, notification to the regulator could be required in as little as one hour.

It is also important to understand that the evolving narrative may not be in the company’s control. Social media plays a significant role in today’s information environment. News of a data breach will go viral quickly, even before an affected organization has had an opportunity to coordinate a communication strategy. A third-party public relations firm may be able to provide assistance in helping to manage the message and craft the right PR framework.

The notification generally should be sent directly to the affected individuals. Alternatively, if the impacted organization does not have contact information for the relevant individuals, or the cost of mailing a notice to the affected population would result in expenses exceeding an amount specified by law, “substitute” notification is available. This enables the affected organization to provide the public with information regarding the data breach. The substitute notification rules require the affected entity to post information about the breach on its website, provide notification to statewide media (which is most commonly accomplished via a press release), and send an email to the relevant individuals if email addresses are known.

Sending the notification in a timely manner is essential. To assist with the mailing, companies often retain external mail houses. In addition, the services of third-party call centers are frequently invoked to assist with the inevitable barrage of calls following notification of a data breach. It is helpful to use skilled customer service agents, particularly those in specialty call centers that routinely handle data breaches.

Going Live

Once the event has been announced publicly, the affected company can expect an immediate barrage of inquiries—from federal regulators to state attorneys general to foreign data protection authorities. The company will be faced with myriad questions about the data breach, as well as the organization’s overall security posture. Business leaders should anticipate a multi-month, or even a multi-year, exchange of information and dialogue with regulators.

With respect to regulator activity following a data breach, most government inquiries result only in an investigation, not enforcement. Should an investigation culminate in an enforcement action, fines may be imposed by some regulators (such as state attorneys general and some overseas data protection authorities). Other regulators, such as the U.S. Federal Trade Commission (FTC), have limited authority to impose monetary penalties and instead often seek equitable relief. In actions involving the FTC, enforcement associated with data breaches typically results in a settlement in the form of a consent order. The FTC could impose significant financial penalties for violation of a consent order.

In addition to regulatory activity, lawsuits are likely to follow most significant data breaches. These actions may be brought by affected individuals, issuing banks, shareholders, and other parties directly or indirectly impacted by the breach. Lawsuits resulting from data breaches can take years to resolve. Between litigation and regulatory action, organizations will be dealing with the ramifications of a breach long after the actual event.

Being Prepared

In addition to understanding the processes involved in managing a data breach, there are steps organizations can take to be better prepared before they suffer a breach and are thrust into response mode. Although some cyberattacks are inevitable and cannot readily be prevented, being prepared to identify intruders quickly and manage the fallout is critical in today’s pernicious cyber environment.

One key readiness step is to build relationships in advance with cybersecurity experts. The better-prepared companies know which forensic firm, counsel, PR firm, call center, credit monitoring service, and mail house they will retain in the event of a breach. These breach response providers may be listed, for example, in the company’s incident response plan.

Purchasing cybersecurity insurance also is a key cyber preparedness step. The organization’s cyber insurer can play a significant role in helping to assemble a breach response team. Cyber insurers often have significant experience managing breaches; compromised companies can leverage that experience to help accelerate and coordinate the response.

Other key cyber preparedness steps include maintaining a state-of-the-art incident response plan. This plan typically is a dynamic document that should be revisited frequently to reflect the rapidly evolving threat landscape. It is also important to establish a relationship with relevant law enforcement authorities before experiencing an attack. Get to know local cyber law enforcement teams in advance, and begin building a collaborative relationship before an incident occurs.

Many organizations conduct tabletop exercises to practice their incident response plans and help ensure that the members of their incident response team understand their respective roles and responsibilities in the event of a cyberattack. Tabletop exercises help build institutional muscle memory and will serve to streamline an entity’s breach response, mitigating harm associated with an actual event. Although cyber incidents are inevitable, practicing managing such an event through a tabletop exercise can serve to reduce inefficiencies and organizational stress associated with real events.

Conclusion

The threat of cyberattacks continues to grow. Whether criminal hackers, nation-states, or hacktivists, cyber intruders are often technically savvy, well-funded, and highly organized. Because of the potential havoc cyber attackers can bring, it is incumbent upon all companies, regardless of industry sector, to take appropriate steps to prevent successful attacks.

In today’s precarious cyber environment, organizations need to be aware that the increased scrutiny that could result from a data breach could have a profound impact on a business’s operations, financial position, and reputation. How an organization responds to a data breach is often a bigger test than the breach itself. By knowing what it takes to respond, business leaders can be better prepared to provide the leadership and guidance necessary to successfully steer their organization through a cyberattack.

¹ “2018 Data Breach Investigations Report,” Verizon, March 2018



39
Incident Response: How to
Deal With a Cyberattack
Dr. Andreas Rohr — Chief Technology Officer,
Deutsche Cyber-Sicherheitsorganisation GmbH (DCSO)

Compromised networks are the new normal. It does not matter which sector a company operates in or how large or small it is: Professional attackers find data in every organization that can later be turned into economic advantage or cash on the black markets. For some time, the question—from the criminals’ perspective—has not been whether an organization can be successfully attacked; it has been only a matter of when.

While it may be uncomfortable to acknowledge this new reality, it is necessary. By recognizing that total protection is not economically feasible, leaders in business, IT, and security can focus on the real task at hand—minimizing the chance and impact of a data leak and getting back to the work agenda.

Of course, even in a world where successful attacks are a part of daily business, your organization cannot get by without security mechanisms such as firewalls, virus scanners, ID and access management, etc. These components generally ward off attackers that are not operating in a targeted fashion; adopting the watering-can principle (one of the sprays of water is bound to hit the target), these attackers search across wide areas for vulnerable infrastructures.

By contrast, professionals with a targeted approach can generally overcome these hygiene security mechanisms. In most cases, they do this by selecting one or more employees in the target organization and turning them into unknowing accomplices for the leap over the firewall, via social engineering. Another common mechanism is to use less-secure entry points at a subsidiary or supplier location that are connected to the corporate network.

Allow the Attacker to Have Their Moment

In such cases, attackers initially have one objective: remaining undiscovered for as long as possible in order to tap into company secrets. If data thieves have compromised your network, managers should take time to reflect on the situation. They should not act on their instinctive response to take the affected systems offline and delete or even dispose of them in order to keep the loss as small as possible.

Modern, smart attackers set up several back doors, allowing them to regain access to the network. In today’s complex IT infrastructures, often distributed across countries, it is easy to set up various hidden access routes. So, if the company deletes parts of the criminal’s toolkit or footprint, it does not take out the data thief’s full arsenal of weaponry.

This takes the company into a more dangerous phase because people think they can relax. But that relaxation is, at best, deceptive. Think about it this way: If you discover an intruder in a bedroom in your home because his flashlight has given him away, your instinctive response is to drive him off. But in doing so, you may have overlooked an accomplice lurking in the darkened kitchen.

Waiting has the additional advantage of allowing your team to learn about possible additional back doors by observing the behavior and tools used. Moreover, by gathering information, it is possible for your team to gain insights into what is motivating the intruders, possibly even discovering their identity.

Plan Countermeasures in Secret

Naturally, you cannot allow the intrusion to progress to the point where data thieves are clearing out the company silverware under the gaze of company management. If criminals are starting to work on databases, design drawings, confidential contracts, or the entire customer base, you must disable the ability of the attacker to act, and cut connection immediately.

But shutting systems or connections down is not enough. In order to avoid data being copied again once the connection is switched back on, the data needs to be completely removed from the compromised network and a transitional structure created.

Nearly all attackers have the patience to wait until a company shuts down parts of its network, so a shutdown without rebuilding is insufficient. As long as the intruders are only creeping through the network by lateral movements, cybersecurity specialists can track their movements, making it quicker to identify the entry points and tools used.

In an extended organization, this process of illumination and tracking can take anywhere from eight weeks to six months. Admittedly, a waiting period such as this can be hard to tolerate. For that reason, if an incident does occur, company management needs to be united in its response, in advance of the attack. If the discussion starts when you learn about the intrusion, valuable time is being lost—especially since the outcome of the discussion could well be of questionable quality, due to the massive pressure from the crisis situation.

Who Turns the Tap Off, and When?

It needs to be clear who in the company is allowed to do what in the event of an attack being detected. Which committee or which employee is empowered to decide that the connection gets cut? Who releases what information to outside parties, lawyers, supervisory authorities, the stock exchange supervisory authority, customers, and the press?

It does no good getting together for the first time to thrash this all out as the intrusion is actually happening. Being prepared also means developing as detailed a scenario as possible for “pulling the plug,” i.e., determining which data is not permitted to be transferred outside the company by thieves under any circumstances, and how the shutdown of the affected systems is to be carried out.

In most cases, you will bring on an external incident-response service provider to handle illuminating the network and the hoped-for detection of the attackers. This service provider should be tied in to the company under contract at an earlier stage, and should not be brought on board in a frantic rush as the damage is being done.

At the same time, it is the service provider’s duty to protect the customer from misuse by overly curious employees. Confidentiality clauses are therefore essential. In order to enable the inspection of systems, networks, and services operated by external service providers, these rights need to be firmly anchored contractually in advance under outsourcing arrangements.

Set Out Responsibilities and Get All Stakeholders on Board

It is necessary to decide who will be making decisions in the event of a crisis, because no matter how good the preparation, unique situations will always arise. In bigger companies, it is probably the CIO, unless the CISO reports directly to the executive board. In that case, preference goes to the CISO, since the CISO’s area of expertise relates directly to the technical issues involved. If neither post exists, then probably the only option is the CEO or managing director, due to the significance of the decisions.

In all instances, it is important that the security specialists and experts running the IT systems act as a unit. Trust-based collaboration during times of peace is vital. Without it, when the crisis hits it triggers superfluous, time-consuming discussions and turf wars that detract from the actual objective.

You also need to determine how the crisis manager or the service provider entrusted with monitoring the environment can gain access to areas of the organization for which separate administrator rights are required: network infrastructure, applications such as SAP, databases, etc. It is possible that specific areas are being operated by external partners. Advance clarification is needed with all these parties as to which rights are to be granted in the crisis situation.

Empowering a Crisis Team

Prior to a crisis, the organization should have an ad-hoc committee in place that has a clearly defined path for decision-making and can meet as soon as a crisis occurs. The chair of the committee—probably the CIO or CISO—must be empowered to make decisions even against the votes of committee members.

The crisis committee should comprise representatives of individual corporate functions, i.e. legal, IT, IT security/group security, finance, HR, communications, etc. The committee should meet regularly for sessions lasting a maximum of 15 minutes, delegating the matters discussed to the relevant departments for implementation. The decisions should not be discussed with the company’s top management, but only within the committee.

Conversely, the organization should not spend too much time preparing for a crisis situation by devising various crisis scenarios. No matter how many employees take part in these planning games, they will still be surprised by the creativity shown and routines adopted by attackers. Accordingly, it should be sufficient to list the five or 10 most plausible attack scenarios (threat modeling) and play these through. Employees can rehearse some of these scenarios in a war game. It is more important to plan for response capabilities such as gaining visibility, given certain trigger information.

Steps for Dealing With the Crisis Situation

Preparing for the crisis situation includes defining the necessary steps and recording them so that no valuable time is lost if you are faced with the threat of data loss. It is true that every crisis involves something different, and every organization brings a different set of conditions to the table. Nevertheless, you can map out a viable plan in advance. Here are some key considerations that may not be apparent if you’ve never been through a cybersecurity crisis:

1. Never switch off the computers affected; instead, monitor the attackers by creating (real-time) visibility.

2. Do not waste time trying to elaborate on the root cause or assigning blame. This slows down your ability to deal with the crisis, because the people potentially affected will not be open about the situation, and they won’t collaborate. Likewise, it is pointless to assign blame. Ultimately, it is the job of the audit team to answer this question during its follow-up.

3. Top management should sit down with the ad-hoc crisis committee at the start and then allow the team to get on with its work. That includes making all required resources available to the committee. It is as simple as it sounds: Give them two suitable rooms, a budget for catering, and release them from filling out irritating forms; tasks involving too much organizational detail should be handled by others.

4. The chair of the committee and his/her respective authorizations must be identified to the whole organization in advance.

5. It is not only IT security experts who need to work in shifts in a crisis situation; IT personnel running applications also need to ensure they can be contacted around the clock. Attackers often favor moving through networks at times outside their victims’ normal office hours. If a monitoring sensor is triggered, an applications specialist may need to be brought on board to minimize the consequences.

6. Even if it is difficult for top management, the reporting that would normally happen needs to become a lower priority during the first two weeks after becoming aware that the network has been compromised. Perhaps a committee member can be available once a day for 10 minutes to bring management up to speed on the latest developments. One typical nail in the coffin in responding to an attack is when management wants individual reporting, which can require a great deal of time and effort. While it is an understandable stress reaction, it is a disastrous diversion from the work that is really essential.

7. Once you are past the first two weeks, a central control body should coordinate all further measures and, above all, obtain the necessary resources because, in most cases, there are no budgets for such situations. The employee entrusted with this role should have sufficient experience in having budget discussions with top management and in issuing instructions to the specialist departments involved. This normally rules out external consultants.

8. Another critical question is: Who pays for needed software or external experts? It is clear that the tendering process that would ordinarily be used has to be set aside, otherwise the organization will not be able to act in a timely manner in the event of a crisis. It is possible for a written power of attorney to be deposited in advance or, in the best-case scenario, even for a budget to be allocated. Alternatively, corresponding framework agreements can be put in place for possible support, which can then be called on as the process dictates.

9. A secure communications platform should be made available for communicating with everyone involved—the ad-hoc committee, employees in specialist departments, top management, external consultants, and auditors. The systems otherwise used for email or instant messaging should generally be considered as compromised, and therefore should be ruled out as a channel for exchanging confidential information. Suitable arrangements include internet data rooms and email SaaS platforms with two-factor authentication that are independent of the company infrastructure.

