By golly... it's Cyber Ollie

June 15, 2020 | Phil FershtOllie O’Donoghue

Definitely no Dinosaur Whisperer... Ollie O'Donogue (bio) is inspiring HFS' Cybersecurity and Security Services Research 

We've become one huge hyperconnected digital environment - it's as simple as that.  We're all anywhere employees, where we connect invisibly into both our personal and business digital environments.  In fact, we're all anywhere people where we're seamlessly hopping from work, virtual classrooms, social calls, shopping, music sites... you name it, this is our world - and will be until the Internet melts down. Just imagine if Covid had hit 15 years ago?  We'd be in much more serious trouble...

To this end, HFS has made a major pivot of our research over the past few weeks to inspire this new abnormal world, and - as part of this pivot - have focused our lead IT services guru ("veterans" need to be over 40...) to broaden his deep experience in cloud, agile, and service management to take the lead role with our coverage of cybersecurity and security services.  So let's hear a bit more from Ollie O'Donoghue and how he intends to place HFS at the forefront of security service analyst coverage:

Ollie,  please explain to us why has cybersecurity only now really emerging as the number 1 area for concern and investment in this climate? 

Cybersecurity has always been a big topic of conversation in the boardroom – especially when regulators started upping the fines and tightening up loopholes. But for years there's been a sense of inevitability about the whole thing. A couple of years ago, I worked on a study tracking cybersecurity trends, and it was clear executives viewed securing the enterprise as an unassailable task. And sadly, there's a bitter truth to that feeling which is; "we're a big enterprise, and the hackers will find their way in somehow, and if they don't, one of our team will leave an unsanctioned USB stick on a train, or click on a link in an email offering untold riches." And with that wedged into the back of a lot of executive's minds, it's easy to see why cybersecurity never really got the attention it deserved.

And let's face it, to most business leads looking to roll out some cool tech, their security colleagues are just fun-sponges, with their risk assessments and cautions. And while cybersecurity and the role of the CISO have slowly pushed its way into corporate culture, it's only really now since Covid-19 came along that the cyber-killjoys are under the spotlight. Businesses across the globe have banked on a couple of things in the past, centralized systems are easier and cheaper to guard, or at the very least are tough enough to hack that it's a suitable deterrent for all but determined hackers. And people coming into the office are somewhat less likely to do something silly on corporate machines. Both theories are now somewhat irrelevant. Corporate tech estates now sprawl across thousands of home offices, and outside of being pestered on zoom, employees are far freer to use technology as they see fit than they ever have been before, for better and for worse.

Business leaders know that this is going to be a significant problem to solve – and some firms are already licking their wounds as malevolent forces exploit a vast surface area, much of which lay undefended in any real sense. A few of the beleaguered CISO's I've spoken to over the last couple of months have never been so busy, as they figure out how to plug vulnerabilities now, and design security solutions that can offer more long-term reassurance. While there have already been some high-profile hacks and breaches – I won't mention names because it wouldn't be fair to Cognizant – most businesses anticipate the space to heat up, and are happily piling in cash and resources if it makes their business less likely to hit the headlines next week.

When it comes to engaging with a services firm to manage your security needs for you, is this a viable option, or should enterprises manage their own?  What are the considerations in this decision?

In many ways, this has been one of the biggest questions for the services industry to answer. Enterprises, understandably, want to keep their cyber teams in house – it's far from a commodity business and who better understands the vulnerabilities and have the incentive to plug them up than an internal team. This mindset has guided the market to an extent until very recently. Firms may bring in consultants for an outside-in perspective, and many offer cash to professional pen-testers or crowdsourced vulnerability hunters, but outside software spend most enterprises keep their cyber-spooks on the payroll.

But as the diversity and intensity of cyber-risk have evolved, really in the last two or three years, enterprises have looked externally for access to talent and capability with a degree of experience in what the all-round nastiness hackers, criminals, and absent-minded accountants can open their business to. For most firms, there needs to be a careful balancing act between the two – internal teams need to guard the crown jewels, if not because internal risk assessments would grief any over-ambitious outsourcing project. But also because external service providers can be targeted by malevolent forces as gleefully as enterprises. Even so, bringing in providers with real hands-on expertise, and the scale and breadth to defend the outer perimeters is unlikely to be much of a choice for some businesses - particularly given the intense talent shortage in cybersecurity right now.

Coming into this crisis, who were the main security services leaders driving the market?  and are these providers really prepared for the new environment?

The major IT Services firms all have robust offerings in this space – a lot of them homegrown from their need to lock down their tech estates and delivery networks. So, for some enterprises, the safest pair of hands to take on cybersecurity engagements are likely to be the very same firm managing their apps and infrastructure – particularly if they've been servicing it for a few years and know where the chinks in the chainmail are. This is where the TWITCH providers will have an interesting story to tell. Then you have IBM and Accenture, the big heavyweights who, if you can look past the price tag, have the consulting heft and experience. And crucially, exposure to the broad threat landscape to offer the full gamut of cyber services to clients. Accenture, in particular, is pushing a strong security narrative right now and isn't alone in buying cybersecurity firms to keep its talent bench and toolbox well stocked.

