As the new year (and new decade) begins, one thing is certain: cybersecurity will continue to have an increasing impact on business, for better or worse. In this episode, we hear from Stephanie Balaouras, a cybersecurity expert who has spoken to thousands of customers over her 15 years at Forrester Research. She is the vice president and group director of security and risk research, as well as infrastructure and operations research.
Balaouras makes the case that all businesses should have a chief information security officer, or CISO, as the world of cyberthreats becomes more intricate and perilous. "Even companies that have a CISO should take a hard look at how high in the organization they report," Balaouras says. "Do they have the right budget? Do they have enough staff? Have you given them the right span of control?"
Balaouras also reviews some of the biggest cybersecurity trends in 2019 and makes predictions for 2020.
Business Lab is hosted by Laurel Ruma, director of Insights, the custom publishing division of MIT Technology Review. The show is a production of MIT Technology Review, with production help from Collective Next. Music is by Merlean, from Epidemic Sound.
Cybersecurity isnt only about stopping the threats you see. Its about stopping the ones you cant see. Thats why Microsoft Security employs over 3,500 cybercrime experts, and uses AI to help anticipate, identify, and eliminate threats. So you can focus on growing your business, and Microsoft Security can focus on protecting it. Learn more at Microsoft.com/Cybersecurity.
Show notes and links
Forrester Research: Cybersecurity
A CISOs Guide to Leading Change by Jinan Budge, Forrester Research
Stephanie Balaouras
The Need for Complete Cloud Security, an interview with Stephanie Balaouras, on YouTube
Full transcript
Laurel Ruma: From MIT Technology Review, I'm Laurel Ruma and this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace.
Security threats are everywhere. That's why Microsoft Security has over 3,500 cybercrime experts constantly monitoring for threats to help protect your business. More at microsoft.com/cybersecurity.
Our topic today is cybersecurity and more specifically the role of the chief information security officer, the CISO. We'll also review cybersecurity news from 2019 and look ahead to cybersecurity trends for 2020. One word for you: Deepfakes. My guest is Stephanie Balaouras who is a cybersecurity analyst and has spoken with thousands of customers in her nearly 15 years at Forrester research. Stephanie is the vice president and group director of security and risk research as well as infrastructure and operations research. Stephanie, thank you so much for talking with me on Business Lab.
Stephanie Balaouras: Thanks.
Laurel: So just to start, in 2017 Forester published a report by Jeff Pollard, a member of your team, about the career paths of CISOs, chief information security officers. And I particularly like talking about this role because it is so new to the C-suites in the business. If Citibank just appointed the first CISO ever, in 1995, that's really recent history. But if every company is also a technology company, why doesn't every company have a CISO?
Stephanie: If you look at the history of other roles, like I think the first CMO, chief marketing officer was in the 1950s you still had companies 20, 30 years later without a CMO. So when these emerging roles first start out, it does take some time for it to become the norm. But I will say every company really should have a CISO. Publicly traded companies are required to have a CISO. But what we will often find is, depending on the size of the company, sometimes they'll get away with calling the CIO also the CISO or some other IT executive the CISO as well. So that's pretty common with smaller companiesthey'll get away without having a standalone role.
But what you'll also find is if they have a breach or some sort of major cybersecurity issue or even a major compliance violation that's data security-related, the first thing that they'll do is name a dedicated CISO. And then even companies that have a dedicated CISO, when they have a breach, a lot of times what happens is they realize the CISO didn't report up high enough in the organization or didn't have the right span of responsibilities or enough budget or enough people. So then they'll fix that. Name CISO should be requirement, but I would say even companies that have a CISO should take a hard look at how high in the organization they report. Do they have the right budget? Do they have enough staff? Have you given them the right span of control?
Laurel: Because that's an expensive fix, isn't it?
Stephanie: Yes, exactly.
Laurel: Only after an attack, do we have looking at the roles and responsibilities in a new light, in a more responsible light?
Stephanie: Exactly.
Laurel: So if the perfect CISO is a bit of both a businessperson who can talk directly to the CEO, explain the necessity for security and risk mitigation, but then also talk to customers perhaps as well as other employees and talk about security and how that role is important to the company. Where are these people coming from? Where are they getting all of this education?