Conclusion

The time has come to acknowledge that complete protection against cyberattacks has become uneconomical and unrealistic. Instead of spending the entire cybersecurity budget on prevention, a good portion of the money should be invested in mechanisms for identifying successful attacks (detection) and after-care measures (response capabilities).

It is also important to remember that technology is only one part of the solution. People will determine your success in minimizing the damage of a cyberattack, so make sure you make budgets available for raising their awareness. Without the knowledge of what a social engineering campaign conducted by criminals looks like, employees can quickly fall victim to an attack.

In the face of an attack, standard processes within the company and otherwise customary methods of risk management come up against their limits. It may sound crazy and counterintuitive to allow cybercriminals to continue their work once they have been discovered, but that is often an important way to minimize damage.

If we are indeed at a time when complete protection is unrealistic, we must take the time and make the proper investments to ensure that we can respond quickly and appropriately if an attack takes place. In this case, it is an ounce of preparation that is worth a pound of cure.



40
Don’t Wait for a Breach to Build Your Communications Strategy
Robert Boyce — Managing Director, Accenture Security, Accenture
Justin Harvey — Managing Director, Accenture Security, Accenture

When it comes to cybersecurity breaches, there are two types of organizations: those who’ve been breached and those who don’t know they’ve been breached.

So, let’s assume the inevitable: Your organization has been breached. An unknown quantity of data has been stolen, records have been compromised, potentially damaging information may now be on a Wikipedia page, and your customers’ personally identifiable information is floating around the internet. It’s time to plot your communications strategy. Oh, wait. Too late.

Unfortunately, no matter how many smart steps you’ve taken to shore up your cyber defenses—girding your networks, and protecting your data with sophisticated tools and services—it’s important to plan for a breach, especially considering that data breaches are occurring more frequently and with increasingly insidious intent and impact.

Equally important, data breaches aren’t one-time-only events. Successful compromises beget more hacking attempts and, thus, it’s in every organization’s best interest to assume it will be hit—likely again and again—and have a detailed, actionable, and well-rehearsed communications plan already in place when a breach happens.

The Fundamentals of Breach Communications

Breach communications is more than sending letters to customers, talking to the media, or engaging lawyers. It is a comprehensive system of gathering, vetting, and sharing information with all relevant internal and external audiences. It also is designed to help ensure an organization’s ability to recover and restore operations after a data breach, regardless of data loss or financial and brand damage.

In our many client engagements, we’ve seen a fair share of data breaches. We’ve seen smart, disciplined, well-planned, and meticulously executed communications strategies. But unfortunately, we’ve also seen some regrettable, unstructured, and poorly executed efforts. In assessing both the successes and failures, we can offer actionable advice in two main areas: components of a breach communications plan and potential landmines to avoid.

Please forgive the cliché, but we know that “hope is not a strategy.” So, as you build out your breach communications plan or modernize an existing one, we encourage you to begin with a few fundamentals:

1. Stay calm. The first few hours following the discovery of a potentially damaging breach are critical, and you can undermine your organization’s well-intentioned efforts to minimize the internal and external damage if you allow yourself to be overcome by adrenaline, fear, or a misplaced need to seem bold and aggressive. The ability to remain calm and proceed in an orderly fashion will instill confidence in your employees, customers, trading partners, suppliers, opinion shapers, and regulators. It also can help minimize the potential for shooting from the hip with incomplete or inaccurate information, which could cause even greater damage.

2. Be prepared. It is an egregious failure of an executive’s or a board member’s fiduciary responsibility to not take the time and energy to prepare an action plan that includes steps to take before, during, and after a breach. Earlier in this book, Exabeam Chief Security Strategist Stephen Moore laid out some sound advice about cybersecurity preparation, including a smart idea to write your breach notification letter before you suffer a breach.

3. Engage all key players well in advance. When a breach occurs, everyone must know his or her role—which requires that the right people are recruited for input on the plan’s development, for involvement in game planning the response, and for assigning the proper roles and responsibilities. Every functional group in the organization must be engaged, and the right external resources—lawyers, forensic analysts, crisis management communications firms—must be identified and recruited. Waiting until a breach happens to start communications planning is much too late, and if you’re missing even one key contributor to the breach communications team, you risk leaving out critical elements from your plan.

Key Components of a Breach Communications Plan

At the heart of every breach communications plan is what you do before, during, and after a breach hits. Being prepared is a critical component of your breach communications strategy, but what are the actual steps you should put in place?

Assign roles and responsibilities. Once you’ve engaged all key players from all key functional groups, you need to decide who is doing what. At this point, don’t worry about “committee creep” by including too many people. Some people and functions may participate in the overall communications planning, others may focus on customer outreach. Some may concentrate on governance, risk, and compliance-related matters, and a few may be involved in every element of the plan’s development and deployment. The key is crystallizing everyone’s role so that when a breach happens and time is of the essence, there’s no ambiguity around who does what when.

Take a broad view of your communications targets. It’s natural for organizations—especially large, well-known brands with global recognition—to put media outlets at the top of the list for post-breach communications. Obviously, consumer, business, and trade media are important, but they are far from the only people and groups with whom you need to communicate. Regulators will also be keenly interested in the status of your efforts, the extent of the breach, and your plan to stanch the damage. If you’re a publicly traded company, stock analysts will be asking you questions while also answering others from the media about any potential impact to your stock price or competitive position. And don’t forget law enforcement organizations, who may see your data breach as part of an organized digital crime ring or another data point in an ongoing pattern of cybercrime they are investigating.

Identify and engage experienced third parties. Crisis communications firms, outside legal counsel, investor relations firms, and cybersecurity consultants all provide valuable perspectives from different areas of expertise. Undoubtedly, they’ve all been involved in similar incidents with other firms in the recent past, so they will be able to share advice based on real-world perspectives.

Pressure-test your plan. Okay, you’ve done everything listed above. You’ve got a comprehensive plan and everyone knows their role. Now what? Do you just sit around and wait? Well, does the military wait for their country to be attacked? Do police forces wait for a crime wave to hit? Of course not. They all practice, practice, practice. They stage rehearsals under as close to real-world settings as they can manage—and so, too, should you. Pressure-testing your plan is one of the most important things your organization can do before a breach hits. It could involve something as simple as tabletop exercises, where a pseudo-breach is assumed and everyone talks about what they are going to do. Or, it could be something more realistic, such as a full-on simulation where participants are not told it’s a drill and might do everything short of notifying law enforcement.

Determine how you will communicate. Depending upon the type and severity of the breach, your normal communications media—email, internet, even phones—may not be available to you, either because they have been damaged or their security has been compromised. Have a plan to utilize out-of-band communications and, even, engage in face-to-face discussions. And be careful what you put in writing. While we certainly don’t advocate doing anything illegal or improper, it’s crucial to understand that written communications may become essential in legal discovery well after a breach has been resolved.

Keep the board informed. You’re not necessarily asking for their permission on any aspect of your plan, but there’s a good chance that some, if not most, of your board members have dealt with similar situations in their own organizations. Listen to their experiences and heed their advice about steps to take in developing a more effective breach communications plan.

Engage law enforcement. Depending on the nature of your breach and the expertise of the law enforcement jurisdiction, this step can be tricky. Not surprisingly, the increasing incidence of cybercrime has driven law enforcement agencies to treat digital crimes on the same level as crimes of the physical world—robbery, assault, and others. A local sheriff’s department, for example, is not going to have the same capabilities—or maybe even the same interest—around data breaches as the U.S. Federal Bureau of Investigation or Interpol. While schools of thought are divided on how proactive organizations need to be in involving local law enforcement when a breach occurs, it’s a smart practice to build relationships with law enforcement as part of your pre-breach planning. This way, you have a familiar voice on the other end of the line when you suspect your data breach may be part of something bigger.

Potential Landmines to Avoid

While it’s unlikely that your planning will anticipate every potential twist and turn leading up to and following a data breach, there are some clear problem areas you should anticipate and plan to avoid when developing and implementing your breach communications program.

Fight the urge to overcommunicate. This recommendation may run counter to what executives are used to doing in their day-to-day business roles, but we’ve seen numerous instances of organizations saying too much, too soon after a breach. Let’s say Company A has a breach and loses data on 100,000 accounts; they release a statement talking about those numbers only to discover two days later that 500,000 accounts were compromised. While companies may need to keep regulators well informed on a regular and timely basis, it’s good to not have escalating data breach numbers played out in headlines, day after day.

Don’t overlook the need to test your communications plan. We’ve covered this in greater depth above, but one of the biggest mistakes you can make is to develop a comprehensive plan and let it collect dust on a shelf until the inevitable breach occurs. It’s important to update your plan on a regular basis; after all, people come and go, business processes change, regulatory requirements evolve. Don’t assume the plan you developed last year will still work next year.

Manage and control your employees’ use of social media. It’s astonishing to think that your employees would go on Facebook, LinkedIn, or Twitter to post updates on their efforts to “help” in mitigating the impact of a data breach. Sadly, we’ve seen this happen more than once. Most often, employees are simply trying to be good ambassadors of the organization to customers and visitors. To avoid any potential issues, make sure employees know that all social media communications related to a breach must be authorized by a designated functional group.

In her chapter on managing a data breach, Hunton & Williams partner Lisa Sotto provides important advice on the right way to use social media as an integral part of a coordinated breach communications strategy. Her key point rings loudly: “News of a data breach will go viral quickly, even before an affected organization has had an opportunity to coordinate a communications strategy.”

Take executive responsibility. Remember the actions of Johnson & Johnson in the immediate aftermath of the 1982 Tylenol tampering scandal? The company’s CEO was front and center, embracing responsibility and even advising the public not to take Tylenol; his leadership gained the organization much-needed credibility and leeway in re-establishing consumer trust.¹ Contrast that with the ill-advised comments of a BP executive after the tragic Gulf of Mexico oil spill and fire, where he complained, “I want my life back.”²

Don’t Become a Cautionary Tale

We cannot stress enough how vital it is to have an honest, open, and brutally candid discussion among your executive colleagues about your breach communications plan. As so many authors in this book have emphasized, cybersecurity is a leadership test—not a technology glitch. It demands the full attention and resolute commitment of both business executives and the board, and extends to their involvement in the development of a comprehensive and actionable breach communications plan, which is too important and complex to be left to a single individual to architect.

Cybersecurity isn’t a static state; your technology solutions are always evolving to meet the changing nature of threats and vulnerabilities. Your breach communications plan must be every bit as flexible, dynamic, and modernized as your technology infrastructure. If it’s not, fix it—and fast. It’s not an overstatement to say that your organization’s very viability depends on it. Thoughtful planning, regular testing, and meticulous execution of a breach communications plan will separate the industry leaders from those that become cautionary tales in the wake of a breach.

1. “How Poisoned Tylenol Became a Crisis-Management Teaching Model,” Time, September 2014
2. “BP CEO Apologizes For ‘Thoughtless’ Oil Spill Comment,” Reuters, June 2010


41
Making Cyber Insurance a Strategic Tool in Reducing Risk and Improving Resilience
Robert Parisi — Managing Director and U.S. Cyber Product Leader, Marsh

If you magically found a spare $2 million to spend on cybersecurity, what would you do?

If your CISO was asked, their reaction would be immediate and decisive. “We’ll expand our headquarters’ security operations center (SOC) and those in our core international facilities. Then we’ll install next-gen endpoint protection, institute biometric access controls to our data centers, harden our critical infrastructure, and expand our threat intelligence subscription services.”

Those and similar technology investments are a smart way to go. But that approach treats security as a problem to be solved rather than as a risk that needs to be managed. Managing any operational risk needs to be more nuanced. So let’s look at it from a different perspective.

Now, what if your CFO and Chief Risk Officer were told that $2 million spent on a bespoke cyber insurance policy could take $100 million of risk off their books and, at the same time, improve the organization’s operational resilience? In other words, you would not only be financially protected in case of a costly data breach but also ensure that the organization can withstand the financial impact of a disruption to business operations for a material period of time.

That’s not a hypothetical scenario. More and more organizations are facing the harsh reality that their technology will fail, a vendor will not be there when needed, or they will be attacked—if it hasn’t happened already—in the future, with potentially grave financial, operational, legal, regulatory, and reputational consequences. Certainly, having the right technology tools, services, and protocols in place is essential to fortifying cybersecurity in the face of expanding threats. But the cold, hard truth is that bigger technology spending, in and of itself, isn’t going to stop the problem. It may slow it overall, and it may even relegate certain specific threats to irrelevance. But that’s not enough to keep your business humming after a supply chain meltdown, data breach, malware campaign, ransomware demand, or distributed denial-of-service (DDoS) attack. Cyber risks are not simply problems that can be spent away. These are operational risks that need to be managed with the same level of attention and diligence as any traditional risk that could potentially put you out of business.

Cyber risk has now overtaken other, more traditional risks and become the number-one nightmare for business leaders and board members. And that risk has now evolved beyond privacy breaches and lost credit cards. The modern commercial entity is now so heavily dependent upon technology—their own and others’—that the board’s biggest concern is whether or not their organization is truly cyber resilient and up to the challenge from the myriad threats out there.

It wasn’t that long ago that the C-suite’s primary worries about ensuring continuous operations dealt with things like natural disasters and political risk, particularly for multinational conglomerates. And those things are certainly still material considerations, but they are no longer likely to be either the most probable or the most severe disruption a company faces. The Business Continuity Institute, which assesses factors that shape business continuity and their impact on organizations, recently concluded that unplanned technology and telecommunications outages now outpace natural disasters and political risks in disrupting local, national, and even global supply chains. And as severe as the impact may be when an organization is in a geography hit by a flood, hurricane, or tornado, the potential impact of something like a ransomware attack—as the 2017 NotPetya malware attack demonstrated—is likely to be even greater.¹ Not only that, but a ransomware attack is far more difficult to predict and defend against because its source is rarely known until after it hits. Imagine if the hurricane could pick and choose where it made landfall based upon where it could cause the most damage. Now you have an idea of why cyber risk is scarier than weather.