Then there are the big consulting firms – KPMG as part of its Powered Enterprise model has embedded security into the core of its vision for the future. And Deloitte, EY, and PWC have similar frameworks, each with a deep pool of talent to help enterprise clients plug gaps now, and build a more resilient enterprise for the future.

But the game has shifted significantly over the last couple of months. Most of the frameworks, services, capabilities, and delivery models focus on the "old" operating model – where centralised offices and hubs reign supreme, and patchwork solutions do the trick when implementing new tech. The truth is there's no telling if most businesses will go back to that model – a few have already said they won't. So the future of the space may well be building a remote, accessible, and secure platform for businesses to run on with talent clocking on from their home offices across the globe. Which brings a raft of fresh challenges for services firms – for example, they now have to consider how to manage physical security from someone's home. Even the best firewalls in the world can't protect a rogue employee taking a picture of client data and emailing it to a rival. A prospect harder to accomplish in a busy and supervised office, while a snug home office is impossible to police. In essence, I expect three big buckets of work to come out of the Pandemic for service providers – all of which must have security as a core building block.

The first is securing the sprawl. Millions of employees decamped from offices at short notice, setting up a plethora of SaaS platforms and spinning up VPNs to keep businesses running. Securing this mess is a short-term priority for many, but with no return to normal on the horizon yet, short-term will very quickly become medium-term. And even the thriftiest firms will eventually have to sign some cheques to at least paper over the exposed cracks.

The second is securing existing platforms undergoing re-engineering work to support remote business operations. From candid conversations with executives, these platforms were intended for teams of 100 or less and are now suddenly spinning up as the bedrock of the entire business's workflows. Others are in their POC stage as some forward-thinking companies looked at flexible working pre-Covid in a bid to attract new talent but have since needed to bootstrap experiments into functioning platforms.

And the final one is designing brand new platforms for businesses to run their operations on in the post-Covid world. Secure by design will need to be the mantra for these new toolsets – and we can expect a fair portion of the enterprise market to take any viable solutions in this space seriously. Particularly if we see the complete transformation of the global economy as many analysts and pundits are expecting.

And what do you make of these "Digital Workplaces", Ollie, that have suddenly become all the rage… some providers are already branding them "borderless", "anywhere" and "secure"… are these going to become critical offerings from providers as we look to manage increasingly complex global models, or do you see this more of a short-term gimmick while we're in this temporary remote situation?  

Digital Workplace is an area I spent quite a bit of last year researching; you can imagine how excited I was to see that research lose relevance almost immediately as the Pandemic reshaped enterprise appetite for workplace services. But to answer your question, the truth is nobody knows – outside of the three buckets of work I mentioned earlier, it's difficult to say how this space will evolve. There are certainly some big gimmicks out there – and vendors never waste a crisis, when there are solid rebranding and marketing opportunities to be had. But there's also a lot of innovation in the space that hasn't seen the investment and utilization it deserved until now.

There are a couple of factors that make me think the digital workplaces rising to popularity now will stick in the long-term. The first is, a pile of businesses are seriously rethinking whether they want to go back to centralized workspaces. The trendy tech giants are already racing to reassure staff that they can stay home if they wish to, and some are even footing the bill for their home office refits. Even the stale multi-century old business community are having conversations internally about whether it's worth going back to expensive glass-walled offices in London and New York when they could have everyone at home for a fraction of the price, and potentially find it easier to scare up hard-to-get talent.

The second is, employees are showing mixed enthusiasm for going back in the first place. Surveys vary, but at best the humble city office is only getting the thumbs up from a quarter of employees­—with the majority preferring a comfortable home office and a weekly trip to hang out with colleagues in a WeWork or café. With mass unemployment, it's easy for business magnates to look passed this trend, but unemployment doesn't last forever, and there are still talent wars raging all over the economy – forcing employees back to the 9-5 cubicle might leave you with only a few loyal traditionalists in the team.

And the final one is geopolitical; governments are rethinking the modern workplace just as enthusiastically as future-of-work analysts and evangelists. In Europe, conversations are taking place in some regions over whether the ability to work from home should become an employee's right. In other areas, slower relaxation of lockdown rules will force employers and employees alike to stick with their current set-up, and once the investment is made it's harder to push the boundaries of the traditional working environment back into place. That being said, the leaders of major cities and business hubs won't watch their corporate cash cows disappear into the sunset to their new Ikea-furnished home office. So, we can expect incentives to pull big business back. Although for many I suspect pandora's box has been open a little too long and the prospect of getting a cheaper lease doesn't entirely offset no-lease at all combined with the bonus of no commute and working in your pyjamas.

Are you envisaging an increase in cyberattack in this remote model with the increased surface area exposure?  If so, how best should enterprises protect against them?