Stephanie: When we looked at CISO career paths, we did find most of them did come up through the security ranks. So typically they did start off as security professionals. They gained decades of experience in the role. But what we often found is the majority of them often would go back for graduate degrees, and they would actually go after a business degree. They would often get MBAs, and it was because they needed to satisfy both of those requirements, which is, yes, I'm a technology executive, but at the same time I'm a technology executive that in a large company reports to the board on a quarterly basis or reports directly to the CIO or directly to the CEO. So it's definitely a combination of education and experience.
I would say universities are doing a better job of providing undergraduate and graduate degrees in information security. There's some areas where they're incredibly weak, like application security is not taught well at the undergraduate level, if at all. It's done really poorly. The other thing I'll pick on universities about is they're not doing a good job of recruiting women into undergraduate and graduate programs. There is a huge skills gap as well as a staffing issue in security, and at Forrester we like to say it's largely self-inflicted because we're not recruiting from half of the population, and we're not recruiting people from diverse backgrounds. We've got this one mold of individual that we recruit from, and then we're shocked when we can't find enough people with this very narrow skill set, so.
Laurel: Yeah, the report said nine out of 10 CISOs are male.
Stephanie: Exactly, exactly. We haven't looked at the end of 2019 yet, but the last couple of years that's been true. And if you look at the staff as well, it's worse than the general security industry. It's at about 11% of security staff are female. It's worse than general IT. General IT also has a problem, but it's more somewhere between 20% to 30%, so security is even worse.
Laurel: So when we talk about lack of diversity in security in general, how are companies trying to respond to that? Are you seeing any particular companies showing best practices?
Stephanie: There are definitely some best practices. Actually, I've seen a lot of vendors, like large technology vendors, they're actually partnering with universities and they're actually even partnering at the high school level. For example, with the Girl Scouts of America, to actually foster programs that get girls excited and interested in cybersecurity from a very young age and then want to continue to pursue it at an undergraduate and graduate level. At a number of universities, there's pretty aggressive scholarship programs.
And then also there's just a lot of introspection that's happening at the corporate level where we kind of look at the culture of security teams. We look at a lot of the traditional routes from where we recruit from, which is conferences that are male-dominated or again, we have these job descriptions that emphasize a lot of military experience as an example. So it's sort of like broadening the aperture of people that will recruit into the security industry, a willingness to develop their skill set as well as doing a much better job of actually filling the funnel, filling the actual pipeline over the long term.
But to your point, diverse teams make better decisions, and in the long run they're higher-performing. And then the second thing I would say is there are so many open jobs in security, not just in the US, but also globally. It's also a math problem. We are not going to fill these open positions if we're not recruiting from half the population.
Laurel: Also, it seemed like not a lot of security talent was necessarily promoted from within. In the reports from Forrester, it sounded like you had more likelihood to be given a promotion if you went to a different company. Are companies now re-examining their own talents?
Stephanie: That's actually true at kind of the individual level as well as the CISO level. So we've found amongst the Fortune 500 that first-time CISOs were rare, and they weren't promoted from within. So they'd like to hire externally for CISOs, and they wanted CISOs that had prior experience as a CISO. And actually if you are somebody in security, so that means if you want to be promoted into CISO, your best opportunity is actually to look externally, outside your company. And we also found that when companies hired CISOs externally as opposed to promoting them from within, they were more likely to have them report higher up in the organization. So yeah, at the CISO level, companies could do a better job of looking within and giving those individuals the right opportunity to report higher in the organization.
But we also found things similar again at manager levels and individual contributor levels, which is they weren't hiring from within the company or when they did hire individuals, they weren't giving them good career paths and ongoing skills development. So again, if those individuals really wanted to further their career, most of them ended up leaving. So that's why we say so much of the skills and the staffing challenges are completely self-inflicted.
Laurel: So it's a bit of a blind spot that probably everyone could do a little bit better on, right?
Stephanie: Exactly. Yeah.