But companies manage their risk across a spectrum, with technology, protocol, and procedures being the primary risk mitigation tools. At some point along that spectrum, those risk tools no longer prove effective. It is at that point—for the residual risk—that insurance comes into play. You need a cyber insurance policy that aligns with your risk profile and that is integrated into your overall risk management framework. Cyber insurance is no more an alternative to sound risk management principles than technology is a silver bullet against every threat or exploit.

Cyber Insurance As a Resilience Play

We all know the traditional insurance model. An event occurs that has financial impact on a person, a community, or an organization. The insurance coverage pays the affected party a sum of money in accordance with the terms of its policies, coverage limits, and so on.

But traditional property and casualty insurance has left a vacuum by not evolving its breadth of coverage along with the changing risk profile of its customers. This is where cyber insurance plays a critical role. Cyber insurance anticipates and accounts for the need for operational and financial resilience. There are massive hard- and soft-dollar costs associated with running your business in the Digital Age. Even very small companies depend heavily—and will depend even more heavily in the coming years—on the integrity and availability of the technology underpinning their day-to-day operations.

It is a lack of resilience, even more than security, compliance, and the threat of lawsuits, that makes organizations increasingly vulnerable to cyber risk. And that’s why cyber insurance must be considered part of an integrated risk management strategy.

Recognizing, Acknowledging, and Acting on the Threat

The good news is that cyber insurance is increasingly being viewed that way—as part of a holistic approach to risk management on par with traditional governance, risk management, and compliance functions. Interestingly, research conducted by Marsh, with Microsoft, indicates that cyber insurance take-up rates—the percentage of organizations in a particular sector that purchased stand-alone cyber insurance—have been trending strongly upward in recent years.²

In virtually every major industry, take-up rates have moved higher in each of the past three years, with manufacturing, education, and hospitality/gaming demonstrating the highest rates of increase. Healthcare, meanwhile, remains the industry with the highest take-up rates. There’s a qualifier to this good news, however. The fact is, most organizations have yet to move to dedicated cyber insurance policies. In fact, only about one in three organizations have done so.

What Should You Do First?

Of course, acknowledging the risk and the need to close the risk gaps that even great technology, and incredibly dedicated and innovative CISOs, can’t fully plug is the first step. This is truly a case in which denial is not an effective strategy.

Making smart and strategic decisions on how, where, and when to use cyber insurance to mitigate risk starts with some key learnings and actions:

Cyber risk has to be part of the board’s normal operational risk discussions. It is business risk, plain and simple. Too often, executives and boards fall victim to a kind of cyber mysticism when confronted with cyber risk, throwing up their hands because they don’t feel confident they understand the technology. But at the end of the day, it’s about looking at the potential impact of a cyber event, and working backwards from that to plot out how all the defenses and responses, including cyber insurance, mitigate that. It’s not only about “How do we stop that DDoS attack that’s going around our industry?” but it also has to cover “What is the financial and operational impact to our business if our global supply chain is cut off?”

Get help in assessing organizational risk. Cyber insurance is still a fairly young line of business, and as such, it lacks the rich actuarial data associated with fixed-asset valuation like cars and plants. But there are a lot of helpful assessment tools to evaluate risk, from both inside and outside the firewall. Cyber-risk modeling companies run non-invasive scans and scrapes, and knock on your virtual doors to see if ports are left open. They can give you a susceptibility metric to estimate attack vulnerability, without being disruptive to day-to-day business operations. Think of it as CCTV cameras on your virtual world that can see where information is flowing in and out, and that help you determine what that means. For instance, if you learn that you’ve got a lot of data flowing from a particular port to Kazakhstan—and you don’t do business with anyone in that country—it’s a pretty good clue something’s amiss.

Take the time to understand relevant cyber insurance trends on coverages, premiums, and services, and compare your organization with others. Examining your peer group, however you define it, is a good way to put your assumptions into context, and to frame decisions about how to work with your broker to create a customized solution. But that analysis should not be limited to just what cyber insurance your peers are buying. Some of the assessment tools mentioned above can benchmark your threat vulnerability against a peer group.

Do a thorough, ongoing evaluation of the organization’s at-risk asset values. And be sure to stretch your imagination when identifying those assets. Do you have a lot of personally identifiable information of employees, customers, prospects, and trading partners? Do you have trading algorithms? What is your inventory of intellectual property? And be sure to reassess those assets’ value regularly, especially when corporate “events” like mergers or the introduction of new products and services take place. In addition, NotPetya made it clear that physical assets are also at risk from cyber perils, with millions of dollars of smart phones, tablets, PCs, and servers “bricked” by the malware. Being able to understand the value of at-risk assets and the potential financial impact of a cyber event are critical first steps in determining the right level of insurance.

Be honest about your pain threshold when it comes to cyber risk. Executives and boards need to be on the same page when it comes to evaluating how much cyber risk they are willing to accept and how much they want insurance to cover. One organization may decide to hold the first $25 million in losses as their pain threshold and expect insurance to step in above that, while others may feel uncomfortable waiting for a digital catastrophe before receiving relief through insurance. Regardless, waiting until the disaster hits is not a good way to make that determination; have that discussion now, and revisit it regularly.

Make sure all the key players are at the table to discuss cyber insurance issues and to make the critical decisions. Of course, insurance decisions traditionally have rested in the CFO’s domain, but smart CFOs, CROs, and compliance officers are bringing CISOs to the table to get a better handle on identifying current and future sources of cyber risk, and to collectively assess the impact of that risk on their operations. And CEOs should do more than just stick their heads into the room when these discussions are taking place; they need to have skin in the game, too. And the same thing goes for board members. In another chapter in this book, Paul Jackson of Kroll talks powerfully about heightened levels of board-level corporate governance brought on by cyber risk. Ask a director at any organization that has suffered a debilitating and embarrassing cyberattack if they wished they had asked more probing questions about what their insurance policies did and didn’t cover when it came to cyber risk.

Conclusion

Does anyone reading this book honestly believe that their organization’s use of technology will do anything except skyrocket in the coming years? Of course not. So it’s reasonable to assume that since the bad actors aren’t sitting still, your cyber risk profile is going to expand and deepen.

Cyber risk is not a problem you can solve with quick technology fixes. You need to have a smart, sober, responsible plan for mitigating cyber risk that integrates technology, process, and cyber insurance. Evaluating cyber risk on an ROI basis is, of course, smart and necessary. But be sure you consider the full impact of a cyber event on business resilience when deciding what role cyber insurance plays in your enterprise-wide risk mitigation and management strategy.

1. “NotPetya tops list of worst ransomware attacks,” ComputerWeekly.com, October 31, 2017
2. Marsh Microsoft Global Cyber Risk Perception Survey, 2018

WHAT YOUR CYBER INSURANCE SHOULD COVER

Cyber insurance is the yin to traditional insurance’s yang. The latter enables a company to transfer the risk associated with physical perils, while cyber insurance responds to risk from non-physical perils arising from the ever-evolving nature of technology. Born during the dot-com bubble, cyber insurance now extends to cover a wide spectrum of liability and direct loss and has at its core the premise that all of a company’s technology risk should be insurable.

Liability

The heart of liability insurance is coverage for harm that a company causes third parties. In the case of cyber insurance, the harm is caused by either a failure of the insured’s computer security or a data or privacy breach, including things like wrongful collection or unauthorized access to confidential data, be it personal or commercial. If such allegations are made against an insured, the insurance will provide a defense of the claim as well as indemnifying the insured for any damages it may be legally liable for.

Regulatory

With the abundance of privacy and data breach regulations, including the recent coming online of GDPR, the insured will likely face a regulator or the obligations imposed by statute before they face a civil plaintiff. Cyber insurance provides legal counsel to assist in responding to a regulator’s inquiry and in determining the extent of any obligation under the statute. Insurance can also cover fines and penalties assessed against the insured. The underlying thought here is to avoid a misstep that could come back to bite you later in any civil legal action.

Direct Loss

Cyber insurance indemnifies an insured for loss or damage to its digital assets, as well as loss of revenue and extra expenses incurred because of a computer security failure, or any technology failure not caused by a physical event. Loss of revenue can also be insured if the cause is a security or technology failure at a business that the insured depends upon in its operations, such as technology infrastructure vendors and an insured’s supply chain. This aspect of coverage has been evolving the fastest lately, with some insurers now offering coverage for loss of revenue due to either a voluntary shutdown or the failing reputation in the wake of a cyber event impacting the insured. In addition, insurers have added coverage that touches upon the “physical” with indemnification for bricking losses.

Event Response Expenses

Cyber insurance is unique in that it assists the insured almost from the moment an event is discovered or suspected. An organization will incur significant out-of-pocket expenses investigating the cause and nature of a breach or failure, responding to the various regulatory obligations such as breach notification statutes, and addressing the associated reputational noise. The cyber insurance market has developed two approaches in this area. The first and more traditional is to provide indemnification for incurred expenses, with the insurers also providing an insured access to a panel of expert service providers. The second approach, more popular with smaller companies, is to essentially have the carrier’s panel step in to manage the event for the insured, with the insurer dictating which providers are to be used.

Miscellany

In addition, cyber insurance indemnifies the insured if it is the victim of an extortion threat to cause an otherwise covered loss or liability. Cyber insurance also is adept at filling the vacuum created as traditional insurance lags behind or fails to keep pace with the evolving risk profile of the economy. Two recent examples are the extension of coverage for liability arising from a company’s use of IoT technology and the risk associated with blockchain technology. Finally, cyber insurance also has expressly adapted to align with traditional insurance as losses become more nuanced, where a physical injury has some cyber aspect lurking in its chain of causation, to ensure that an insured can achieve the maximum recovery for the loss.
Technology
42
How You Should Use Cybersecurity
Technology to Improve Business Outcomes
Naveen Zutshi — Senior Vice President and Chief Information Officer,
Palo Alto Networks

Throughout this book, you’ve read great manual approaches to keep up with. With
advice from smart people about cybersecurity, with a recurring theme: Cybersecurity is a business issue, not a technical one. That’s correct, of course. But it doesn’t tell the entire story.

There’s no longer any debate that cybersecurity must be addressed strategically and in a business context by executives and board members, in close concert with their CISO, CIO, and security operations (SecOps) teams. But when it comes to cybersecurity, technology does matter—a lot.

The right cybersecurity technology can prevent a vast majority of attacks, detect vulnerabilities quickly, mitigate cybersecurity risks, and enable security of strategic business initiatives like digital transformation. If done right, these business outcomes can be achieved without impeding the speed of delivery. Of course, that’s not to say that wasting investment dollars on yet another point product, or hiring mediocre security operations personnel to manually monitor networks for aberrant data movement, is the way to go. Security threats are dynamic, fast moving, and can be highly unpredictable for legacy and an increasingly machine-based adversary, cybersecurity approaches that are manual, highly fragmented, and point-product-based are doomed to fail.

Instead, we need to take a different approach—one that embraces a comprehensive view of security architecture, with new technology assumptions to make our organizations more secure, even as we use technology to surface new business opportunities. While I won’t subject you to a chapter riddled with terms like containerization, micro segmentation, serverless compute, or service provisioning, I do feel it is important for business leaders to understand that there are some critical technology shifts underway that can help us create a more agile, scalable, and modernized cybersecurity layer.

And if we don’t make some important technology shifts, we will:

• Waste money.

• Divert badly needed manpower to perform manual tasks.

• Fail to keep up with the breakneck pace of new security risks.

275
Without a commitment to a new cybersecurity technology paradigm, we will put our organizations in peril, causing irreparable damage to our brands and destroying our customers’ confidence in our ability to protect them.

Let me explain why and how.

Delivering Speed and Agility—Securely

In the digital world, success requires organizational speed and agility—more than ever before, in fact. Every organization wants, and needs, to move faster and become nimbler in spotting and taking advantage of new business opportunities. Technology plays a key role in making that goal attainable, as many of us learned over the past few decades.

But for a long time, technology needed a large footprint in order to deliver business benefits. Big iron. Big applications. Big data centers. Big staff to monitor and manage networks. These big capital expenditure (Capex) investments and large IT/security workforces were often considered competitive differentiators for companies. Unfortunately, this legacy of “big technology and large workforce” has become a boat anchor, weighing down our organizations and restricting our ability to achieve speed and agility.

Fortunately, new solutions, such as cloud computing, Software as a Service, and anywhere/anytime connectivity, are changing the technology paradigm by delivering breakthrough capabilities faster, less expensively, and with a smaller technology footprint. Additionally, software-based automation has laid to waste the traditional approaches of problem solving and is significantly reducing the need for massive security operations centers (SOCs).

But with the adoption of any new technology comes risk—specifically, cybersecurity risk. Take cloud, for instance. It has changed the way we work, and we’ve only begun to scratch the surface. Earlier in this book, Ann Johnson of Microsoft called attention to the fact that cloud computing has quickly evolved from a useful tool to an essential one, and is now entering a transformative phase of its development that will accelerate the pace of change and increase our business opportunities.

And, as she said, it will also increase our cybersecurity risks. With public cloud, there is risk in assuming that, because you are using someone else’s infrastructure, you don’t have to secure it. This is a false, and potentially dangerous, notion. Public cloud requires a shared security model. This typically means that customers are responsible for security above the operating system, including all customer data and IP, and the public cloud provider provides security of the underlying hardware and infrastructure.

Additionally, in using public cloud, access control API keys can be easily discovered and used to compromise vast amounts of compute resources in minutes, since hackers have automated tools looking for those vulnerabilities within systems. They can then exploit them in ways ranging from bitcoin mining to much more nefarious means, such as stealing intellectual property or customer/employee data.

Like the public cloud, other ascendant technologies like SaaS, big data, machine learning, and increasingly connected Internet of Things devices, are today’s double-edged sword: big benefits with big risks. This, in turn, has put great pressure on IT and security professionals to move quickly and embrace agility, while at the same time provide critical security safeguards. It’s not easy. But it can be done.

