Cybersecurity Effectiveness Podcast

Richard Stiennon

I think investors have banked in the risk. They don't have a tool that the companies can tell them, you know, other than there's a CISO in place. So maybe that gives them some assurance, but I don't think it's until the regulators, specifically the SEC, get involved and require some level of reporting. I don't think it's until that time that the investors have something that they can use to measure total risk when it comes to their investments.

Richard Stiennon is Chief Research Analyst for IT-Harvest, a firm he founded in 2005, and is a Washington Post best-selling author.

Brian:                          

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host Brian Contos, and we've got a really special guest today. Joining me is Richard Stiennon.

Brian:                          

Welcome to the Cybersecurity Effectiveness Podcast, Richard.

Richard:                      

Hey, Brian. Glad to be here.

Brian:                          

So, Richard, to kick things off, can you just give everyone a little bit of background on yourself?

Richard:                      

Yeah, sure. I'm an Industry Analyst, and no matter how many times I try and break away from that, I fall back into it. So, I was at Gartner in the early 2000's, and I've had a few roles as an Executive at a few security companies. But I always come back to just being an Industry Analyst. So, I write books, I write columns. I do research reports, and I'm a public speaker.

Brian:                          

Fantastic. And definitely for our listeners, if you're not familiar with some of Richard's books such as Up and to the Right, which is about companies working with analysts, and some of his books on cyber warfare, absolutely wonderful reads, so be sure to check those out.

Brian:                          

So, Richard. We've known each other for, boy, I guess going on 15 years, and a lot of our conversations go in the direction of security executives, including CEOs. I'm noticing today that CEOs are really talking a lot about cyber security publicly, and they're discussing how they're leveraging cyber security solutions to reduce financial and operational or mission risk. So, my question for you is, why are they doing this, and how is security maturing at that executive leadership level?

Richard:          

Well, I think that what's happened is that over the last decade or so, most large organizations have either begun or are fully into a digital transformation. So now the CEOs, whether it's a CEO of a manufacturer or of a travel firm or a law firm, understand that their entire business is run online. And therefore, security is of top concern to their customers and their employees. So, they have to become knowledgeable and be able to talk about it as if they do know about it. And that's what we're seeing right and left as CEOs at Target and Sony, and back in the day CSX, all learned the dangers of not being able to talk about security.

Brian:                          

Yeah. You know, absolutely. And as you were talking about that, it reminded me of an analogy about the auto manufacturing industry, which of course you're intimately familiar with. You once talked about the Chief Quality Officer and how that relates to today's security leaders. In particular, sort of the changing role of the CISO, and how now some CIOs are actually reporting to CISOs, which was analogous to what happened in the auto industry. I'm wondering if you could take us through that analogy and expand on that a bit.

Richard:                      

Yeah. When I got out of school way back in '82, I joined the auto industry as an engineer. And people who were around back then will remember that quality was not a big issue for automotive manufacturers. The typical tolerances on the fit of body sheet metal parts were half an inch to three quarters of an inch. And then along came the Japanese, who of course were learning from Deming and other quality experts who were just ... totally added quality and started refining it, and measuring quality and demonstrating that you can't accomplish something unless you measure it, if you want to control it.

Richard:                      

And the automotive industry started to respond to that here in the US, but they couldn't just crack the whip and get more quality. Right? They couldn't tell Plant Managers, "Get more quality," because they're also telling the Plant Managers to ship cars. And every plant had a Quality Manager internally who reported to the Plant Manager. So, the Quality Managers were going, "These parts that just came in the door are unacceptable. They're out of tolerance or they've got cracks in them or they're dirty." Whatever. "We can't accept them." And the Plant Manager would say, "Yeah. If you don't accept those then I've got to shut my plant down because we just ran out of parts." So, the Plant Manager could always veto the Quality Manager.

Richard:                      

So, the big move started by Ford when they started talking about quality as job one, was to change the reporting structures. So, the quality guys now reported to a Chief Quality Officer. And they could actually veto the Plant Manager, and they could shut the plant down. It eventually translated to the line workers being able to shut down a line if quality was not within the specs that they were tracking. Statistical quality control, we called it. And that was the beginning of seeing control applied to manufacturing in order to achieve quality.

Brian:                          

Yeah, and I love how that story just shows evolution that focused on quality. And similarly, we're seeing something in security, aren't we? As these CISOs seem to have a greater ... And it might not even be a CISO title, it might be a Risk Title or something else. But they have a greater umbrella responsibility in some cases than even the CIOs did.

Richard:                      

Yeah. And what's bothered me for 18 years now, is that security people do like to measure things and they know they've got to measure things. And unfortunately, one of the things you can measure is how many vulnerabilities do you have on your systems? So that became the thing to measure. And so everybody measures it and, "Okay, we've got 20,000 computers, desktops and servers. 60,000 mobile devices and IoT things, and every one of them has got an average of four vulnerabilities on it. So, let's patch them." So, it creates this huge path to patching everything all the time, which of course is very disruptive to business continuity.

Richard:                      

And they can measure something, and they can say, "Look. We're better than we were last week. We had 150,000 vulnerabilities, now we've got 90,000 vulnerabilities. We must be doing a good job." And obviously, all it takes is one vulnerability and I like to use the thought experiment. Okay, let's assume you can actually get rid of all the vulnerabilities. You can keep everything patched, completely up-to-date, all the time. What are you doing about zero days? Nothing. You don't know about those vulnerabilities. So, I'm not a big fan of pegging your security metrics to your vulnerability management solution.

