Budgets? We don’t need no stinking budgets! Or do we? An interview with Accenture’s Bill Phelps

|

Earlier this year, HfS Research and Accenture surveyed over 200 cybersecurity professionals around the globe to better understand how enterprises are securing their digital assets and dealing with increasingly sophisticated, and all too frequent, cyber attacks.

I recently had the opportunity to sit down with Bill Phelps, Managing Director, Accenture Security, to discuss our report. Bill was one of my co-collaborators in this research effort, and I was curious to get his take on both the survey and its implications for the cybersecurity sector moving forward.

Fred McClimans, Research Vice President, Digital Trust and Cybersecurity, HfS: So Bill, we spent several months surveying security professionals on a global scale—different verticals, different geographies, different size organizations—to really uncover what the state of cybersecurity and digital trust are today. What were your expectations when we first started and what surprised you coming out of the report?

Bill Phelps, Managing Director, Accenture Security: Fred, I was really excited about doing this report together because we were taking a new perspective looking at security through the lens of digital trust, not purely as a technical or an operational issue, and I think a lot of the findings reflect that. I think honestly one of the most amazing things was that our respondents said over a third of their management doesn’t see the value in the money they spend on security, and they are disengaged. So in spite of security being a front-page headline item almost every day of the week, we still have leadership in organizations that don’t make it a priority.

Fred: That was a bit of a surprise to me as well. I would have expected closer alignment between security operations and the executive management in these organizations.      

Bill: The best CISOs I know spent the majority of their time with their business counterparts, and that typically creates a good alignment. But there are still a lot of what I think of as old school CISOs—very technical, very capable individuals who often came up through a technical track. They haven’t learned to engage with their business counterparts,  and so the business counterparts don’t necessarily appreciate the value of the security organization and how it can team with them.

Fred: One of the elements that might be fueling closer alignment between CISOs and their business counterparts is the shift away from cybersecurity as a way to protect assets and more towards  a way to develop assets that can be leveraged to create a greater feeling of digital trust for the enterprise and its consumers.

Bill: I think that’s absolutely right. I think that people have viewed security as a very tactical discipline. We know we have to authenticate users and prevent data breaches. When we are talking right now to CISOs, especially for global organizations, privacy and trust are coming up more in the agenda and it’s becoming more and more about the brand and about how organizations convey to their customers how seriously they take privacy and trust around the digital identity.

Fred: One of the things that came out of the report that was a bit surprising to me was the number of organizations that acknowledged they have had insider data theft over the prior 12 months, and in fact they expect that to increase for the next 12 to 18 months.

Bill: The reality is that the easiest person to steal information inadvertently or intentionally is an insider. They have the credentials. Perhaps more importantly they understand the value of the information. They have access to it. And I do believe that we are going to continue to see more of that until organizations not only have the right controls in place but have the right value system in place and can convey to their leaders and to their employees the importance and sensitivity of the information to the customers.

Fred: One of the things that was encouraging in the report was that while firewalls and encryption technologies are still core to cybersecurity, moving forward a lot of the CISOs said they see a lot more reliance on things like automation, analytics, and cognitive shifting into AI moving forward.

Bill: I think there are two things going on. One is better analytics around user behavior, around where information is flowing so that we can quickly spot anomalies and patterns. The second thing is what I call a rebirth or resurgence of the importance of identity management. And organizations are realizing that so many of the breaches are the result of a misuse of an identity.

In some cases it’s by a malicious insider and in other cases it’s by an insider who has been tricked. Sometimes it’s a stolen identity¾an identity that’s been acquired maliciously and is being used  All of those can be addressed through better analytics but fundamentally they also need to  be addressed through better management of those identities and we are seeing a huge uptick in interest in that.

Fred: From an identity management perspective there is also the possibility of blending behavior analytics with digital and physical security analytics. This combination has the potential to expose something that’s out of the norm from typical behavior, such as the right person, in the wrong location with the wrong credentials or at the wrong time of the day.