276 Technology
Reject the Shiny Tool Syndrome

One of the big challenges in addressing these technologies is how quickly they are being implemented and how fast they are growing. Keeping up with the pace of innovation is becoming nearly impossible. Public-cloud feature development is a good example; AWS released over 497 features in their February 2018 quarterly launch.1 And that’s just one cloud provider.

Some security and IT professionals suffer from what I call the “shiny tool syndrome,” while having a fear of missing out (FOMO) on all the new tools/features being developed. Unfortunately, the dirty little secret is that major cyberattacks happen due to poor cyber hygiene. Having legacy security architecture that is good on paper but doesn’t prevent attacks, porous access control, and poor implementation of security controls will result in a broad attack surface that no new shiny tool will solve. Focusing first on basic blocking and tackling, like patch management, access control, service account rotation, certificate management, network segmentation, and others—while “uncool”—is a must. A strong, disciplined security process, coupled with an automated, software-based approach to security, one that is focused on solving for the right security outcomes will enable a stronger security posture and better position the company for today’s and tomorrow’s cybersecurity requirements.

Welcome to the Age of Software-Defined Security

Taking an automated, software-based approach to security is in keeping with one of the important trends rippling across the technology spectrum today, which is the shift to “software-defined” models. Software-defined is typically embodied as an algorithm or application programming interface. What we now call the “software economy,” as well as traditional industries, is being disrupted by software-based approaches.

Industries thought to be untouchable, such as printing, taxi operations, hospitality, brick-and-mortar retail, and energy are being disrupted by the software economy. Traditional silicon-based approaches to security are being attacked as well. Having a software approach enables our two favorite requirements: speed and agility. Software-defined solutions can be deployed faster and provide organizations with the ability to deliver new business solutions in a more agile manner. And they provide additional important benefits, such as reduced reliance on Capex and a “light” management profile that doesn’t require armies of technicians.

Today’s cybersecurity solutions are fast joining the software-defined game, as well. Thanks to the development of powerful and adaptable machine learning tools based on the enormous amount of data being collected, cybersecurity defenses are increasingly shaped by software and the concepts of automation, integration, and cloud optimization. Software-defined security is designed and implemented with the understanding that automated, scalable, cloud-delivered security software now enables issues to be discovered and remediated in near real time. And as the incidences of zero-day attacks continue to increase, “real time” carries a whole new meaning and business impact. In addition, machine learning–based solutions are complementing rule-based software to further shorten the detection lifecycle of zero-day attacks and prevent them from causing havoc to our critical infrastructure. The futuristic vision of machines fighting machines may be a few years away, but it is increasingly advisable to choose a purely software-defined approach to security.

How You Should Use Cybersecurity Technology to Improve Business Outcomes 277
Software-defined security enables embedding security into the software lifecycle through automated security tests so development lifecycles can be iterative and fast. Additionally, software-defined security empowers our employees to take more proactive roles in rooting out vulnerabilities and reducing risk. Our SOC team can do penetration testing to hunt for issues before they become problems and set up “honeypots” to attract threats and nip them in the bud. This is an entirely new model for cybersecurity—proactive, automated, and predictive, instead of reactive, manual, and based on “best estimates.”

Another aspect of software-defined security is to buy security platforms that enable reinforced integrations (each integration improves the overall security posture), are scalable as companies grow, are consistent across cloud and on-premise implementation, and automate implementation, ongoing upgrade, and policy management.

By using software-defined security platform principles—which are going to be implemented in an agile, enterprise-wide platform, rather than a variety of point solutions for individual threats—organizations can scale security defenses in lockstep with the development of new environments for things like testing new business services or modeling assumptions on customer behavior or supply chain interruptions.

There’s that speed and agility we talked about earlier. And that’s what makes software-defined security a business issue, not just a technical issue. But it is really cool technology.

How Business Leaders Should Talk About Technology to the CISO

It’s easy to equate business executives talking to technical leaders with what happens when we go to the doctor for a problem. When we experience sharp pain in our shoulder when working out at the gym, we don’t want the orthopedist to give us the intimate details of the composition of the rotator cuff. We want to know how we can stop the pain and maintain our active lifestyles.

Business leaders obviously don’t need to know—and certainly most of them don’t want to know—about the technical underpinnings of their organizations’ cyber defenses. They do want to know whether the CISO has taken the right defenses for known and anticipated risks, has the appropriate funding to ensure success, and has calibrated their cybersecurity with their risk/reward profile for new business opportunities.

When business executives talk with the CISO or CIO about cybersecurity technology, they shouldn’t worry about which tools are being used as much as why and how those tools are delivering improved security outcomes. After all, business leaders understand risk, and they have all come around to the understanding that the right cybersecurity technology is an enabler to reduce risk while achieving strategic outcomes safely.

They also now know that the more manual your security processes are, the exponentially harder it becomes to prevent new threat vectors from impacting the business, and the more cost and complexity it adds.

So, business leaders’ conversations with CISOs—whether in the boardroom or impromptu in the hallway—should focus on issues like technical risk and technology process, rather than on trying to learn the language of bits, bytes, and bots.

For instance, business executives and board members should ask questions like:

• Do you believe you have the right security architecture in place for threats that have not yet impacted our business?
• Are your security teams embedded in the business and technology units, or are they sitting in ivory towers monitoring event logs?

• How are you quantifying risk, in terms of our core business assets? What is the financial impact of an hour of downtime after a hack?

• How are you minimizing the attack surfaces and points of compromise?

• What business service or product of ours are you most concerned about from a cybersecurity perspective (our crown jewels), and what are you doing about it?

• When we expand our corporate footprint through acquisition or market expansion, can we scale our existing security infrastructure without having to make huge new investments in Capex and staff?

• What is our optimal approach to adopting a new set of cybersecurity technologies—crawl, walk, or run? What are the trade-offs of each?

• Does our current security technology adequately protect us against potential problems with our cloud service providers or other third parties we connect with?

Conclusion

As I mentioned earlier in this chapter, organizations face an important challenge: how to achieve the goals of speed and agility, but in a safe and consistently secure manner. We all know that technology has become a critical catalyst for delivering speed and agility, as it has for ensuring rock-solid cybersecurity.

But can we use technology to achieve it all at the same time? Can we have our digital cake and eat it, too?

I believe we must. And, fortunately, I’m confident that we can. In fact, it’s already happening at many enterprises around the world—enterprises whose business leaders and CISOs have modernized their approaches to cybersecurity technology in a software-defined, platform-driven model that prizes speed, agility, automation, and analytics.

Traditional approaches to cybersecurity—encounter a problem, buy some technology, plug the gap, then repeat—no longer work. They don’t scale with the massive expansion of threats and vulnerabilities, and the resultant “security sprawl” is expensive, inefficient, and leaves too many gaps.

Organizations can move quicker and more securely than ever by re-imagining cybersecurity around software-based platforms that are easily deployed, cloud-powered for easy scalability and simple maintenance, and well-integrated into the core business processes.

And when they get to that state, they may even have gotten over the shiny object syndrome.

1 “AWS Released 497 New Services And Features Last Quarter,” AWS News, April 5, 2018
43
Harnessing the Power of Blockchain
Antanas Guoga — Member, European Parliament

Blockchain technology has the potential to change the world. It could be the foundation for building new levels of trust in elections, financial transactions, supply chain management, and the sharing of healthcare data. It could be used by political and government institutions to empower citizens. It could be, and probably should be, a vital part of the cybersecurity moonshot effort discussed by Mark McLaughlin at the beginning of this book.

A report from Santander InnoVentures predicts that blockchain technology could reduce the infrastructure costs of banks by up to $20 billion a year by 2022.1 Capgemini has stated that blockchain technologies will enable consumers to reduce banking and insurance fees by $16 billion a year.2 The market for blockchain in retail is expected to reach more than $2.3 billion in 2023, growing at a compound annual rate of 96.4%.3 In the first five months of 2018, the dollar volume invested in blockchain companies reached nearly $1.3 billion, already surpassing the totals for the entire prior year.4

Clearly, the potential for blockchain is making it one of the most widely talked about technologies of our time. But it’s one thing to talk about the potential of blockchain; we are approaching a new stage in the development of this exciting technology. It is time to start adopting it into our lives—allowing it to shape today’s digital economy into tomorrow’s crypto economy and ensuring that blockchain can be used as a vital tool to build trust in applications and environments beyond the world of cryptocurrencies.

Understanding Blockchain Technology

Most people understand that blockchain is the technology behind Bitcoin. But, if asked to define what it actually is, they would be hard-pressed to give a clear answer. Here’s a simple explanation, courtesy of The New York Times:

The easiest and most basic way to think about the underlying technology is to think about a technology that keeps a master list of everyone who has ever interacted with it. It’s a bit of an oversimplification, but if you’ve ever used Google Docs and allowed others to share the document so they can make changes, the programs keep a list of all the changes that are made to the document and by whom. Blockchain does that, but in an even more secure way so that every person who ever touches the document is trusted and everyone gets a copy of all the changes made so there is never a question about what hap-
pened along the way. There aren’t multiple copies of a document and different versions—there is only one trusted document and you can keep track of everything that’s ever happened to it.5

Blockchain as a distributed ledger technology, or DLT, when used properly, can have a profound impact on cybersecurity since it is, at its core, a secure database that is immutable and transparent. Bitcoin provides a perfect example of the potential: In the nine years of its formation, Bitcoin has successfully warded off all cybersecurity attacks—something no other online/digital entity can fully claim. Imagine how other industries can benefit from that level of trust and security in their transactions.

The Business Potential of Blockchain

Although the first historical use cases of blockchain have been the disintermediated exchange of virtual currencies, distributed ledger technologies can be applied to all industry and public sector activities. Multiple types of transactions can be recorded in a blockchain and various use cases can be implemented. For instance, it can be used:

• In finance for money transfer, peer-to-peer lending and transfer of securities.

• By insurance companies for automatic execution of contracts.

• By governments for citizens’ ID management, taxation reporting, development aid management, e-voting, and regulatory compliance.

• In healthcare to track transactions on patients’ health records and identification of access.

• For media and intellectual property companies to directly distribute royalties to authors of music, videos, and other content.

• For pharmaceutical companies to verify the drug supply chain.

• For retail companies to verify proof of authenticity and origin, and to easily manage provenance supply chain.

The graphic below, from crowdfundinsider.com, provides a sense of the current use cases for blockchain technology.

Note: This figure is based on a list of 132 use cases, grouped into industry segments, that have been frequently mentioned in public discussions, reports and press releases.
Figure 1: Breakdown of use cases of DLT (Real Estate applications fall under Others)
It is no surprise that banking and finance are leading the way in early adoption of blockchain technology. In the areas of banking, distributed ledger is incredibly useful because it keeps firms, individuals, and transactions on track and responsible. Blockchain provides financial institutions with a sense of security that was previously unattainable.

Blockchain Today

Blockchain is often compared to the beginning of the internet, when the potential was not fully understood or was subject to confusion by the large majority. Business models were unclear, regulatory frameworks were challenged by front-runners, and technical constraints hindered the uptake. Those who pioneered the internet and built long-term ecosystems have been the big winners. That could be the case with blockchain now.

The biggest issue with blockchain today is scaling and cost. In order to better enable blockchain, we need to continue improving the technology. Blockchain is not a piece of code, it’s an infrastructure and ecosystem of distributed applications as smart contracts. As long as it is built and audited properly and functions correctly, it will be successful. This includes the development of distributed information and communications technology (ICT) infrastructure and, most importantly, correct implementation to actually ensure that businesses remain compliant and aware of upcoming security issues.

Those provisos aside, there is a gold rush to blockchain because it has such vast potential to address today’s most pressing cybersecurity challenges, creating a model for trust-based transactions that provide unmatched security to counter cyberattacks.

Moving Forward

I believe blockchain technology has much more to offer than just Bitcoin or cryptocurrencies. Apart from its main features of being efficient, transparent, secure and, more importantly, societal—its democratic aspects should be emphasized. Blockchains bring to people the power to control data without the middlemen and cut their service costs. Blockchain can also be a solution for secure and transparent e-voting, hence reducing the risk of ballot tampering or political persecution. This is the way that I believe the public’s trust in governments and electoral systems can be restored.

We are already beginning to see how organizations plan to deploy blockchain technology in innovative use cases across the globe:

• In Australia, the Australian Securities Exchange is looking to replace its settlement system with a distributed ledger to improve efficiency and security in transmitting messages and accessing information. The managing director and CEO of the exchange’s operator says moving to blockchain technology could save the exchange as much as $23 billion (AUS). The exchange is looking to roll out the system by the end of 2020.6

• In Canada, the National Research Council of Canada, through its Industrial Research Assistance Program, is already using blockchain technology to publish grant and contribution data. The government had identified a problem in that more than $300 million (CAN) worth of research grants were being issued every year. However, it was difficult to ensure that contracts were signed for each, to audit the to-
tal amount of grants issued, and make the information publicly accessible. Within the first week of launching the blockchain solution, the service had more than a million requests for information and, as of this writing, more than $500 billion of public spending has been disclosed.7

• In the Netherlands, numerous live projects have been presented, such as registering nursery childcare services on a blockchain; distributing and monitoring the use of the “Kindpakket,” a social-benefit policy for children from low-income families; and trialing e-voting on a blockchain while keeping paper voting intact, in parallel.

• In my home country of Lithuania, the LB Chain initiative has been created by the Bank of Lithuania in response to demand for information and adoption. It will act as a safe technological sandbox environment, where domestic and foreign companies will be able to develop and test blockchain-based solutions in a regulatory and technological platform/service. The Bank of Lithuania has taken this strategic direction to accelerate development of a FinTech-conducive regulatory and supervisory ecosystem, while still fostering innovation in the financial sector and positioning itself to be a world leader in FinTech.8

These are just a few of many examples. A simple internet search will give you many more potential use cases to consider, as this innovative technology continues to roll out and make its impact around the world.