Brian:                          

You know, it's so funny you brought that up. I was just with a customer the other day, and this is not the first time I've heard people say this. They said, "Yeah, today we measure ... you know, we do a bunch of vulnerability scans, and then we look at the juxtaposition of that and where we are with our patching. And we look at the gap, and that's what we've tried to measure. We try to reduce that gap, and we know it's a horrible metric. We know this isn't what we should be measuring, but it's the only thing that we feel we can trend over time instead of theoretically trying to measure how effective are my security controls, or my people and my processes."

Brian:                          

Let's take it up a step even higher than the executive team or even the CEO. Let's talk about investors. Are investors putting greater value into cybersecurity? And really, the cybersecurity relationship with financial and operational risk. Are they putting greater value in that, and is this what's driving this need for cybersecurity evidence? Actually having something tangible that I can bring to my shareholders, to talk about the value or future expectations?

Richard:                      

I don't think we're there yet. I think investors have banked in the risk. They understand that what happened to Sony could happen to anybody, so they take that into account. They don't have a tool that the companies can tell them, you know, other than there's a CISO in place. Maybe somebody would reveal the budget that they have, as Bank of America does. So maybe that gives them some assurance, but I don't think it's until the regulators, specifically the SEC, get involved and require some level of reporting. I don't think it's until that time that the investors have something that they can use to measure total risk when it comes to their investments.

Brian:                          

Yeah.

Richard:                      

And, luckily, most major breaches don't result in long-term damage to a company stock price. There are a few outliers where it did. Sometimes a company goes away after a breach. Target survived very well, most banks that have been breached have bounced right back. But definitely if you're a short-term trader, you don't want to get caught long and somebody that gets a breach.

Brian:                          

Yeah. Well, let's expand on the evidence a little bit because I know this is a trend that we're seeing, and I agree with your points there. One of the things I've noticed are other strategic business units and organizations, sales, finance operations ... Organizations are really accustomed to having these data-driven decision-making metrics, if you will. Evidence based on KPIs, and I start to think of things like shareholder return reports or client assets, or financial performance. And they've got a gazillion of them, and we've had them forever. I'm starting to see the cybersecurity DNA being put into the annual reports, like the 10-K, Committee Charters, corporate government stocks. And that's all great, it's great we're talking about it. It's great that it's getting in there, it's great there's a level of visibility. And to your point, it'll probably increase even more as perspectives change from a regulatory perspective.

Brian:                          

But let me ask you this. I met with a Financial Services company recently, and they told me that their Chief Risk Officer now reports directly to the board. But even with that high level of visibility and that reporting strategy, who's going to take responsibility over those? Who will really take ownership, does that fall on that Chief Risk Officer? Will it fall on the audit committee inside the board? Is it the CEO? Ultimately, where does the buck stop, if you will?

Richard:                      

Yeah. The Chief Risk Officer often has a lot more than cyber reporting to him or her. Because obviously there's employee malfeasance risk and legal risks, and geopolitical risks that face a company. On the cyber side, it pretty much falls on the CISO's head. It's probably why there's such turnover in CISO roles around the world.

Brian:                          

Sure.

Richard:          

But I think where it's starting to show up is a combination of concerns over third party supply chain security, and regulation. And I started to see this at my most recent role for a company that was traded on the London exchange. Whenever we outsourced any IT function for a Human Resource App or anything else like that, we had to validate that the company we were outsourcing to was going to be compliant in the future with GDPR. And if they came to us and said, "Look, we have an Information Security Management System. We're ISO certified, we can get you on the phone with our CISO." That went a long way to giving us some assurance. There's no document or certification they can provide that proves that your data is safe with them, but you can have a quick conversation and either they could lie to you ...

Richard:                      

But usually CISOs are very honest and upfront about what they do and what their processes are, and you quickly get a picture that they do take care of your data. You know, they gotta answer some of the questions correctly. Like, "Everything's encrypted, you keep the keys, we don't have access to them." That sort of thing. And then backup and disaster recovery has got to be in place, too.

Brian:                          

Yeah, yeah. Now those are all very good points. So, I'm wondering, just to kind of wrap up here, in your eyes what's really the future of cybersecurity for the CIO and other non-technical or non-security business executives?

Richard:                      

Yeah, I think it has to be wrapped into their entire digital strategy. They have to realize that, look it, they're getting productivity gains, they're getting marketing and sales and customer gains all thanks to their digital footprint. But they have to bank in the true cost of protecting all of those things, right? So there's no niche of digital world that's not accessible to attack now, so they have to bank in the cost all the time. So, gone are the days when you could just launch a website and take credit cards and all of a sudden have a million customers the next day without investing in the security around it. And that goes many times fold for when you're automating a plant and sending the data from the plant to the cloud, making the just-in-time information available to all of the downstream customers. You have to bank in and budget for the security belt around it. Just like we tell software developers, you got to think about security from Day One. That goes for all business processes now, too.

Brian:                          

Great points, great points. So, our final question, and this is something we ask of all our interviewees and arguably the most important question of the entire podcast: who's your favorite superhero or super villain and why?

Richard:                      

That's so hard, I wish I'd been prepared. I always had a soft spot for Elastic Man. I don't know why, I just thought it was pretty cool to be able to reach your arms way out and grab things.

Brian:                          

So, Elastic Man. Not to be confused with Plastic Man from years prior to that, but Elastic Man from Fantastic Four.

Richard:                      

Correct.

Brian:                          

Very, very cool. Well, that would definitely be a handy skill for sure. Awesome. Well, hey. Thanks, Richard. And again, thanks to all our listeners for joining and be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