Bill: An interesting finding in the report was the immaturity of organization governance reporting lines¾who the CISO is working with. One of the places this manifests itself is the link between physical security and information security, or logical security. Many organizations have completely different cultures, reporting lines, accountability, budgets. If we bring them together we can answer these questions around why is somebody accessing the financial system in New York at 1:00 AM?  Shouldn’t it raise a question? We can’t understand this simply through the information security systems, but as soon as we overlay the physical items it’s an obvious question.

Fred: Now you mentioned reporting structures. One of the surprises to me was that across the board there was a dissatisfaction with who cybersecurity professionals were reporting to.

Bill: First, I think it’s an indication of the immaturity of this area. We don’t know what the right answers are in many ways in information security. We are working through it and we know that some things don’t work. But in terms of reporting lines, I can say that roughly half of CISOs report to a CIO. Sometimes that’s a very good and positive relationship and sometimes it’s not. One of the reasons it’s not always a positive relationship is that the CISO and CIO have conflicting motivations. The CISO’s job is to protect the organization first and foremost while a CIO’s job is to deliver business functionality and business outcomes. If the CIO is under a great deal of budgetary pressure and time pressure and the CISO is saying you need to slow down and spend more money on the security of the code that is being delivered and the security of the architecture, you have a conflict. Sometimes that’s been rationalized, at other times it hasn’t, and I could give you similar examples with CISOs reporting to CEOs, CISOs reporting to COOs, CISOs reporting to CROs.

I also think that the autonomy of the CISO is critical as is their access to the senior level executives across the organization; but we don’t have a one size fits all in the organizational alignment yet.

Fred: In the report, we identified five gaps that are having a significant impact on the ability of CISOs to execute on their role within an organization. I’d like to walk through those gaps. The first gap is the talent gap – the requirement on the part of CISOs to fully staff the organization with the right number of bodies but also the right skill set, against the available talent pool in the market.         

Bill: Of the five gaps, I would put talent as the second in importance. It’s clear from the findings of this research and from all of my discussions in the industry that we need talented security professionals, almost nothing else matters. Without them, we can’t configure the tools properly or communicate effectively to the business. And these are people that in many cases it takes time to develop. It’s not putting them through a brief certification program. It’s education plus on the job training and apprenticeship with professionals. We are not satisfying the demand for talent quickly enough and it’s one of the top things that comes up in every single discussion around security with my business clients.

Fred: One of the ways that some organizations are starting to address the talent gap is through automation; looking to lighten that level one burden for the individual and let them bump up to a level two in capability is a good step but it may also have a negative impact because the entry level position into the cybersecurity talent pool is now level two, not level one.                 

Bill: I think that’s true. Robotic Process Automation is a huge buzzword in IT right now and really valuable for automating tasks that are easier to teach people to do. But the toughest jobs to fill in security are those of seasoned individuals who know how to spot telltale behaviors, who know how to respond to the problem or the issue they haven’t seen before. So you need those people to train human labor, you need those people to train the robotics and the analytic system. So while there is a benefit to process automation, I’m not sure how much it’s going to help create the very talented senior level security professionals and as you pointed out it may even be a hindrance.

Fred: The second gap that we identified was around technology. One of the challenges we saw was just keeping pace with the technology that’s available out there. 

Bill: The threat actors have very good talent and are not necessarily using expensive commercial software. Instead they use technology that is available via open source or on the dark net and they know it extremely well. The technology that’s being used to defend the organization many times comes off the shelf, is highly sophisticated and capable, but we don’t have the people who understand how to use it well. It is evolving very rapidly as the newest brightest shiniest object is funded by the venture capitalists or comes out as a feature from a large vendor.

I think what the research says, and what I have found is that you need to really make it simple. The problem in technology is that what we have we are not using well, not that we don’t have the latest technology.

Fred: Cybersecurity is an asymmetric battle today.

Bill: It is totally an asymmetric battle and there is no end in sight. I’d love to sit here and tell you that two to three years from now the defenders are going to catch up, but there are so many vulnerabilities in the environment. The attackers have a real advantage in their collaboration, in their understanding of the technology.