Laurel: I was reading this Ponemon Institute report, and this particular phrase jumped out at me and as we were talking about the CISO and what kind of person would do that role in the first place and the experience they had, more than just a resume, it's also your attitude and ability to act really quickly and really smartly and also communicate very well. But the quote was, and I'm paraphrasing a bit here, technology has transformed the internet age into a period of cruel miracles for security professionals. All of our cruel miracles are that we have devices in every pocket. We can go anywhere, we can talk to anybody at anytime, and we can do it at the speed of a lightning bolt, but at the same time if you're a CISO, how do you secure it all?
Stephanie: Right. Yeah. All of these devices that extend the four walls of the company, they are basically extending the attack surface of the organization. So for CISOs, it's been sort of this march away from a traditional perimeter-based approach to security and actually taking more of a data-centric and application-centric, and I would even say identity-centric approach to security.
Not that the network's not important, network security is hugely important, but it's more of the perimeter-based approach to security that's changed dramatically. So again, where there's no true four walls of the corporation. The perimeter is actually much smaller. So we tend to think of secure enclaves. How do I build a micro perimeter around our most important assets?
When we talk about an extended network of all kinds of devices like you mentioned or the computing environment itself, which could be a combination of on-premise, cloud, hosted private cloud, and every variation thereof and any kind of user population that interacts with the company systems and data. That could be your own employees, it could be consumers and customers, it could be third-party partners. So when you think about devices, user populations and different computing models, there is no perimeter. So the focus becomes on protecting the data itself regardless of where it travels and regardless of the hosting model or the location. Really, really taking a hard look at identity. So limiting and strictly enforcing access, both human and nonhuman. So it does kind of flip the traditional security paradigm on its head. You move away from perimeter-centric to data- and identity-centric.
That's what we typically recommend to CISOs. And we call that the zero-trust model of security, which is you assume you already have a breach, and you never assume trust in your environment. You just always assume that something's going wrong somewhere, but it works. It perhaps is not the most positive spin in the world, like, oh, zero trust, but it works. It's very effective.
The other thing I would say is I would really encourage manufacturers of all these devices, IoT sensors, IoT devices, everything that you can think of to really do a better job of building security into the device itself from the beginning. That would definitely make the CISO's job much easier. It's just so frustrating. It's largely out of their control as well.
Laurel: Right? Well, especially
Stephanie: Except for the CISOs that actually work at product companies. You should be involved in product development. You should be advising the organization.
Laurel: And it's interesting because security doesn't always come first, does it?
Stephanie: No.
Laurel: Especially when you're doing product design. So do you see that happening often though? CISOs actually actively involved in product design?
Stephanie: Not to date, unfortunately, but it is something that we do recommend. And I would say some CISOs don't necessarily see it as their traditional role, like their traditional role has been to secure the back-end systems of record and infrastructure and the company's data and not necessarily get involved in development, but we actually actively encourage CISOs to get involved in product design and product development to really help the organization secure what you sell. So whatever it is you sell, whatever service it is you're delivering to a consumer, a patient, a citizen, another corporation, if you're a B2B organization, actively being involved in securing what you sell.
Laurel: And that's certainly a competitive differentiator, isn't it?
Stephanie: Yeah, absolutely. Absolutely. We found security, as well as privacyand those aren't synonymous, but sometimes they do go hand in handdoes create competitive differentiation for companies.
Laurel: Yeah. And that's an important differentiator, and all the noise that you have coming out. So if there's something very specific that you can market, that would be a good one. But we're also kind of talking about the CISO really taking an active role in everything. So you have to be this multi-talented person who can talk and understand product as well as be out and about in the community, right? All at the same time sharing, but not sharing, company secrets and how you defend the data because there is this idea, especially in the tech community, where you do share your best practices and what you've learned from. And I was just wondering a bit about that, how do CISOs actually share but not share everything?