Advocacy for European Leadership

I have been, and continue to be, a strong advocate for Europe to take a leadership role in the development of blockchain. As of this writing we have more than 300 European startups in Europe, a number that will continue to grow as our ecosystem grows. The potential benefits for Europe are significant. In cooperation with the European Commission and other regulators we can:

• Support European industry, seizing the economic opportunity for more jobs and growth.

• Improve business processes in governments, companies, and organizations.

• Enable new, disintermediated business models based on direct peer-to-peer transactions, without the need for central platforms.

To achieve these benefits, the European Commission has already taken important actions, including:

• Active engagement in international standardization, such as the ISO Technical Committee 307 on Blockchain and Distributed Ledger Technologies.

• Different H2020 Research & Innovation projects have been financed and will continue to be financed in different domains, such as eGovernment, eHealth, transport, energy, and finance. So far, 56M€ have been engaged by the EU in blockchain-related projects, and a potential of up to 340M€ could be engaged in 2018 and 2019.

• Proof-of-concept and pilot projects have been launched in the areas of regulatory compliance, tax and customs reporting, energy, and identity management.

In addition, during the first half of 2018, the European Commission has:
• Launched the EU Blockchain Observatory and Forum to map relevant blockchain initiatives, share experiences, and pool and develop expertise on blockchain at the EU level.

• Published the Fintech Plan, which aims to help the financial industry make use of rapid tech advancements, such as blockchain and other IT applications, and strengthen cybersecurity.

• Begun assessing the need for, and benefits of, an EU blockchain infrastructure. The feasibility study would be setting the right conditions for the advent of an open, innovative, trustworthy, transparent, and EU law-compliant data and transactional environment.

• Continued to engage with standards development organizations (ISO, ITU-T, potentially IETF, IEEE).

• Continued to support R&I projects in different areas.

• Supported other EU level projects: EFTG, Blockchain for Social Good Prize, PoC TAXUD (taxation and customs).

• Built on member states’ initiatives to consolidate at the EU level.

A blockchain resolution was passed by the European Parliament’s Industry, Research and Energy Committee on May 16, 2018. By the time this book is published, we hope it will have been approved by the entire Parliament. The motion for a resolution calls for open-minded, progressive, and innovation-friendly regulation of blockchain technology. The document looks at the implementation of blockchain technology, not only in the FinTech sector, but also at other sectors such as energy, healthcare, education, creative industries, and the public sector. This resolution is a strong position by the European Parliament, which shows that the EU wants to be a strong player in blockchain; therefore legal certainty is of utmost importance in order to secure blockchain-based projects and investments.

Numerous events on blockchain applications were organized at the European Parliament in 2018. And there is a strong trend toward the technology being acknowledged and better understood. The newest document to be discussed at the European Parliament is its own initiative report, “Blockchain: a Forward-Looking Trade Policy.” Work on it is in progress in the International Trade Committee, as of this publication. The initiative report proposes to investigate in detail how trade agreements can facilitate the use of distributed ledger technologies and blockchain to underpin and streamline customs agreements. A key advantage of the application of blockchain in customs agreements is the potential to reduce fraudulent transactions. Therefore, the usage of a secure database could revolutionize the scope and security of international trade agreements. In addition, the report will assess the potential for the EU to use DLTs to develop secure “smart” contracts with trading partners in international trade agreements.

Even with all of that ongoing activity, I believe it is important to let the industry itself grow and see where it takes us. I am not a technologist, and neither are my fellow politicians. We don’t know exactly where the technology will go. But we should all be open and aware—and we should definitely keep educating people on blockchain, cybersecurity, and related topics.

What’s more, we should continue to fund these types of projects because it is more important to contribute than to actually make a profit. The smart young people
who are creating and using this technology should be left alone and allowed to continue to advance the industry. Awareness should continue to be raised, and the technology should be given every opportunity to advance and flourish.

Conclusion

Blockchain technology has immense potential to solve real-world problems and create new types of organizational structures that can change the economic and power dynamics of traditional centralized bodies. The technology will give freedom to people’s data and, therefore, stimulate new forms of democratic collective actions, security, trust, and transparency in daily activities. How far that potential and implementation goes is up to us and our ability to operate what the technology provides.

1 “Santander: Blockchain Tech Can Save Banks $20 Billion a Year,” Coindesk, June 16, 2015
2 “How Blockchain is Changing Finance,” Harvard Business Review, March 1, 2017
3 “Blockchain in Retail Market Worth 2339.0 Million USD by 2023,” MarketsandMarkets, June 2018
4 “With at least $1.3 billion invested globally in 2018, VC funding for blockchain blows past 2017 totals,” TechCrunch, May 20, 2018
5 “Dealbook: Demystifying the Blockchain,” The New York Times, June 27, 2018
6 “ASX Head Says New DLT System Could Save Billions,” Coindesk, August 16, 2018
7 Blockchain Conference: “Blockchain - Game Changer of the 4th Industrial Revolution,” at the European Parliament, https://www.youtube.com/watch?v=F7X9AS4AR9w&t=786s
8 “The Bank of Lithuania to launch blockchain sandbox platform-service,” https://www.lb.lt/en/news/the-bank-of-lithuania-to-launch-blockchain-sandbox-platform-service
44
When It Comes to Shadow IT, What You Don’t Know—and Don’t Prepare for—Can Hurt You
Alice Cooper — Global Head of Derivative Trade Processing IT, BNP Paribas CIB

In a fast-paced and dynamic business environment, organizations depend more than ever on their IT teams as a source of growth, innovation, and competitive differentiation. With those escalating demands has come a tricky supply-and-demand balancing act: how to provide the IT services and resources needed by everyone, from business users all the way up to the corner office.

Many business users have grown frustrated and impatient because of a perceived inability of IT departments to meet their business needs with new systems, applications, and services in a timely, affordable manner. But the harsh truth is that everyone is clamoring for more support and collaboration from the IT organization at a time when IT budgets are not growing fast enough—and sometimes not at all—to keep up with skyrocketing and increasingly sophisticated user demands.

Perhaps even more important is the fact that IT hiring has flatlined in many industries, despite repeated requests for more programmers, application developers, systems analysts, data scientists, help-desk technicians—and yes, more security professionals. So, since necessity is the mother of invention, the business users have come up with a simple solution: “We’ll do it ourselves.”

Why and How Shadow IT Took Hold

This trend, widely known as shadow IT, has become increasingly prevalent in enterprises of all sizes, industries, and geographies. Some organizations tacitly support the practice, while others are blithely unaware of its existence. Regardless, shadow IT has serious cybersecurity ramifications.

What exactly is shadow IT? Global IT consulting and research firm Gartner puts it succinctly:

“Shadow IT refers to IT devices, software, and services outside the ownership or control of IT organizations.” 1

Not that long ago, the notion of a shadow IT organization was preposterous. IT was a complicated discipline built upon in-depth, often arcane technical knowledge and access to expensive com-
puting infrastructure. But that’s changed dramatically. Today’s workforce—and not just the millennials who were born seemingly tethered to their numerous Wi-Fi devices—is far more technologically adept and more comfortable writing applets, setting up wireless networks, deploying virtual machines, and putting in place digital sandboxes for short-term projects.

Then there’s the cloud. Affordable, easily accessed cloud services have helped business users launch their own systems and procure IT services with a simple credit card transaction, all without the notice, review, approval, and control of the traditional IT organization.

As a result, shadow IT has not just become a big factor in how IT services are developed and deployed, but it also is an often-hidden development escaping the vision of IT and business executives. One study noted that 72% of companies don’t know the scope of shadow IT at their organizations, but want to.2 Another study pointed out a key reason for this disconnect: CIOs, on average, dramatically underestimate the number of cloud services running within their organizations. How dramatically? By a factor of more than 14 to 1.3

To many business executives and board members, the shadow IT movement seems like a smart, even necessary, workaround

CIOs, CISOs, and other technical executives have been working feverishly to meet the growing demand for IT services and tools to help their organizations solve strategic problems, ranging from identifying new competitive threats and reducing global supply chain costs to mining troves of new data to make smarter, faster decisions. They want to help the organization succeed by leveraging technology for business benefit, and they want to collaborate with business colleagues to do that.

However, what once may have seemed like a creative way to bypass the IT bottleneck in the quest for digital transformation is now a problem. A big problem.

Shadow IT’s Impact on Cybersecurity

Shadow IT dramatically expands an organization’s cybersecurity threats in many ways and for many reasons. It’s typically being done innocently enough, certainly without malevolent intent. But the impact can be really bad.

The reasons why shadow IT is so commonplace and so problematic today include:

• The dramatic growth of “bring your own device” policies (formal and otherwise), which have introduced a slew of unmanaged and either unprotected or under-protected devices on the wrong side of your firewalls.
to a problem: the growing chasm between
demand (for more IT services and solu- • A lack of visibility into, and control of,
tions) and supply (of IT resources to get inbound/outbound data traffic, often
it all done). Initially, business leaders who resulting in compromised data integri-
were aware of this complaint from their ty and extensive data loss.
business teams often applauded their cre-
• The growing popularity of the Internet
ativity and innovation in finding organic,
of Things, which manifests itself both
affordable solutions to their problem. This
in terms of new types of equipment
predisposition for “a bias for action” is, of
that is often security-deficient and in
course, widely supported and even encour-
“rogue” projects that, while exciting
aged by business leaders on their teams.
and full of business potential, can leak
sensitive data like a sieve.

288 Technology
• An increasingly mobile/virtual workforce, where employees—as well as customers, suppliers, and partners—often access sensitive data over open networks that can easily be hacked.

As I mentioned earlier in this chapter, shadow IT often lurks under the radar of corporate IT, and thus is shielded from business executives and board members who ultimately bear responsibility for all cybersecurity problems.

Just how bad is the problem? I’ll give you one example to let your imaginations run wild. A research study pointed out that 80% of IT professionals said their end users have gone around them to set up unapproved cloud services.[4] And do you want to know the really scary part? That data is five years old, taken at a time when cloud services were still in their infancy. You can only imagine how pervasive the problem is today—and will be in the future. The question is: What should you do about it?

Addressing the Cybersecurity Challenges of Shadow IT

Fortunately, there are some common-sense steps organizations can and should take to minimize the potential negative cybersecurity impact of shadow IT. While I don’t think organizations should be taking draconian steps to curtail initiative and self-sufficiency of technically astute employees, there are some reasonable, collaborative approaches that can create stronger partnerships between enterprising business users and the security and IT professionals whose job it is to keep the organization’s data and IT assets safe.

Of course, this also means that business leaders and boards must (A) acknowledge that the problem exists and that it has potentially devastating impact, and (B) lead the way in encouraging smart answers to the problem. Denial is not a solution.

But first, let’s keep an important fact in mind: The end users themselves—your employees, primarily—are incredibly naïve as to the extent they are putting your organization at risk. They’re not connecting the dots, despite the fact that this is a topic that is increasingly covered in news reports and is being talked about by others. Even though today’s workers are very tech-savvy—especially the new generation of employees—they don’t have a clue what happens when they open a gateway in any direction. It gives the bad guys the key to the house.

So, what is the best way to address this problem? Education? Audits? Penalties? Yes.

In my organization, we conduct mandatory cybersecurity training. That training has been extended to topics like shadow IT, so everyone knows when bad security hygiene is taking place and what its impact will be. Explain to your employees who are acting as “citizen developers” and are commissioning applications to be built what can happen.

I know that everyone will groan about adding training into employees’ busy days, but those sessions don’t have to be long. You can give people reading materials they can go through on their own time, but you have to have formal training programs on this, especially for new employees joining the organization. Testing is also a good step to ensure that users are fully conversant in policy goals and objectives.

There are times when penalties—such as shutting down rogue applications or access to certain cloud services—may be necessary. Your very clever people may know how to get around access controls or authentication, but do they know which actions are likely to open up the organization to bribery or blackmail threats? Do they realize the reputational damage that can result?
While we don’t want to stifle innovation or discourage creative problem solving, organizations should send a zero-tolerance message. Your business units may be demonstrating initiative and even doing some very exciting work on their own, but if they are inviting in security risks, the downside can be much larger than the upside. Organizations can’t afford to be naïve either about the incidence of shadow IT or its potentially catastrophic impact. This should be part of every organization’s risk tolerance profile: How much are we willing to let our employees do in order to get the work done?

Of course, that opens up another issue: The growing imbalance between what business units need in IT services and support, and what the IT organization is able to deliver. This is likely to raise some very challenging, yet important, discussions on budgets, manpower, use of outside contractors, and how to assess opportunity versus risk.

But we all have to understand and admit that until we address the root causes of shadow IT, we will never be able to solve the problem.

Conclusion

Despite many organizations’ discomfort with shadow IT, I do not think executives should issue orders to outlaw shadow IT. I know most organizations—if they are able to have very honest and open conversations with their teams—can highlight instances where enterprising employees working outside the sphere of the IT organization have done some things that resulted in a competitive advantage because they moved quickly and flexibly to take advantage of an opportunity.

Still, that doesn’t mean you allow or look the other way on reckless behavior. You don’t know for sure if it’s reckless unless you understand what is happening and what the risk-to-reward ratio looks like. If you think you haven’t been bitten by this problem yet, you either haven’t been paying attention or you’ve been lucky. But I can promise you that your luck will not protect you from a data breach, a service interruption, a compliance violation, or a lawsuit.

As with so many things in today’s business environment, it requires a real give-and-take among business users, IT, security, and business leaders. Once someone in your organization goes rogue and starts their own IT solution or service, it can lead to a lot of trouble if there is no discussion on the impact.

While it’s true that talk is cheap, the cost of a cybersecurity problem is not.

[1] Gartner IT Glossary, Shadow IT, https://www.gartner.com/it-glossary/shadow
[2] “Cloud Adoption Practices and Priorities,” Cloud Security Alliance, 2015
[3] “CIOs Vastly Underestimate Extent of Shadow IT,” CIO magazine, 2015
[4] “Security, Privacy, and the Shadowy Risks of Bypassing IT,” Spiceworks, 2016
45
Unlocking Productivity With Security
Siân John, MBE — Chief Security Advisor, Microsoft

Mobile working has changed how organizations conduct business, from the development labs and the factory floor of the global supply chain all the way to the end customer. Mobile working and its facilitators—cloud computing, Internet of Things, and IT consumerization—have unleashed new waves of innovation that have resulted in new products and services, an empowered workforce, a streamlined global supply chain, and an engaged customer base.

