If there was ever a time when a company could afford to be complacent about cybersecurity, the last few years have piled up a digital dumper truck’s worth of examples of why 2017 isn’t it. As more businesses, from the tiniest garage startups to online megacorporations, drill ever deeper into their customers’ day-to-day lives, security, privacy and trust translate more and more readily into cash – making the Chief Information Security Officer (CISO) ever more indispensable in the boardroom. When data is currency, the CISO is more than just the person holding the keys to the vault – they hold the key to a company’s entire online kingdom.
“Without a doubt, cybersecurity is now in boardroom discussions,” says Raj Samani, chief scientist at McAfee and a former CISO himself. “When I was a CISO, I saw my boss once in six months. When I was [more recently working] with one of the largest banks, their CISO said, ‘out of every single person who’s briefed the board, I think I’ve been here the most.’
“And I think that is, in part, because these companies aren’t just banks anymore: they’re software houses and hardware firms or information houses. In the past, you could say, ‘this bricks and mortar company does X’. But in fact what we realise now is that the dependency that every organisation has on technology is now almost ubiquitous. From hospitals being taken down to shipping companies being wiped out; we rely upon digital systems.”
The biggest challenge in security? Human nature
For Samani, who will speak at this year’s WIRED Security event, the world of cybercrime and the role of the CISO is muddied by myths and misconceptions. The first is that we should be tacking the word ‘cyber’ onto the front of security in the first place, artificially and arbitrarily dividing the two (“When a computer worm spread across the world, the impact was physical: 80,000 people had their operations cancelled”). The second is maybe more pertinent: the attitude that there is any company – or even any individual – too small to be a mark for online criminals.
“Everybody’s a target. Everyone is,” he says. “Small-to-medium-sized businesses, some [of them] say, ‘well, cybersecurity isn’t big for us – we’re a small company, nobody would hit us.’ Well, you know what? That approach now has to change.
“Here’s the beauty of cybercrime: you don’t need to be good. You don’t need to be sophisticated. My eleven-year-old daughter could go online and run a ransomware campaign and probably make more money than her dad. That’s the reality. There’s a misconception that if it’s nation state [backed], it’s really, really good. That’s not the case.
“I don’t think just because you’re a small business you’re going to be facing low-level stuff – I think you could be facing some pretty good stuff. It’s easy to do now. If I wanted to go out and compromise you, your life and everything about you, I could go onto Facebook, find out what [you] like, what football clubs [you] support, where you used to work, then I send you an e-mail and make it look convincing… I can do that in, what, eight minutes? Five minutes? I can find out everything about your life. So the technical barriers required to become a cybercriminal are the lowest they’ve ever been – and they continue to fall every single day.”
Part of the reason for that tumbling barrier to entry for the budding cybercriminal is, Samani says, the ease with which pre-written pieces of malware can be bought and disseminated over the internet. The other is the spiking number of connected consumer devices that we welcome into our homes, or give no thought to carrying on our persons. The attack surface for the average person – as an individual, or as an employee and potential weak point in a company’s digital security structure – has grown in line with smartphones, smart TVs, and the current dawn of in-home personal assistants like Amazon’s Alexa or Google Home. The potential conflict, on the part of the companies hoping to flog such devices, is obvious: how do you balance the cost of producing your devices and services against making – as sure as you can be – that they’re not going to sit in your customer’s living room, hoovering up their personal data in between calling taxis and ordering pizzas?
“Any company must in all cases undertake appropriate due diligence to make sure that the appropriate technical and organisational controls are in place. It really is simple: if a company goes out and doesn’t do their due diligence, then the impact to them will be more significant. If there is a major breach, then you can expect class-action lawsuits, customers leaving you in droves – to be called up in front of Congress or Parliament maybe. That’s the cost of doing business: reasonable controls should be an expectation for every company and every customer.”
How reasonable ‘reasonable’ turns out to be will surely change as the next generation of consumers matures. Privacy-conscious, yet increasingly comfortable sharing their lives online, the drivers of tomorrow’s consumer tech market will change – and the role of the CISO will change with them. Increasingly, the CISO won’t be lazy shorthand for ‘person-who-prevents-digital-disaster’. Rather, CISOs will be the people who secure customer data, and then use – with the earned confidence of those customers – that data to create new and more sharply tailored products that ultimately add to the user’s life and the company’s bottom line.
“I think the role of the CISO should be to guide the business in terms of enabling additional revenue streams that had never been considered before,” Samani says, pointing to the leap that each generation makes with technology. “A great example is car insurance. That is an industry that has evolved and changed dramatically through the advent of technology. Now I can get a black box inside my car which will provide me with additional discounts on insurance. Those types of new business models leverage personal data to generate a new economy. The role of the CISO should be looking at ways to leverage security and privacy in a fashion which addresses consent, transparency and value, to be able to provide additional revenue for the businesses in which they work.
“Trust, in the digital age, will be a key commodity in the future, and the CISO is an integral foundation for the delivery of that trust. They are no longer the person on the outside: they are part of the foundation for that business: the key to that organisation.”