Of course, for some cyber-criminals, this is one of the best opportunities they'll ever have to perform major cyber-heists. Every business in the G2000 now has thousands of tiny offices in every country around the globe—with many of their employees cobbling together random tools to bring some semblance of normality and productivity. Some enterprises I've spoken to are using six collaboration tools alone, the result of multiple departments rushing off and picking a toolset they preferred. And just focusing on that small and relatively low-risk part of a business's tech estate, how quickly did chagrinned CISO's realize many of the tools were insecure? Often when mischievous teenagers or more malevolent figures busted into virtual meetings playing load music or presenting graphic images.

The reality for many enterprises is they simply weren't that secure in the first place. Less so now, with employees using the tech equivalent of cobwebs and chewing gum to hold their new digital workspace together. And that's assuming we're talking about cyber criminals needing to go through the tedious process of technically breaking into digital environments. Many don't need to, a few of the recent cyberattacks to hit the headlines have strikingly coincidental timing with privileged credentials going up for sale on the dark web. Or passwords appearing in forums, posted by disillusioned staff.

When it comes to advice, there's no playbook for where we are now. And anyone claiming to have one – especially if it's sent via a link in an email from an unknown sender – are probably telling fibs. The mistake will be thinking it won't happen to you because there are juicier targets out there, or that you have all the resources you need to lock down this new world we're in. Looking to get help from the provider community is a sensible strategy, at the very least bringing in advisors that are right now helping firms make sense of this world could bring in fresh ideas and solutions for some of the challenges we're all facing. But by far the most significant certainty of failure is sitting around and doing nothing on the grounds we'll be back to normal soon – sadly, or gladly dependent on your perspective, there doesn't seem to be much of a normal to return to.

Ans finally, Ollie, how influential are geopolitics in determining how to make these cyber investments?  Especially with disruptions to supply chains and global commerce…

This is such a hard question to answer. National bodies are by far the biggest hitters in the broader 'cybercrime' space in the first place. Sometimes for good, sometimes for bad depending on perspective. Take Vietnam, for example, which refused to believe the stats about Covid-19 coming from China so spent the early days of the virus, hacking into government systems to get a better look at any hidden data. Now, some people might say that's a bit cheeky, but to date, Vietnam has one of the best responses to the Pandemic, because it responded quickly, rather than believe the narrative from neighbors – and hacking was a crucial part of justifying that decision-making. And there are more or less constant pot-shots from different national hacker groups to other countries, resident businesses, and individuals that it's become part of the cyber-defence tapestry of the modern world.

When it comes to the role of geopolitics more broadly, that's where things get complicated. One of the areas I spend a lot of time digging into is cloud – and there are bodies in Europe that are increasingly uneasy about the prospect for enterprises of either going American (Azure, GCP, AWS) or Chinese (Alibaba, Tencent). A part of that concern is data sovereignty, but another is how seriously are these firms taking the security of business data in Europe, and is it superseded by the requirements of its resident government. Now, whether you take these concerns seriously or not isn't the point, but the conversation and pulling together a rational judgment becomes much harder when leaders of countries are forcefully denouncing the tech giants or businesses of another. Huawei is perhaps the best-known example of a company finding itself in the middle of an international dispute, with both the company, its clients, and entire industries thrown into disarray as a result. In many ways, at a global level, Corporate assets, particularly technology and data, have become both the pawns on the chessboard and the spoils to the victor at the end.

Right now, what that means is executives are forced to make decisions based on future security, at a time when 'best-in-breed' has been the chant from tech experts. They have to decide, and at times guess, if plugging in the best tech, which may be from a country butting heads with their resident nation, will be a security vulnerability in five years if that head-butting turns into something more belligerent. This isn't new, of course, multi-nationals have always needed to keep a wary eye on the global stage. I can remember in my early days as a consultant, visiting an IT office in eastern Europe and examining their business continuity plan, which had provision for moving staff, resources, and data out of a nation on the likelihood a neighbor might take the opportunity to invade. At the time it seemed overcautious until a few years later I was watching the news and that same nation was unexpectedly invaded by its neighbor. While I retrospectively commend the prescience of the security and business continuity officers who worked on that plan, that type of event is so rare an instance to seem frightening and unprecedented. Whereas finding North Korean sponsored hackers were behind an attack on a British or American company doesn't seem that newsworthy at all. Or that new tariffs are being put on technology imports to ensure domestic businesses have a chance to build up their capability, with equal likelihood in the future that those same companies will be declared strategic assets and receive government protection and support. That's the new global stage executives and CISO's need to keep an eye on – and it's vaster and far more complex than anything we've had to deal with in the past.

Terrific stuff Ollie... can't wait to start reading about the weekly security developments

Posted in: IT Outsourcing / IT ServicesSecurity and RiskCyber-security

Never Miss A Story

Sign up for the HfS Research newsletter and get the best research delivered to your inbox weekly.




Post a Comment

Your email is never published nor shared.