But these and other mobile-centric developments have done something else: They’ve significantly expanded cybersecurity threat vectors and, in some cases, opened up vulnerabilities that are threatening to undermine our aspirations for agility, efficiency, and productivity. This is a common side effect of the move to a more digital and mobile world; we just need to be aware of and manage this risk if we are going to achieve our aspirations.

By now, you’ve undoubtedly picked up on the fact that I’m talking about “mobile working” rather than the more common “mobility” term. That’s because I believe mobility has become synonymous with devices, and getting work done when away from a traditional fixed-point setting like an office is about much more than mobile devices.

For instance, so much of the flexibility, freedom, and balance now available to us in our work lives is driven not as much by small, lightweight devices as it is by the cloud. I’m sure that many of you reading this chapter were early adopters of tablets because they enabled you to leave your laptops at home when out and about while still remaining connected to business services. You could access your corporate email, search enterprise databases, or work on presentations or documents—thanks to the cloud.

So, as important as devices are in the overall process of mobile working, we must look at this trend as an ecosystem of devices, applications, workflows, and services.

Unfortunately, mobile working brings with it a host of new security threats that too many of our organizations have yet to confront, let alone overcome. It should surprise no C-level executive or board member to learn that Wi-Fi networks at the airport, sporting arena, or your local coffee shop are easy and frequent targets for cyber criminals.

Unless we commit to integrated security functionalities in our products, services, and workflows from the start, we will fail to achieve many of our most essential business goals. Conversely, if we pay attention to security from the start and design effective and efficient security safeguards into everything, we will unlock and unleash a wave of productivity never seen before.

Let me be clear about what I’m saying.

• Security is not an IT issue. It’s a business issue, and it demands the support and leadership of business executives, IT and security professionals, board members, and end-user stakeholders.

• The financial cost of designing security into products, services, and workflows is far, far outweighed by both its long-term economic benefits and the resultant costs of remediating problems after the fact.

• Native security breeds confidence by all users, which in turn promotes productivity and delivers economic value.

We need to ensure we are living up to our own expectations of managing these issues.

What Secure Mobile Working Can Do for Productivity

It’s important to understand and embrace the notion that you can’t have productivity in mobile work without security—specifically, security integrated from the very beginning of product development or business-process creation.

Before mobile working became the accepted standard, employees were doing it any way they could to get the job done. But they did it by using personal email on personal devices, which do not have the same security levels as their work accounts. They could access sensitive data sent through email accounts or through personal subscriptions to public cloud services, for example looking at patient records over Gmail or searching intellectual property drawings downloaded to a personal Dropbox account.

The ability to work anywhere at any time, to access data and applications from home or on the road, is central to worker productivity. We’re now firmly entrenched in the era of non-traditional work hours, driven by such factors as a desire to juggle work and personal commitments, the realities of the global economy, and a need for many so-called knowledge workers to react instantaneously to a germ of an idea, to a spark of brilliance.

To do that, we must have native security in our devices, applications, and business processes. And if our organizations don’t enact steps to bake in security from the start, the regulators will come knocking on our doors. The new General Data Protection Regulation demands that we automatically do the things we should have been doing all along, in terms of protecting and managing personal information.

When it comes to secure mobile working, GDPR and other data protection mandates have simply increased the cost of doing nothing—which, in my view, is a very good thing.

Why You Can’t Have Digital Transformation Without the Right Security for Mobile Work

If there’s any term being bandied about by business executives more than “digital transformation,” then I haven’t heard it. By now, every business leader and board member has embraced the notion of using technology to further business goals, especially in retasking our bright, creative employees away from rote, repeatable activities that can easily be done by technology.

To further the goals of digital transformation, organizations should focus on three areas:
• More use of cloud platforms to accelerate the delivery of IT services for business aims.

• Customized, personalized computing built around mobile platforms to drive greater employee engagement.

• Improved productivity through the paradigm shift that is mobile working.

And to accomplish all of that, organizations must acknowledge that traditional security controls and procedures were not built in anticipation of digital transformation and all its components.

Too many organizations still cling to the concepts of strong physical boundaries that promote routing back through the physical network, rather than extending the perimeter to the cloud. By embracing the cloud as a tenet of mobile working, organizations optimize security risk management by leveraging the investments, knowledge, and ability to experiment—safely—of cloud service providers.

Done properly, digital transformation is more easily attained when security issues are anticipated and integrated in advance, rather than after a security problem arises. And it’s important to keep in mind that organizations are only going to embrace digital transformation if their customers truly trust it. For this reason, the cybersecurity office should be considered an essential part of any digital transformation team; too often, they are left to the end of the process.

Enabling Security Professionals to Think About Mobile Work Outcomes, Not Security Outcomes

When security is baked into products, services, or business processes to support mobile working, everything starts with the consideration of how security affects business outcomes. Although we are fast moving away from old practices of “bolting on” security after the fact, it still happens far too often.

This is a crucial role for business leaders—to whom the CISO typically reports—and board members who naturally want to empower their employees to work in a way that engages them. And it all starts with analyzing business risk, though doing so can’t be the sole domain of the business teams; it must include security professionals.

Business leaders need to consider the following steps (which your security team can definitely help accomplish):

• Assess the possible threats that your industry and organization are exposed to. A number of possible threats will already be known. However, executive support is needed to enable the security team to gain additional knowledge from cyber threat intelligence-sharing organizations (such as UK Cyber Information Sharing Partners and TruSTAR), as well as collaborating with law enforcement agencies.

• Understand how identified threats could impact your intended business outcomes. These could include flexible working arrangements, data analytics, global collaboration, productivity, employee empowerment, or more. It’s essential to support your security teams’ efforts in understanding how your business works; and in turn, how business units are affected by cyber risk, not just from a technical perspective but also from a user or operational standpoint.

• Define how you can address the threats you are exposed to, whilst still achieving the business outcomes. Ensure this happens from a people, process, and technology perspective and is articulated so all areas of the business can understand what they would need to do differently, and why.
• Determine what type of digital transformation is needed for your security procedures so that your organization is protected as you change approaches. If the suggestion is to buy more security products, ensure that you ask what impact they will have on your employees. Will it make it easier for them to follow procedures intuitively—has this been tested with users? Is there a cloud solution that can be deployed very quickly and easily maintained, rather than the protracted route of traditional software?

• Ask how you can keep yourself up to date about the latest risks and threats and ensure that you are able to respond to them in a timely manner. Make sure the previous four steps are a continuous loop to ensure that decisions are always being made to maintain security and risk management, as well as productivity.

Improving the Mobile User Experience With Security—Without Compromising Your Defenses

Striking the delicate balance between airtight security and worker flexibility and engagement is harder than ever in the era of mobile working. Users will look for the path of least resistance and for shortcuts to bypass what they consider to be cumbersome, annoying, and invasive procedures for authentication and access management. And they won’t hold back in sharing that with their colleagues.

There are questions that board members and executives can ask to understand what can be done to strike the right balance between airtight security and mobile working within their own organization:

• How easy is it for a user to access applications, services, and data? You should find that by making user access simple and intuitive, you improve your security posture. More than likely, your CISO has deployed multifactor authentication (MFA) to reduce the risk of identity theft and ensure proper access to data. One key change could be to eliminate passwords as the authentication method of choice. While passwords may continue to be used in some MFA protocols, look at other approaches, such as biometrics or single sign-on using mechanisms such as Apple FaceID and Windows Hello.

• What reasonable controls do we have in place to detect unusual and unusually high data movement? This pattern could indicate that users are working outside of security controls. What type of data is it affecting and does that increase our risk exposure? Are there patterns in the type of data moved or applications being accessed that indicate users are working around security controls? What actions have we taken to mitigate that?

• How do we enable collaboration while protecting information? This is particularly important—given the widespread use of third-party relationships in daily business activities—in order to ensure that only the right people can access sensitive data.

• Are we able to detect and respond to threats across the full enterprise ecosystem? Devices, identities, cloud services, data, and more all must be protected in order to enable operational efficiencies and productivity, without introducing unacceptable levels of risk.
• What security outcomes do we need to see? Do we need to adjust our existing controls to enable productivity and mobile working, but still maintain our risk management levels?

• What about our cloud service providers’ risk management and security procedures? With the continued uptick in cloud services adoption, organizations need to ensure that those providers have put in place the proper risk safeguards and strong controls to enable and protect identity, information, and the entire organization’s digital profile.

Finally, ask your security team: Have you fully considered how cloud services and mobile working affect our risk and threat management models? Be sure your security team has tested its controls for usability on mobile devices and cloud services, and ask if they have taken all necessary steps to achieve the visibility and control needed for those environments, without impacting productivity.

In short, good security and a positive user experience are not mutually exclusive—not unless you make them so. Please don’t.

Conclusion

We have only scratched the surface when it comes to the benefits of mobile working, and integrated, native security is a big reason why this trend will only accelerate. As we increasingly adopt over-the-top communications services, security will be assumed by users from the start. This will make mobile work a natural extension of the entire work experience and dramatically increase technology.

We must rapidly and zealously continue to move past the old paradigm when security—often in the form of frequent logins, repetitive identity verifications, and clunky passwords changed far too often—inhibits productivity. And adopting the right security practices and solutions for mobile working can prevent the need to lock down and route traffic in ways that result in unacceptable latency and deployment issues.

Instead, built-in security will make users—employees, customers, and all participants in the digital ecosystem—more confident in using technology for mobile working. And while this is great for our workers, it will undoubtedly be our enterprises that will benefit to the greatest extent.


Conclusion

46
How We Can Change Our Approach to Cybersecurity Today
Nir Zuk – Founder and Chief Technology Officer, Palo Alto Networks

One of the main goals of this book, Navigating the Digital Age, Second Edition, has been to foster a deeper understanding about cybersecurity between technical and non-technical executives. As the founder of several cybersecurity technology companies, including Palo Alto Networks, I have had the opportunity to straddle both worlds, coming from a background as a technologist and subsequently dealing with the challenges involved in building a successful business and creating a dynamic corporate culture.

When it comes to cybersecurity, I see the world from both the technology and business sides. From either perspective, I see challenges—and opportunities—when I look at the approach that most organizations take to cybersecurity today. The fundamental challenge is that our approach to cybersecurity is too reactive and the mechanisms we have in place are typically too slow and inefficient to react.

As our adversaries innovate faster, we fall behind, coming up with fixes for individual threats, but failing to create a sustainable platform to consume innovation quickly and efficiently. Our adversaries are innovating weekly, and it takes us months, if not years, to deploy a new reactive response. Too often, we maintain a mindset of using humans to fight machines, when we should have long since transitioned to a model of fighting machines with machines. If we don’t address these challenges now, they will only get worse as our adversaries up the ante by using technology advances such as automation, machine learning, and artificial intelligence.

That’s the bad news. The good news is that we can fix this. We can build cybersecurity into our technologies, products, services, and corporate cultures. We can make cybersecurity a business enabler. We can create a model of cybersecurity innovation that goes a long way toward addressing the “cybersecurity moonshot” challenges articulated at the start of this book by my friend and colleague, Mark McLaughlin.

We can fix it, and we will fix it. Here’s how.

Challenge No. 1: Inefficient Consumption

The way cybersecurity has worked, thus far, is a vicious cycle that keeps adversaries one step ahead: Cybercriminals innovate quickly and come up with new mechanisms to cause more damage and make more money. Then cybersecurity companies, often led by innovative startups, develop solutions to stop those specific attack mechanisms. These new solutions usually take months to evaluate and deploy and, when they are finally deployed, they add to cybersecurity complexity.

As this cycle has evolved, our defense mechanisms have become cumbersome and inefficient. Companies now typically have dozens and sometimes hundreds of different cybersecurity solutions, which don’t necessarily work in concert but rather in silos. The organization is paying to support and maintain these solutions, plus incurring costs to upgrade and replace them.

Challenge No. 2: Humans vs. Machines

Not only are we consuming cybersecurity innovation inefficiently; we continue to approach cybersecurity from the wrong mindset. In today’s era, with automation, machine learning, and AI, if the battle is man against machine, machine will have the upper hand almost every time. We can’t bring humans to that fight and expect to win.

Machines scale much quicker than humans. Whatever the human capacity may be—whether each person can deal with five security events, or 50 or 500—when the adversary is automated, it can always overcome that number simply by throwing more computing resources at the problem.

From the adversary’s perspective, success is a function of compute, efficiency, automation, and ultimately money. As a defender, if you are relying on people to fight this battle, then you have to scale with people. So every time the adversaries add more compute power, you may need to increase the size of your team. Of course, then the adversaries just go out and spend a few more dollars to get more compute power.

There’s no possible way to keep up, either logistically or financially. On the adversary side, growth is becoming exponential because of the easy availability of compute resources. Not only can they go to the public cloud to get compute resources; they are also stealing them from their victims, taking over our end-user machines, servers, or anything else they can use on the cheap and on the sly.

Today, we have humans in our security operations centers (SOCs), fighting machines with the help of machines. We have to shift the paradigm and have machines fighting against machines, with humans to help the machines. Whenever a machine can’t do something, it can use a human.

The Opportunity: A Better Approach to Consuming Innovation

The technology to address these challenges is available today, right now. There are between 2,000 and 3,000 cybersecurity vendors out there and, contrary to popular wisdom, we don’t need consolidation. Consolidation is not good for innovation. In fact, I would argue that we need more vendors and more innovation.

What we need is a better approach to consuming that innovation. And we need you, as a business executive, to demand it. Now! If your CISO or security team seeks to buy a cybersecurity solution that will be deployed in a few months or a year, you have to challenge their basic premise. Here’s what CEOs, CIOs, and board members should demand:
1. Any new cybersecurity solution must be deployed in a day—preferably less than a day—across the entire infrastructure globally.