Fred: The third gap that we uncovered was what we are calling the parity gap – the differences between different capabilities that exist within an extended enterprise. To give an example of that we asked respondents to rank how secure they thought various business elements were. The sales organization: not that secure. IT: very secure. Customer support? Kind of in between.

Bill: This is one of the top challenges I see. We sit down with a CISO or a Chief Risk Officer and they explain how much they have invested in security in IT or in security education. And then I  ask them if they know all the organizations in their supply chain, or if they  recently acquired a company – have they assessed the security if the acquired organization. It completely comes down to this weakest link problem, and with computers and automation it’s not hard to find that weak link.

We think about so called security by obscurity, but when the adversaries are running scanners against the environment, they can quickly go through every single IP address. The idea that you can protect only a part of the organization really well is completely inadequate. So many of the major breaches we have seen have been the result of exactly that, compromising some obscure part of the ecosystem and using it as an entry point into the broader enterprise. It’s a huge problem.

Fred: When we asked CISOs what were the top inhibitors to complete enterprise cybersecurity and digital trust, one of the top inhibitors was lack of budget for either technology, or more importantly, for staffing and training.  

Bill: My bias in this is that the security professionals are not doing an adequate job of educating the business. I have heard business executives, board members, and others all say a variation of “We are willing to spend the money. We have the money. But we need to understand where the money is being spent and the value that is being created”. I am not saying this is easy, but the security organizations are struggling to answer those questions. There is a cynicism that the money is not actually improving the problem.

Fred: That leads nicely into the fifth and final gap – the management gap. When we asked CISOs how they viewed the management’s position on cybersecurity, we saw a third of the respondents indicate they believed management views cybersecurity as an unnecessary cost.             

Bill: We are still seeing cybersecurity in too many organizations as a discrete function, not as a value system and a part of the brand that is broadly embedded in the organization. I’ll use an example from the energy industry, which has embedded employee safety as a fundamental value. If you go to most of the oil exploration production companies, the first thing they will talk about or do is a safety minute. You have to sign something that says you understand their safety policy. We are so far from that in cybersecurity. In so many organizations, if you say “What are you doing Mr. Vice President of Sales for security?” You get a blank stare and they say, “Well, that’s the job of the CISO”.

We have a long way to go. In the most successful organizations, the CISO has become a peer of the business executives both in substance and in style. They spend a great deal of their time with the business. There is top down support for making security part of the culture, part of the brand and that’s where we are going.

You never want security to be an inhibitor. Security maturity and state-of-the-art starts with the alignment of the security function to the business. It starts with how security is perceived as enabling the business, enabling trust amongst the customers, the suppliers and the others within the organization. It’s asking “do we have enough of the sufficiently talented security people in our organization and are they respected by the business?” Then of course it comes down to specific capabilities in technology and things like that, but those are almost an outcome, not a starting point when I think about what the state-of-the-art looks like.

Fred: From Accenture’s perspective, how has this report affirmed your position on digital trust or shaped the way you view digital trust in cybersecurity moving forward? 

Bill: I think it was tremendously validating for some of the direction that we were already taking, and I think in some ways may accelerate that. We are moving away from thinking about security as a technical issue to talking about it as a brand attribute, as something that is communicated to customers, and that’s a business value. So what does that mean in our business? It means we are selling to business executives. It means we are engaging with the broad business leadership in security. It means we are talking about digital trust not just about security. It means we are asking, “what do you want your customers to think about you in terms of whether or not they trust you, whether or not they are confident in your protection of their private sensitive information, whether it’s medical records or financial information or whatever?”

Fred: I think if your cybersecurity approach doesn’t reinforce the brand promise and your ability to deliver on that, you’re probably wasting your time.

Bill: You certainly are thinking it’s not valuable and that it’s a cost, not an investment. As soon as you start thinking about it as a brand attribute it becomes an investment.

Fred: Bill, I can’t thank you enough, and I look forward to following up again a few months down the road. We’ll see how this is playing out.        

Bill: That’s great Fred. Thank you very much! I think this is some very exciting research.

Posted in : Security and Risk

Comment0

Leave a Reply

Your email address will not be published.