Stephanie: Yeah, there is that challenge. A lot of CISOs are very loathe to talk about specifics about their deployments, and I don't necessarily see that changing anytime soon. Sometimes in smaller groups though, there are a lot of communities that support CISOs. Actually at Forester, we have a peer networking group of about a 100 CISOs. There's all kinds of ISACs and intelligence sharing communities amongst like CISOs that are industry specific. So often in tightknit communities where there's an understanding that everything's under NDA, where there's candidness, where there's some personal relationships, CISOs will share a lot more. But I have found CISOs willing to talk about overall strategy. When I mentioned moving from perimeter-based approaches to data- and identity-centric. Talking about culture. Culture is actually hugely important, not just at the CISO but for the rest of the security organization as well.
Because you need an organization that has the right kind of staff that can actually talk to developers and be part of secure application development, that can work with infrastructure and operations teams to secure cloud deployments. That could actually work with marketing teams to help them understand privacy implications of how they might be personalizing services and data and ads to consumers. So you need also the security team itself, not just the CISO, the security team itself to be vocal and outspoken, collaborative and willing to insert themselves into core business and IT processes throughout the organization. So they'll talk about culture, they'll talk about staffing, they'll talk about the kind of skills that are required as well. We definitely see some change there.
Laurel: And also the business has to be willing to allow security kind of come full circle on this idea but not just product but then also everyone else. So marketing, thinking, again, security first or security at some point. How do you then have this conversation, so everyone is a bit educated? You don't have to be an expert in security if you're in marketing, but you have to be willing to listen.
Stephanie: A lot of times CISOs would kind of tell the stories and everything was doom and gloom. I think taking a much more risk-based approach where you're helping the business understand future risks and helping them just understand both probability and impact and advising them on making the right decisions, like moving from that department of no to more of that consultative role I think helps. The more you become that consultative subject matter expert more, I think you can bring along the rest of the organization with you. I think that that's a big help and it sort of varies by CISO skill set as to how good they are at doing that. I think anytime you can put things in a positive business terms as well, that helps.
There was an analyst on my team that wrote this report, it was called security for profit, and in it he outlined ways that security could potentially be a revenue generator for the company. Again, it could be value-added features that people were willing to pay more, or it becomes a competitive differentiator in a product or service that you offer. So it could actually contribute to the top line. And then he also outlined all the ways that can actually save the company money beyond breach avoidance and avoidance of compliance fines.
There's all kinds of ways where if you do security right, it can actually dramatically improve employee experience and reduce operational costs within the company. Identity is one of the biggest examples, when you think about onboarding an employee and the ability to automate all the ways that you give them access to the systems that they need. Resetting passwords. I mean, there's so many just low-hanging fruit where you can make employees lives easier, but then you're actually really reducing hard costs.
Laurel: Yeah. And that's certainly something you don't think about, but you are certainly frustrated when you have to redo your password and it takes forever and/or you have to go on a different system and blah, blah, blah. But that kind of streamlining is not just from a security perspective, but as you said, it's from everyone's perspective to just make their lives easier, which is what ultimately every employee wants.
Stephanie: Yep.
Laurel: So how do CISOs stay on top of the latest trends? I mean, conferences, those small groups that they talk to?
Stephanie: Yeah, I think they do do their own research, whether it's publications like yours, firms like Forrester, the other big kind of strategy consulting firms as well. They do do their own research though. They'll often send their staff to a lot of the conferences. And then I do think those peer-networking groups help dramatically as well. But it is hard to stay on top of every single possible trend. So I do think it always helps to have some sort of external advice as well, to give you a heads up on emerging threats, on emerging risks, emerging compliance and regulations that are happening all over the globe.
Laurel: Yeah, and then just like you said, having that peer group to establish trust and some kind of transparency with sharing best practices and just hearing various stories, even if it's from a friend I've heard, to kind of get those warnings out to various organizations and people. Speaking of that, other than in these peer groups, is there much cooperation between government and business? Are you seeing more of it or do people pretty much pretty stay in their lane because there are other conflicts to worry about with businesses and governments?
Stephanie: Yeah. In the US and actually other countries like the UK, if you're considered a critical infrastructure industry, you will need to have close relationships with federal government officials. If you're in critical infrastructure, I mean, there's going to be industry-specific cybersecurity regulations that you have to follow, you know, if you're in energy. I mean, even financial services is considered critical infrastructure. So then you'll have to follow NIST guidelines, as an example. Anybody doing business with the federal government will have to follow NIST.