2. Any new cybersecurity solution cannot come with the requirement to hire more people.

3. Our entire cybersecurity team must demonstrate an accelerated rate of deploying innovation. The bad guys are moving fast; we must be moving just as fast.

At first, your CISO and security teams may be flustered because these demands fall so far out of the paradigm of how they’ve been doing things for so many years. That’s okay, because the old paradigm is broken. Your cybersecurity professionals need to go to their vendors with the same demands: Find us a way to respond to this challenge, to deploy cybersecurity innovation quickly, efficiently, openly, and comprehensively.

Cybersecurity Innovation Through SaaS

What constitutes a better approach to consuming cybersecurity innovation? In today’s world, software-as-a-service (SaaS) is the most efficient way to consume IT resources and innovation. We’ve seen the SaaS model work across many business functions: customer relationship management (CRM); salesforce management; human resources; enterprise resource planning; email; file sharing; and instant messaging.

All of these activities have either moved to a SaaS model or are moving quickly in that direction. That’s because SaaS enables innovation to be consumed easily and quickly. Thus, the answer to the earlier question about addressing the challenges to our cybersecurity approach is the same for cybersecurity as it is for all of these other business activities: We transform cybersecurity to a SaaS model.

If you look at most SaaS solutions, all you need to consume them is a web browser, and your access to innovation is immediate. Cybersecurity needs to be consumed just as easily. However, cybersecurity poses a different challenge than most of those other business activities because of the necessary evil of having the technology deployed within the infrastructure. The only way to get information from the infrastructure and to act on it is to be part of the infrastructure. This goes for data centers, public clouds, and even end-user devices. So, whichever SaaS cybersecurity solutions are deployed, they have to be deployed simultaneously at every single location.

Cybersecurity as a Platform

The answer to that challenge is actually quite simple: Cybersecurity as a platform. Look at some of the most successful IT platforms: Apple, Windows, Facebook, Salesforce.com. They provide a simple way to both provide and consume innovation by having an open platform that basically allows anyone with a good idea to come in and sell it. With a platform, the ability to deliver value and innovation becomes near instantaneous.

“A platform is when the economic value of everybody that uses it exceeds the value of the company that creates it. Then, it’s a platform.” — Bill Gates

As our adversaries become better funded, more sophisticated, and more adept at leveraging automation, machine learning, and IT, we must fix the fundamental flaws in our security approach, and we must do it now. We must be able to consume cybersecurity in a way that enables us to deploy innovation quickly and fight machines with machines.


Cybersecurity has to become a set of ing issues of our time, not just in busi-
services that you consume, rather than ness, but in the world at large. As Mark
a set of technologies you deploy in net- McLaughlin states in the opening chapter:
works, on endpoints, and in data centers.
Whether we come from business and
As we continue our journey in navigating
industry, academia or government, we all,
the Digital Age, a platform is the path to
as entrusted leaders, have a vested stake in
get from here to there, to change forever
protecting our way of life in the Digital Age.
the model for consuming cybersecurity
If we do our jobs well, we can change
services and innovation. It is the future of
the world for the better.
cybersecurity. And, as Pablo Emilio Tamez
Lopez said so well at the beginning of this You are on the frontlines. You are in a
section: The future is now. position to take action: whether it is set-
ting the tone in your organization, push-
Looking Ahead ing your teams to deploy a SaaS cybersecu-
I am going to refrain from getting into rity model, creating training and awareness
the technical details of how a cybersecu- programs, participating with government
rity SaaS platform model can work. Your officials on regulation, or advocating for a
cybersecurity professionals should be able cybersecurity moonshot.
to explain the details to you. I will say this: There’s much work to be done. Now is
Think about this with a sense of urgency. the time to act. In some ways, it seems like
Your adversaries aren’t waiting, so you can’t the Digital Age has been with us forever.
afford to wait either. In other ways, it seems all brand new. For
We are now at the end of our book and, all of us, there is still within our grasp the
if you’ve read all, most, or even some of the time and the opportunity to help build a
preceding chapters, you can’t help but con- better world. Let the journey continue.
clude that cybersecurity is one of the defin-

302 Conclusion
Contributor Profiles

Matt Aiello — United States of America


Partner
Heidrick & Struggles
Matt Aiello is Partner in Heidrick & Struggles’ Menlo Park, California, office,
where he specializes in the placement of senior-level technology, security, engi-
neering, and operations executives. He leads the firm’s Cybersecurity Prac-
tice and is a member of the Global Technology and Services Practice and the
Global Information Technology Officers Practice.

Dr. Philipp Amann — Netherlands


Head of Strategy
Europol’s European Cybercrime Centre (EC3)
Dr. Philipp Amann is Head of Strategy of Europol’s European Cybercrime
Centre (EC3), which is responsible for the delivery of strategic, situational,
and tactical cyber-related products such as the Internet Organised Crime
Threat Assessment. Prior to EC3, Philipp held management positions with the
Organisation for Security and Cooperation in Europe, the Organisation for
the Prohibition of Chemical Weapons, and the International Criminal Court.

Mark Anderson — United States of America


President
Palo Alto Networks
Mark Anderson is President of Palo Alto Networks, responsible for driv-
ing all sales, go-to-market, support, customer satisfaction, and business and
corporate development. When he joined the company in 2012, and prior to
becoming President in August 2016, Mark served as the company’s Senior
Vice President of Worldwide Field Operations. He has also held sales lead-
ership positions at F5 Networks, Lucent Technologies, RadioFrame Net-
works, Cisco, and Comdisco.

Brad Arkin — United States of America


Vice President and Chief Security Officer
Adobe
Brad Arkin is Vice President and Chief Security Officer at Adobe, ulti-
mately responsible for all security-related decisions and investments across
the company. He previously held management positions at Symantec, @Stake,
and Cigital.

Kal Bittianda — United States of America
Head of North America Technology Practice
Egon Zehnder
Kal Bittianda heads Egon Zehnder’s North American Technology Practice,
where he works with companies in the mobility, communications, systems,
software, and technology-enabled services sectors. Previously, he led busi-
ness units at Kyriba, EXL, and Inductis.

Gary A. Bolles — United States of America


Chair, Future of Work at Singularity University;
Co-founder, eParachute.com; Partner, Charrette;
Speaker & Writer
Gary A. Bolles is an internationally recognized expert and lecturer on the
future of work and learning. His focus is on strategies for helping individu-
als, organizations, communities, and countries to thrive in the digital work
economy. He is a partner in the boutique consulting agency Charrette LLC,
Chair for the Future of Work for Singularity University, and co-founder of
eParachute.com.

Michal Boni — Belgium and Poland


Member
European Parliament
Michal Boni has been a Member of the European Parliament since 2014,
and is currently Vice Chair of Delegation to the EU-Moldova Parliamen-
tary Association Committee. He is an active member of several governmen-
tal committees, including: the Civil Liberties, Justice and Home Affairs;
and the Constitutional Affairs and Delegation to the Euronest Parliamen-
tary Assembly. Michal was Poland’s Minister of Administration and Digiti-
zation from November 2011 to November 2013, has been a member of the
Cabinet of Poland, and served in the lower house of the Polish Parliament
and as the Minister of Labor and Social Policy.

Robert Boyce — United States of America


Managing Director, Accenture Security
Accenture
Robert Boyce is Managing Director of Accenture Security. Robert is respon-
sible for the growth and development of Accenture’s Cyber Threat Oper-
ations capabilities. He also provides hands-on consulting services to the
Global 2000 in the areas of advanced security operations, crisis prepared-
ness and response, and cyber defense and protection strategies.

Mario Chiock — United States of America
Schlumberger Fellow and CISO Emeritus
Schlumberger
Mario Chiock is a Schlumberger Fellow and former Chief Information
Security Officer, where he was responsible for developing Schlumberger’s
worldwide cybersecurity strategy. He is widely recognized for his leadership
and management in all aspects of cybersecurity. Mario serves on the advi-
sory boards of Palo Alto Networks, Onapsis, and Qualys.

Gavin Colman — United Kingdom


Partner
Heidrick & Struggles
Gavin Colman is Partner in Heidrick & Struggles’ London office and a
member of the Cybersecurity and the Global IT Practices. He works with
companies across various sectors to fill such senior roles as CISO, CIO, and
CTO, and with technology companies to fill a broad range of executive roles.

Alice Cooper — United Kingdom


Global Head of Derivative Trade Processing IT
BNP Paribas CIB
Alice Cooper is Global Head of Derivative Trade Processing IT at BNP
Paribas CIB. She has held a wide range of responsibilities at BNP Paribas
across a number of IT functions for trades processing, credit, and equity.
Previously, she worked at Mitsubishi Bank and Citibank.

Tom Farley — United States of America


Former President
New York Stock Exchange
Tom Farley is the former President of the NYSE Group. Tom joined the
NYSE when ICE acquired NYSE Euronext in 2013, and served as its
Chief Operating Officer. He has held several leadership positions, includ-
ing Senior Vice President of Financial Markets at ICE, President and Chief
Operating Officer of ICE Futures U.S., President of SunGard Kiodex, and
various positions in investment banking at Montgomery Securities and in
private equity at Gryphon Investors. Tom holds a BA degree in Political Sci-
ence from Georgetown University and is a Chartered Financial Analyst.

George Finney — United States of America


Chief Security Officer
Southern Methodist University
George Finney is the Chief Security Officer for Southern Methodist Uni-
versity and the author of No More Magic Wands: Transformative Cybersecu-
rity Change for Everyone. He previously worked with several startups and
global telecommunications firms. George is a member of the Texas CISO
Council, a governing body member of the Evanta CISO Coalition, a board
member of the Palo Alto Networks FUEL User Group, and an advisory
board member for SecureWorld.

Ryan Gillis — United States of America
Vice President for Cybersecurity Strategy and Global Policy
Palo Alto Networks
Ryan Gillis is Vice President for Cybersecurity Strategy and Global Policy
at Palo Alto Networks. He has also held leadership positions in cybersecu-
rity at the U.S. National Security Council and the Department of Home-
land Security.

Marc Goodman — United States of America


Author and Global Security Advisor
Marc Goodman is the author of Future Crimes: Everything Is Connected,
Everyone Is Vulnerable and What We Can Do About It. He is a leading
speaker, author, and global strategist on the impact of technology on all
aspects of our society. He also is a former law enforcement official and has
consulted for such organizations as the FBI, Interpol, and NATO.

Mark Gosling — United States of America


Vice President, Internal Audit
Palo Alto Networks
Mark Gosling is Vice President of Internal Audit at Palo Alto Networks. He
has previously held internal audit, compliance, and risk and controls leader-
ship roles at PricewaterhouseCoopers, Verisign, and NetApp.

Antanas Guoga — Belgium and Lithuania


Member
European Parliament
Antanas Guoga is a member of the European Parliament, EPP group, and
a widely respected entrepreneur who has founded a number of successful
international companies. He is also a committed philanthropist and former
professional poker legend. He was a shadow rapporteur for the Network
and Information Security Directive, organizing numerous events and con-
sultations with stakeholders on cybersecurity in the European Parliament.
With Blockchain Centre Vilnius, he was responsible for the first interna-
tional blockchain technology center in Europe, connecting Asian and Aus-
tralian blockchain centers.

Justin Harvey — United States of America


Managing Director, Accenture Security
Accenture
Justin Harvey is Managing Director of Accenture Security, with responsibil-
ities for Global Incident Response and the Cyber Fusion Center Consult-
ing Practice. In his role, he provides security thought leadership as a strate-
gic advisor on cyber espionage, cyber war, and cybercrime. Justin previously
held senior positions at Fidelis Cybersecurity, HP/ArcSight, CPSG Partners
Consulting, and Mandiant/FireEye.

William Houston — United States of America
Advisor, Technology and Communications & Industrial Practices
Egon Zehnder
William Houston is an Advisor in Egon Zehnder’s Technology and Com-
munications & Industrial Practices. He previously worked in Google’s
Emerging Business Development Group and has held senior positions at
the U.S. Department of Homeland Security and in U.S. Cyber Command.

Salim Ismail — Canada


Founder, ExO Foundation; Board Member, XPRIZE
Salim Ismail is the best-selling author of Exponential Organizations; he is
also a sought-after business strategist and renowned entrepreneur with ties
to Yahoo, Google, and Singularity University. Salim founded ExO Works
in 2016 to transform global business by catapulting organizations into the
world of exponential thinking.

Paul Jackson, GCFE — Hong Kong


Managing Director, Asia-Pacific Leader, Cyber Risk
Kroll
Paul Jackson is Managing Director and Asia-Pacific Leader for Cyber Risk
at Kroll. He has worked in close concert with such leading organizations as
Interpol, the U.S. Secret Service Electronic Crimes Task Forces, and Micro-
soft’s Digital Crimes Consortium. Paul spent 22 years with the Hong Kong
Police Force, eventually becoming Chief Inspector and Head of the IT
Forensics Practice. He also has held leadership posts at J.P. Morgan Chase
bank.

Siân John, MBE — United Kingdom


Chief Security Advisor
Microsoft
Siân John is Chief Security Advisor for the UK in the Enterprise Cyberse-
curity Group at Microsoft. She previously held a number of senior roles at
the Houses of Parliament, Ubizen, and Symantec. She is the Chair of the
Digital Economy Program Advisory Board for the Engineering and Phys-
ical Sciences Research Council and is Chair of the TechUK Cybersecurity
Management Committee. Siân was made a Member of the Most Excellent
Order of the British Empire (MBE) for Services to Cyber Security in the
New Year’s Honours List for 2018.

Ann Johnson — United States of America


Corporate Vice President, Cybersecurity Solutions
Microsoft
Ann Johnson is Corporate Vice President, Cybersecurity Solutions at
Microsoft. She previously was CEO at Boundless, an open-source geospa-
tial solutions company, and COO at Qualys, a leading supplier of cloud
security and compliance solutions. She also has held executive positions at
RSA and EMC.