You don't want to wait to form relationships with the federal government or specific agencies, like the FBI. You don't want to wait until you suspect something or have a breach. Or in a lot of cases, it's the reverse which is, they've detected something, they're alerting you to it. Sometimes, they can't offer you specifics because their hands are tied as part of a larger investigation. So you can actually develop relationships with a lot of the US federal government agencies ahead of time, so that you can share threat intelligence. Or again, should something actually really occur, you already have those pre-existing relationships in place.
Laurel: Yeah, and speaking of something already occurring and preparation plans, are you seeing more companies develop those preparation plans for, again, not if, but when they are hacked or a cyberattack happens and they need to go public with it?
Stephanie: So with incident response, there's sort of the internal incident response, which is sort of all of the processes that you need to detect, then remediate, and then respond. And a lot of the responding is more of what we call kind of a forensic level responding: determining exactly what happened, remediating it, potentially collecting forensic evidence if you decided that you were actually going to pursue legal action, depending on who it was afterwards. Then there's the external response, and you really need both. You really need a sophisticated incident response, process and initiative within the company with dedicated experts, particularly if you're a large enterprise.
But I think where companies often really fall down is on external breach response. And again, regulations require that if it's consumer-related, if it's affected individuals, you are required to notify them within specific days. In many cases, it's 30 days. Under GDPR in Europe, it's 72 hours or less. And we have seen companies royally botch the external breach response, meaning that they were cagey about offering information to consumers.
I don't want to pick on companies because victim blaming often isn't all that helpful, but I've seen companies kind of blame the consumer, in a way, saying, "Oh, if you had better password hygiene, if you were monitoring your own accounts much more closely, this wouldn't be as big of an impact." No. You need to show empathy with your customers. Put them first. Do everything you can to protect them. Don't be cagey about sharing information because of CYA kinds of concerns. And in some cases, if you do it right, it's an opportunity to not lose their trust, but potentially even to reinforce it and build it up, if you've put them first. But you can really botch it and make the breach so much worse than it needed to be.
Laurel: And that just cost the company even more money.
Stephanie: Exactly.
Laurel: When you look back at 2019 and there's a lot to talk about cybersecurity wise, if we kind of look at three specific areas, first off is just cyberattacks, but very specifically on cities and municipalities. So New Orleans was the most recent, as of the end of the year, that we know of, but it was also on the heels of the State of Louisiana having a cybersecurity attack. We know it's happening across the country. So to ask a very loaded question, why are cities and municipalities being targeted for cyberattacks when they're not necessarily the most well-funded outfits?
Stephanie: Yeah. So that's why, because they're easy targets. So if they've been underfunding their security efforts for years, then they're much easier to penetrate and then ask for a ransom, even if the ransom if small.
Laurel: It's better than nothing.
Stephanie: It's better than nothing. That's actually the consensus of a lot of the team, is so many of these local, city, and state governments and municipalities are just such easy targets because they have been underfunded and understaffed for years. And most of the time, there is financial motivation, but there are other types of motivation. It could be political, social. If you get to a larger kind of states or federal agency, you might even get into geopolitical and even military in some of the nature.
Actually, the City of New Orleans, what was interesting about that is the attackers didn't ask for a ransom. So they used ransomware to disable them. Everything was encrypted and forced them. I think they were replacing tons of computer infrastructure. It can be really difficult to recover from backups. We say that so flippantly, like, "Oh, just recover from your backups." Most backups complete with errors and the ability to recover from a backup at scale is actually very, very difficult. And who knows when the ransomware was actually introduced? So then you're just reinstalling the ransomware.
Laurel: Interesting.
Stephanie: But yeah. From my understanding, they didn't actually ask for a ransom. So their motivation wasn't financial. So it could've been ...
Laurel: Just disruption.
Stephanie: ... just disruption for the sake of it.
Laurel: To see if they could do it, yeah.