John Kindervag — United States of America
Field Chief Technology Officer
Palo Alto Networks
John Kindervag is Field Chief Technology Officer at Palo Alto Networks.
Previously, he was Vice President and Principal Analyst on the Security and
Risk Team at Forrester Research. John is considered one of the world’s fore-
most cybersecurity experts, and is best known for creating the revolutionary
Zero Trust Model of Cybersecurity. John holds numerous industry certifi-
cations and a Bachelor of Arts degree in Communications from The Uni-
versity of Iowa.

Heather King — United States of America


Chief Operating Officer
Cyber Threat Alliance
Heather King is Chief Operating Officer for the Cyber Threat Alliance, a
not-for-profit organization that brings together cybersecurity providers to
improve the cybersecurity of the digital ecosystem. She also held senior roles
for cybersecurity policy at the U.S. National Security Council and other
federal agencies.

Mischel Kwon — United States of America


Founder and Chief Executive Officer
MKACyber
Mischel Kwon is Founder and Chief Executive Officer of MKACyber,
a managed security operations provider and security consulting firm.
Mischel has been in the IT and security field for 36 years. She has served
as Vice-President for Public Sector Security at RSA Security, Director for
US-CERT, and Deputy Director for IT Security Staff at the U.S. Depart-
ment of Justice.

Selena Loh LaCroix — United States of America


Global Lead, Technology and Communications Practice
Egon Zehnder
Selena Loh LaCroix is the Global Lead of Egon Zehnder’s Technology and
Communications Practice, with a focus on semiconductors, smart devices,
and cybersecurity. She previously practiced law in private practice at Gray
Cary Ware & Freidenrich (now DLA Piper) and held legal leadership posi-
tions in-house at Texas Instruments and Honeywell International.

Gerd Leonhard — Switzerland


Author; Executive “Future Trainer;” Strategist;
Chief Executive Officer, The Futures Agency
Gerd Leonhard is an influential and best-selling author of Technology vs.
Humanity and several other books. He is a sought-after executive “future
trainer,” a trusted strategic advisor to Fortune 1000 companies and gov-
ernment officials around the globe, and the CEO of The Futures Agency,
a global network of over 30 leading futurists.

Pablo Emilio Tamez López — Mexico
Chief Information Security Officer
Tecnológico de Monterrey
As Chief Information Security Officer of Tecnológico de Monterrey, Pablo
Tamez Lopez is responsible for the security of all its institutions, which
includes Higher Education and Healthcare. Pablo has designed and led the
organization’s cybersecurity strategy, which includes workforce consolida-
tion, security technologies and services, security operation center, and inci-
dent response.

Gary McAlum — United States of America


Chief Security Officer and Senior Vice President
for Enterprise Security
United Services Automobile Association
Gary McAlum is Chief Security Officer and Senior Vice President for
Enterprise Security at United Services Automobile Association. He previ-
ously spent 25 years in the United States Air Force, where he held various
staff and leadership positions in cybersecurity, information technology, tele-
communications, and network operations.

Diane E. McCracken — United States of America


Banking Industry Executive Vice President and Chief Security Officer
Diane E. McCracken is the Executive Vice President and Chief Security
Officer of a mid-sized bank located in the northeastern United States. Her
office includes cyber, information, application, and physical security, as
well as business continuity and disaster recovery. She moved to information
security in 2004 as a security analyst with a super-regional bank and joined
her current firm in 2011 as its information security leader.

Mark McLaughlin — United States of America


Vice Chairman
Palo Alto Networks
Mark McLaughlin is Vice Chairman of Palo Alto Networks, where he pre-
viously served as Chief Executive Officer and Chairman. He was previously
President and CEO of Verisign and, prior to that, held senior positions at
Signio and Gemplus. For nearly a decade, Mark has been a member of the
National Security Telecommunications Advisory Committee, serving terms
as Chairman and Vice-Chairman.

Danny McPherson — United States of America


Executive Vice President and Chief Security Officer
Verisign
Danny McPherson is Executive Vice President and Chief Security Officer
at Verisign. Previously, he was Chief Security Officer at Arbor Networks,
and he has held technical leadership positions at organizations such as
Qwest Communications, MCI Communications, and the U.S. Army Signal
Corps.

Stephen Moore — United States of America
Vice President and Chief Security Strategist
Exabeam
Stephen Moore is the Vice President and Chief Security Strategist at
Exabeam, focused on driving solutions for threat detection/response
and advising customers on breach response. Prior to joining Exabeam,
Stephen has held a variety of cybersecurity practitioner and leadership
roles. He spends his free time advising industry-leading organizations,
mentoring, and helping those in need.

Robert Parisi — United States of America


Managing Director and U.S. Cyber Product Leader
Marsh
Robert Parisi is Managing Director and U.S. Cyber Product Leader for
Marsh. Previously, he was Senior Vice President and Chief Underwriting
Officer of eBusiness risk solutions at AIG, and was legal counsel for several
Lloyd’s of London syndicates.

Sherri Ramsay — United States of America


Cybersecurity Consultant; Former Director of the U.S. National
Security Agency / Central Security Service Threat Operations Center
Sherri Ramsay is the former Director of the U.S. National Security Agency
/ Central Security Service Threat Operations Center. She currently works as
a consultant, engaged in strategy development and planning and develop-
ment of security operations centers. She is a member of the Board of Advi-
sors for the Hume Research Center at Virginia Tech and a member of the
Board of Advisors for TruSTAR Technology.

Max Randria — Australia


Principal
Heidrick & Struggles
Max Randria is Principal in Heidrick & Struggles’ Melbourne office and a
member of the Global Technology and Services Practice. He is the Austra-
lia and New Zealand lead for Heidrick & Struggles’ Cybersecurity Practice,
having led numerous C-level searches across the cybersecurity landscape.

Mark Rasch — United States of America


Cybersecurity and Privacy Attorney
Mark Rasch is a cybersecurity and privacy attorney with more than 25 years
of experience in corporate and government cybersecurity, computer privacy,
regulatory compliance, probabilistic risk assessment, resilience, computer
forensics, and incident response. Earlier in his career, Mark was with the
U.S. Department of Justice, where he led the department’s efforts to investi-
gate and prosecute cyber and high-technology crime, starting the computer
crime unit within the Criminal Division’s Fraud Section.

Yorck O.A. Reuber — Germany
Head of Infrastructure Services & CTO, North Europe
AXA IT
Yorck O.A. Reuber is Chief Technology Officer for AXA IT, heading the
domain Infrastructure in Northern Europe. His responsibilities include all
central infrastructure, as well as the transformation to an agile, digital com-
pany that uses multi-cloud scenarios and services its IT globally. A certified
Navy Chief Engineering Officer, Yorck formerly held senior-level positions
at IBM, Verizon, and T-Systems.

Dr. Andreas Rohr — Germany


Chief Technology Officer
Deutsche Cyber-Sicherheitsorganisation GmbH (DCSO)
Dr. Andreas Rohr is Founding Manager and Chief Technology Officer at
the Deutsche Cyber-Sicherheitsorganisation GmbH (DCSO). In this role,
he leads cyber defense services and security engineering for the operative
business. Previously, he worked in management positions at RWE, Volk-
swagen, and the German Federal Ministry of Defence.

John Scimone — United States of America


Senior Vice President and Chief Security Officer
Dell
John Scimone is Senior Vice President and Chief Security Officer at Dell.
Previously, he was Senior Vice President and Chief Information Security
Officer at Sony and Director of Security Operations at the U.S. Secretary of
Defense Communications Office.

James Shira — United States of America


Network Chief Information Security Officer
PricewaterhouseCoopers
James Shira is Network Chief Information Security Officer at Pricewater-
houseCoopers, where he has led an organization-wide information security
transformation. Previously, he held executive positions at Zurich Insurance
Group, including group CISO, and at American General Financial Ser-
vices, where he was Chief Security Officer.

Justin Somaini — United States of America


Chief Security Officer
SAP
Justin Somaini heads the SAP Global Security (SGS) team. With more than
20 years of information security experience, he is responsible for SAP’s over-
all security strategy. Before joining SAP in 2015, Justin was Chief Trust
Officer at Box. Prior to Box, Justin held the role of Chief Information Secu-
rity Officer (CISO) at Yahoo, Symantec, Verisign, and Charles Schwab.

Lisa J. Sotto — United States of America
Partner
Hunton Andrews Kurth LLP
Lisa Sotto chairs the top-ranked Global Privacy and Cybersecurity practice
at Hunton Andrews Kurth. She is the managing partner of the firm’s New
York office and serves on the firm’s Executive Committee. Lisa has received
widespread recognition for her work in the areas of privacy and cybersecu-
rity and was named among the National Law Journal’s “100 Most Influen-
tial Lawyers.” She also serves as Chairperson of the Department of Home-
land Security’s Data Privacy and Integrity Advisory Committee.

Jennifer Steffens — United States of America


Chief Executive Officer
IOActive
Jennifer Sunshine Steffens is the Chief Executive Officer of IOActive, a
global consulting firm dedicated to making the world a safer place. She has
received numerous industry awards for her leadership in the cybersecurity
industry, including CV Magazine’s IT Security CEO of the Year award for
2018. Previously, she held leadership positions at groundbreaking cyberse-
curity companies such as Sourcefire and NFR Security.

Megan Stifel — United States of America


Attorney; Founder, Silicon Harbor Consultants;
Cybersecurity Policy Director, Public Knowledge
Megan Stifel is an Attorney and the Founder of Silicon Harbor Consul-
tants, which provides strategic cybersecurity operations and counsel. She
also is Cybersecurity Policy Director at Public Knowledge, and has held
cybersecurity leadership posts at the U.S. National Security Council and
the U.S. Department of Justice.

Ed Stroz — United States of America


Founder and Co-President
Stroz Friedberg, an Aon company
Ed Stroz is Founder and Co-President of Stroz Friedberg, an Aon com-
pany, a global leader in investigations, intelligence, and risk management.
Previously, he was a Supervisory Special Agent for the U.S. Federal Bureau
of Investigation, where he established the first Computer Crimes Squad in
their New York Field Office.

Ria Thomas — United Kingdom


Partner and Global Co-Lead for Cybersecurity
Brunswick Group
Ria Thomas is the Global Co-Lead for Brunswick Group’s cyber offering.
She has almost 20 years of experience in private and public sector cyberse-
curity strategies and policies, including advising senior government leaders,
board members and C-suite executives on cyber-focused crisis prepared-
ness, enterprise-wide response, and corporate resilience strategies.

James C. Trainor — United States of America
Senior Vice President, Cyber Solutions Group
Aon
James C. Trainor is Senior Vice President within the Cyber Solutions Group
at Aon, responsible for helping to shape the organization’s overall cyber
strategy. He previously led the Cyber Division at the Federal Bureau of
Investigation, where he led agents and analytics in every major high-profile
cyber investigation involving the FBI.

Rama Vedashree — India


Chief Executive Officer
Data Security Council of India
Rama Vedashree is Chief Executive Officer of the Data Security Council of
India. She previously was Vice-President at NASSCOM, overseeing a wide
range of initiatives, including domestic IT, eGovernance, smart cities, and
healthcare. She also has held executive positions at Microsoft and General
Electric.

Patric J.M. Versteeg, MSc — Netherlands


Patrick J.M. Versteeg has been a cybersecurity professional for more than
20 years. He works with organizations throughout the world on strategic
cybersecurity planning, leadership engagement, and custom solutions that
ensure organizations stay secure and safe in the ever-changing cyber landscape.

Nir Zuk — United States of America


Founder and Chief Technology Officer
Palo Alto Networks
Nir Zuk is Founder and Chief Technology Officer at Palo Alto Networks.
Prior to co-founding Palo Alto Networks, Nir was CTO at NetScreen Tech-
nologies, which was acquired by Juniper Networks in 2004. Prior to Net-
Screen, Nir was co-founder and CTO at OneSecure, principal engineer at
Check Point Software Technologies, and was one of the developers of state-
ful inspection technology.

Naveen Zutshi — United States of America


Senior Vice President and Chief Information Officer
Palo Alto Networks
Naveen Zutshi is Senior Vice President and Chief Information Officer at
Palo Alto Networks, where he oversees the organization’s IT solutions and
strategy. Previously, he was Senior Vice President for Technology at Gap
Inc., as well as Vice President for Technology and Operations at Encover,
a SaaS-based CRM company. He also held senior technology positions at
Cisco and Wal-Mart.

Navigating the Digital Age | Second Edition

We are at a pivotal moment in the evolution of digital technology. The pace of change
has never been faster or more profound. As we entered this century, there were no
smartphones, tablet computers, or vast social media networks. Now they are deeply
embedded in the fabric of our everyday lives.

Where do we go from here? How do we ensure the technologies we treasure will enrich
us? What inventions and innovations will inspire the next wave of change? Perhaps most
important, how do we ensure that our digital interactions are secure and the people using
them feel safe?

That’s where this book comes in. Our purpose is to shed light on the vast possibilities that
digital technologies present for us, with an emphasis on solving the existential challenge of
cybersecurity. If we fail on the cybersecurity front, we put all of our hopes and aspirations
at risk. So we start this book with a simple proposition: When it comes to cybersecurity, we
must succeed.

Two pressing issues are the lack of cybersecurity education for youth and the anticipated
shortage of cybersecurity talent in the workforce of the future. Your readership enables us
to support and elevate cybersecurity education for all students through the Global
Cybersecurity Education Fund.

How we work together, learn from our mistakes, deliver a secure and safe digital future—
those are the elements that make up the core thinking behind this book. More than 50
experts from around the globe have contributed their thoughts and ideas. Individually, the
chapters are dynamic and thought-provoking. Collectively, they point the way to a more
secure and safe digital future.

We cannot afford to be complacent. Whether you are a leader in business, government, or
education, you should be knowledgeable, diligent, and action-oriented. It is our sincerest
hope that this book provides answers, ideas, and inspiration.

www.navigatingthedigitalage.com