Stephanie: Or interestingly enough, I read this article where it's forced the city to replace a ton of computer infrastructure, laptops, desktops, server infrastructure. So theres a part of me that's wondering, "Oh, it could be city employees. I know how to get the city to upgrade."
Laurel: Right, right. Force them.
Stephanie: Force them.
Laurel: By ruining everything.
Stephanie: Yeah. So they're easy targets and the motivations for the attack are much varied, I think, when it comes to critical infrastructure and then city, state, and local government.
Laurel: And that's not necessarily when a ransom is asked for that you ever find out where they're coming from or who they are or if they are foreign state actors.
Stephanie: Yeah, you don't necessarily know.
Laurel: You'll never know. It's just a guess.
Stephanie: Yeah. We actually put out a controversial report this year that said, in some cases, organizations might want to consider paying the ransom. I'll be honest, I think for city, state, and local governments they might be prohibited from paying the ransom. I don't know. I would have to look into that, but private-sector companies, even though I'm sure FBI and other law enforcement agencies would prefer that they not do so, in some cases, it might actually make sense. And cyber insurers would even say that it might make sense in some cases. And there are actually firms that specialize in helping companies pay the ransom. Sometimes, you can actually negotiate for a lower ransom. It's like bartering. They'll act as the go-between between the various characters in the company. Obviously, you're paying them in a cryptocurrency. You're not just transferring cash.
Laurel: Of course.
Stephanie: So they can facilitate that, as well. I mean, if you look at the City of Baltimore, what they ended up spending to recover from the ransomware attack was probably a hundred times more than the actual ransom. I forget the numbers, but the difference was ridiculous.
Laurel: So some advice to cities and municipalities would be to actually look at your systems an try to get them up to date and protected, in some way.
Stephanie: Yeah. Certainly with ransomware, make sure all your systems are up to date, patched. If you look at most successful attacks, external attacks, they're taking advantage of vulnerabilities and other types of software exploits. It's nothing fancy. Everybody always loves to use advanced attacks or state-sponsored attacks. The reality is most of these attacks are pretty low budget, but yet still effective.
The other thing is take a close look at your backups. I can't emphasize it enough. People always overlook their backups. It becomes this rote IT process that nobody ever looks twice at or people demean it and call it not important. It could be more important today if you don't want to pay the ransom.
****
Laurel: Cybersecurity isn't only about stopping the threats you see. It's about stopping the ones you can't see. That's why Microsoft Security employs over 3,500 cybercrime experts and uses AI to help anticipate, identify, and eliminate threats so you can focus on growing your business and Microsoft Security can focus on protecting it. Learn more at microsoft.com/cybersecurity.
****
Laurel: So another interesting topic coming out of 2019 were just general data breaches. So 2019, it did really seem like, every other day, some company or someone was announcing a data breach. And then, according to Risk Based Security, 2019 saw more than seven billion records exposed. So when we get back to CISOs, how are CISOs and company executives really responding to that if 2019 was sort of this year where we [have seen so many] breaches, in one year?
Stephanie: Yeah. I do think 2019 was finally the year of breach fatigue. I mean, it was even difficult for us to keep up with every breach that hit the news. I do think it helps to put it in perspective. Not every one of these breaches was an attack. A lot of them actually were the result of accidental exposures. So if, for example, you misconfigured cloud storage, that's actually considered a breach, even though there's not necessarily any proof that any kind of third party or external attacker or organization actually misused or abused the data. Just the fact that somebody either internally or, oftentimes, it's the security researcher actually who discovers that all the information was less exposed. That is considered a breach.
But yeah. If you look at breaches, themselves, 51% of companies had at least one breach in the past year. And that number is probably higher because a lot of organizations don't know about it immediately. But then, there are a large percentage of them, actually the majority, are internal, a result of internal incidents, third-party incidents, or just lost or stolen devices. And if you do look at true external breaches, where it was an external party that attacked you and gained access to your sensitive data, getting back to a lot of it's low budget, the top three attack vectors were a direct attack on your application, taking advantage of a software vulnerability, or compromised user credentials.
See original here:
Cybersecurity in 2020: The rise of the CISO - MIT Technology Review